Spanish police arrest two accused of hacking radioactivity alert system

Spain’s National Police said Wednesday that two people have been arrested for allegedly hacking the country’s Radioactivity Alert Network (RAR) and disabling more than one-third of the sensors that are used to monitor excessive radiation levels across the country.

The attack occurred between March and June of 2021, and was allegedly carried out by two individuals who were at one point involved in maintaining the system, which is run by Spain’s General Directorate of Civil Protection and Emergencies (DGPCE). The police did not disclose the names of the arrested individuals, or say what motivated the attack.

“During the investigation it was determined that the two detainees had been responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE, for which they had a deep knowledge of it that made it easier for them to carry out the attacks and helped them in their efforts to mask their authorship, significantly increasing the difficulty of the investigation,” the National Police said in an announcement.

Spain has seven active nuclear reactors that account for 22% of the country’s power generation, according to the International Energy Agency. 

The RAR is a network of 800 sensors that detect gamma radiation across the country, and is designed to serve as a warning system if there’s a spike in radiation levels. Each sensor is connected to a control center at DGPCE’s headquarters in Madrid, which can both collect information from the devices and send outbound orders.

According to the National Police, the attackers gained access to the control center’s computer system to delete the RAR management application. Additionally, they attacked more than 300 sensors over the course of two months, severing their connection to the control center and reducing its ability to detect elevated radiation levels.

“The two detainees, former workers, attacked the computer system and caused the connection of the sensors to fail, reducing their detection capacity even in the environment of nuclear power plants,” the police said.

The arrests came after a year-long investigation that involved raids in Madrid and San Agustín de Guadalix of two homes and a company, and the seizure of “numerous computer and communications devices” related to the attack.

Attacks on nuclear power infrastructure are relatively rare, but not unheard of. In March, the U.S. unsealed charges against four Russian officials accused of targeting critical infrastructure including a Kansas nuclear power plant. In 2017, a security researcher exposed vulnerabilities that could have been used to spoof or disable radioactivity sensors.