Let’s talk about hacktivism, nuclear installations, and radiation. What happens when the power regulating system and the emergency safety systems get shut down at a nuclear power plant? The reactor core heats with nothing to cool it, and it can explode. This scenario actually occurred in my lifetime.
But let me ask you this: What could happen if a value were changed in the output coils of a Modbus device operating within a nuclear power plant? The worst-case scenario is simple.
Changes to output coil values could create the perfect conditions that lead to a loss of reactor control, core damage, and, ultimately, a nuclear meltdown.
Let’s not forget the radioactive material carried by the wind, killing those closest to the incident and contaminating everything in its path, which can be carried for hundreds of miles across several countries.
I believe we should all ask, why are hacktivists targeting nuclear power plants and non-nuclear power facilities in Russia to protest the war against Ukraine? Also, in recent news, the Negev Nuclear Research Center in Israel allegedly was also attacked as an anti-war demonstration.
To understand the present-day ramifications of so-called hacktivists targeting nuclear power stations in protest of wars, we need to examine the Chernobyl incident and use it as a model in order to understand the worst-case scenario.
Remembering Chernobyl
When Chernobyl exploded on April 26th, 1986, it triggered a sequence of explosions that unleashed a colossal fireball, releasing between 50 and 185 million curies of radionuclides (radioactive material) into the atmosphere and spewing 160 tons of radioactive ash.
The radioactive release far exceeded that of the atomic bombs dropped on Hiroshima and Nagasaki, Japan, amounting to several times their radioactivity. The force was so powerful that it blasted the heavy steel and concrete lid completely off.
The radioactive material didn’t just stay put. It was carried by the wind across Belarus, Russia, and Ukraine, and traces of the radiation were even discovered in France and Italy. Millions of acres of forestry became corrupted with radiation.
While records of the number of deaths are a matter of debate, the UN estimates that 50 people died from the effects of the disaster. However, in 2005, the UN predicted that 4,000 might die as a result of exposure to radiation from that event.
Chernobyl remains a ghost town to this day.
Hacktivists target nuclear weapons facility
On March 11th, 2024, a hacktivist subgroup within Anonymous allegedly launched an attack against the Negev Nuclear Research Center in Dimona, Israel, which is home to a nuclear reactor. This would have allowed them to access the center’s industrial control system (ICS) by exploiting a well-known flaw in their Modbus protocol.
The group posted the following message on their Twitter feed a day before the attack:
This is a transcript of their video detailing their ideological pursuit for justifying the planned attack:
“From next days our next operations to wipe nuclear data and to deactivate nuclear centers will be started. There is no difference for us between Netanyahu, Gantz or any other idiot. Your leaders do not know the meaning of humanity and nuclear weapon is dangerous in their hand. We do not intend to have a nuclear explosion, but this operation is dangerous, and anything might happen. So we warn you not to approach nuclear centers and to evacuate the cities which are near the nuclear power plants, until the end of our operations. This is a serious warning.”
It’s interesting to note that in this case and in previous cases, ideologically driven hackers are more than willing to attack critical industrial controls involving nuclear materials such as nuclear fission reactors while clearly acknowledging the possibility of causing massive casualties by mistake – as an anti-war demonstration.
The reasoning behind such attacks defies all sound logic. Think about it. The declaration for justifying such an attack against a nuclear installation was to protest against Israeli leadership not knowing the meaning of humanity while defending that belief by condoning the possibility that their attack could kill people.
The video shows a cinematic depiction of a massive nuclear explosion, sending up a mushroom cloud and plumes of smoke, including a blasting shockwave reaching across a heavily populated city. The bottom left corner of the video depicts a spinning radiation symbol.
Imagine this: the radioactive fallout from the Chernobyl meltdown spread over 150 thousand square kilometers, or 57,915 square miles. Interestingly enough, the state of Israel only consists of approximately 8,550 square miles.
If radioactive material entered the atmosphere from an explosion, it could kill not only Israelis but also Palestinians. Foreseeably, the wind could carry that radiation into Israel’s neighboring countries, such as Lebanon, Syria, Jordan, and Egypt, and beyond, since Israel is positioned along the coastline of the Mediterranean.
Earlier last year, another hacktivist group targeted the Leningrad Nuclear Power Plant in the Sosnoviy Bor region within Russia. In both this case and the one above, the hackers understood the possibility of causing a meltdown if the attack did not go as planned.
Let us not forget about the elaborate cyberattack planned by another hacktivist group, GhostSec, which managed to cause a maxi-explosion at the Gysinoozerskaya hydro-electric power plant in Russia last summer.
The question is: where are hacktivists going with this?
Modbus, an antiquated protocol
Modbus has been around for a long time. It was developed by Modicon in 1979. Although Modbus protocols have been managed by the Modbus Organization since 2004, it is by all accounts a very insecure protocol, as it offers no encryption.
Furthermore, attackers can discover ICS-based Modbus devices simply because the TCP/IP port they use is often exposed to the public internet. A simple port scan is enough to find them, after which the attack phase can begin: remotely accessing the device and altering sensitive functions.
Using the Metasploit framework, an attacker can alter the coil values of a Modbus device on the target ICS. Coils are digital output points that communicate with the relays controlling how equipment and devices function within the industrial control environment.
These coils can control anything from valves, motors, pumps, and lights to heating, ventilation and air conditioning (HVAC) thermostats and temperature sensors, including the management of the cooling process within a nuclear power plant.
Imagine if one of the values of these coils was arbitrarily manipulated by an unskilled outside cyberthreat, especially if it was related to the cooling functions of the nuclear reaction process. If the cooling process is delayed or arbitrarily disabled, it would cause the nuclear fuel rods to overheat, causing the reactor to become unstable.
Chernobyl.
Those involved in Modbus attacks against nuclear installations always make the connection with Chernobyl, yet have no problem launching their attacks anyway and publicly accept the possibility of causing a mass casualty world disaster – to protest against wars.
It goes without saying that Modbus protocol security is long overdue and desperately needs an overhaul before ideologically driven hackers end up changing the world. The devil is in the details. Modbus offers no encryption, so the data it handles travels in plain text and can be easily intercepted by cyber intruders.
Its authentication scheme is weak. It’s vulnerable to Denial of Service attacks, and remote access to Modbus is suicide since anything that can be found facing the public internet is a potential target. The real question is, when will the industry start to take threats like this seriously? Before or after another explosion?
I suppose we will all find out, one way or another.
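The plaintext and weak-authentication points above mean a passive monitor on the control network can read every Modbus/TCP request, which is also what makes detection straightforward. The following is an added example, not code from the original article: it decodes the standard MBAP header and flags write requests (coil and register writes) coming from any source not on an allowlist. The sample frames, IP addresses and allowlist are constructed for illustration.

```python
import struct

# State-changing Modbus function codes (from the public Modbus specification).
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    out = {"transaction": tid, "unit": unit, "function": func}
    if func in WRITE_FUNCS:
        if len(frame) < 12:
            raise ValueError("write request truncated")
        # Write requests carry a 2-byte address, then a 2-byte value or quantity.
        out["address"], out["value"] = struct.unpack(">HH", frame[8:12])
    return out

def audit(packets, allowed_writers):
    """Return (source, detail) alerts for malformed frames and unauthorised writes."""
    alerts = []
    for src, frame in packets:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src, f"malformed frame: {exc}"))
            continue
        name = WRITE_FUNCS.get(msg["function"])
        if name and src not in allowed_writers:
            alerts.append((src, f"{name} addr={msg['address']} unit={msg['unit']}"))
    return alerts

# Constructed sample traffic (documentation-range IPs, not a real capture).
SAMPLE = [
    ("192.0.2.10", bytes.fromhex("000100000006010100000008")),    # read coils
    ("192.0.2.10", bytes.fromhex("00020000000601050003ff00")),    # allowed HMI write
    ("203.0.113.77", bytes.fromhex("000300000006010500030000")),  # unknown source write
    ("203.0.113.77", bytes.fromhex("0004000100060105")),          # bad protocol id
]
ALLOWED_WRITERS = {"192.0.2.10"}  # assumed engineering workstation / HMI

if __name__ == "__main__":
    for src, detail in audit(SAMPLE, ALLOWED_WRITERS):
        print(f"ALERT {src}: {detail}")
```

Because the protocol itself cannot distinguish an authorised writer from any other client, the allowlist has to be enforced outside it, at a firewall or monitoring point like this one.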