Spain’s national police say they have arrested two former government workers suspected of breaking into the computer network of the country’s radioactivity alert system (RAR) and disabling more than a third of its sensors.
The intrusion happened between March and June 2021, and the two suspects worked for a company contracted by Spain’s General Directorate of Civil Protection and Emergencies (DGPCE), according to officers. Investigators searched two homes and one company in Madrid and San Agustín de Guadalix, and said they found “numerous computer and communications devices related to the facts investigated.”
The year-long probe eventually traced the cyberattack to a computer “in the public-use network of a well-known establishment of hospitality in the center of Madrid,” which the cops said allowed them to identify the perpetrators.
“During the investigation it was determined that the two detainees had been responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE, for which they had in-depth knowledge of it, which made it easier for them to carry out the attacks and helped them in their efforts to mask their authorship, significantly increasing the difficulty of the investigation,” the police said in a statement.
Law enforcement didn’t provide additional details about the detainees, or suggest why the two ex-workers attacked the county’s nuclear infrastructure.
Spain operates seven nuclear reactors [PDF] that generate 22 percent of the country’s power.
The RAR system is a network of 800 gamma radiation sensors deployed throughout the nation that monitor radiation levels and are used to generate alerts in the case of excessive levels. Each sensor in this network reports its measurements to a control center at the DGPCE headquarters, which sends commands to the individual sensors.
According to the cops, the network security breach had two parts.
One, it’s alleged the suspects broke into the computer system and deleted the RAR management web application from the control center. Two, over the course of a couple of months, the pair allegedly infiltrated more than 300 of the sensors, causing the compromised devices to fail and not be able to communicate with the control center, thus reducing the network’s detection capacity.
The arrests come as law enforcement and cybersecurity officials in Europe and the US struggle to shore up critical infrastructure including aging power plants amid warnings that Russian criminals and agents may target these deployments as the war in Ukraine slogs on.
And in April, CISA, along with the US Department of Energy, NSA, and FBI warned that cybercriminals have created custom tools to operate a range of industrial control system and supervisory control and data acquisition devices. ®