Radioactivity monitoring and warning system hacked, disabled by attackers

The Spanish police arrested two people under the accusation of tampering with the Red de Alerta a la Radiactividad (RAR). The RAR is part of the Spanish national security systems and in use to monitor gamma radiation levels across the country. The network is managed, operated and maintained by the General Directorate of Civil Protection and Emergencies (DGPCE) of the Ministry of internal affairs.


The RAR network contains more than 804 detection points across the country. Each detection point has at least one sensor plus a control unit. The detection points measure gamma radiation across the country. The network serves as a warning system if there’s a spike in radiation levels. Each sensor unit is connected to the central node located in the control center at the DGPCE headquarters. In addition, there are ten regional nodes and seven associated nodes that allow alternative access to the network, which have more limited management capabilities.

Spain has seven nuclear reactors which together generate about a fifth of the country’s power supply. The RAR system serves to measure radiation levels and raise an alert in case of a detected abnormal level.

The hack

The two suspects are accused of sabotage by disabling more than a third of the RAR sensors. The hackers attacked the computer system and caused the connection of the sensors to fail, reducing their detection capacity even in the close proximity of nuclear power plants.

The intrusion took place between the months of March and June,2021. The attack was directed at the two main components of the network. On the one hand, there was unauthorized access into the computer system itself, the purpose of which was to delete the RAR management web application in the control center. On the other hand, the threat actors attacked over 300 sensors, causing the failure of their connection with the control center and thus reducing the detection capacity of the network.

Inside job

While the motive behind the attack remains unclear, it has become clear that the two accused were responsible for the maintenance program of the RAR system, through a company contracted by the DGPCE. The intimate knowledge of the maintenance program enabled them to pull of this attack.

It also helped them to hide their involvement which made the investigation difficult and time consuming. The arrests came after a year-long investigation that involved raids in Madrid and San Agustín de Guadalix, and the seizure of numerous computer and communications devices related to the attack.

Critical infrastructure

While we tend to think about other things first while discussing critical infrastructure, this warning system qualifies as such because it’s intended to monitor a possible threat to the population. And if anything had happened during the time the system was under attack and only functioning in part, the consequences could have been disastrous.

The post Radioactivity monitoring and warning system hacked, disabled by attackers appeared first on Malwarebytes Labs.