Illicit cryptocurrency mining isn’t usually associated with state-level security compromises. Then again, Bitcoin hackers don’t often target nuclear power plants. Yet according to a report on the Ukrainian UNIAN news website, that’s exactly what happened at South Ukraine’s second-largest nuclear power plant, south of Kiev in the city of Yuzhnoukrainsk.
What was found during the nuclear power plant raid?
Detectives from the Security Service of Ukraine (SBU) searched the Yuzhnoukrainsk nuclear power plant on July 10. During the raids, two bespoke cryptocurrency mining hardware rigs were seized from office 104 in the plant’s administrative wing, along with fiber-optic and network cables.
Coindesk has reported that, on the same day, “a National Guard of Ukraine branch uncovered additional crypto mining equipment at the same nuclear plant. In this search and seizure, 16 GPU video cards, seven hard drives, two solid-state drives and routers were uncovered.” This was at the barracks of the National Guard tasked with protecting the plant. The Russian international television network RT has said that “the people who were supposed to be defending the highly dangerous piece of Ukrainian infrastructure could well have been behind the scheme.”
How was the nuclear power plant security compromised?
The UNIAN report, via Cointelegraph, stated that the cryptominers “compromised the nuclear facility’s security via their mining setup internet connection,” and “ended up leaking classified information on the plant’s physical protection system.”
According to a ZDNet report, the SBU is investigating the incident “as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure.” Beyond the apparent intent to misappropriate electricity and internet resources to mine cryptocurrency, the SBU is pursuing other lines of inquiry, one of which is whether the mining rigs could have been used to access the network and steal classified security data relating to the nuclear power plant.
At this stage, then, it remains unclear whether any classified data was actually compromised or only that the potential was there. It is likewise unclear how many people have been charged in connection with the incident and whether any of them were members of the National Guard.
The industrial cybersecurity expert view
Phil Neray, vice president of Industrial Cybersecurity at CyberX, said that the unauthorized devices, plus the internet connection on the internal network, “likely went undetected for months or longer, exposing critical infrastructure to potentially catastrophic safety issues.” Neray suggested that this was a perfect example of why everyone should employ a “trust but verify” security model. “Even with the strictest policies and regulations in the world,” Neray concluded, “it’s all theoretical if you aren’t continuously monitoring for unusual or unauthorized activity.”
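As an added illustration of the continuous monitoring Neray describes (example code written for this article, not from CyberX or the plant), the following Python checks flow records for two conditions this incident involved: a device on an isolated plant segment that is absent from the approved asset inventory, and any flow from that segment to an address outside the internal ranges, which indicates an uplink that should not exist. The segment, inventory, stratum port list and flow records are all constructed.

```python
"""Flag rogue devices and unauthorized internet egress on an isolated plant
segment. Added example; inventory, segment and flow records are constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src_mac src_ip dst_ip dst_port")

# Constructed asset inventory: MACs approved to exist on the isolated segment.
APPROVED_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"}
ISOLATED_SEGMENT = ipaddress.ip_network("10.104.0.0/24")  # constructed
# Address space the segment may legitimately talk to (no internet at all).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports commonly used by mining-pool (stratum) protocols; a supporting signal only.
STRATUM_PORTS = {3333, 4444, 14444}

def parse_flow(line):
    """Parse one constructed flow record: 'mac src_ip dst_ip dst_port'."""
    mac, src, dst, port = line.split()
    return Flow(mac.lower(), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(port))

def check_flow(flow):
    """Return alert reasons for a flow that originates in the isolated segment."""
    alerts = []
    if flow.src_ip not in ISOLATED_SEGMENT:
        return alerts  # only the isolated plant segment is policed here
    if flow.src_mac not in APPROVED_MACS:
        alerts.append("unapproved device")
    if not any(flow.dst_ip in net for net in INTERNAL_NETS):
        alerts.append("egress to internet")  # an uplink that should not exist
    if flow.dst_port in STRATUM_PORTS:
        alerts.append("stratum port")
    return alerts

def scan(lines):
    """Return {src_mac: sorted reasons} for every source that raised an alert."""
    findings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        for reason in check_flow(flow):
            findings.setdefault(flow.src_mac, set()).add(reason)
    return {mac: sorted(r) for mac, r in findings.items()}

# Constructed sample: an approved host talking internally, a rogue rig reaching
# a pool port on an external address, and an approved host with an uplink.
SAMPLE_FLOWS = """
00:1a:2b:3c:4d:01 10.104.0.10 10.104.0.1 502
aa:bb:cc:dd:ee:ff 10.104.0.77 203.0.113.5 3333
00:1a:2b:3c:4d:02 10.104.0.11 198.51.100.9 443
"""

if __name__ == "__main__":
    for mac, reasons in scan(SAMPLE_FLOWS.splitlines()).items():
        print(mac, ", ".join(reasons))
```

In practice the inventory would come from the plant's asset register and the flows from a network sensor or switch telemetry; the point is that both checks run continuously rather than only at audit time.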