Let's go back in time to 24 and 25 February 2022:
Kim Zetter (journalist, known among other things for the book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon) has written an interesting blog post, Radiation Spikes at Chernobyl: A Mystery Few Seem Interested in Solving. It concerns the CEZ (Chernobyl Exclusion Zone), an area of roughly 1000 square miles. This image shows what was reported at the time:
Ruben Santamarta has researched this, and the research was released on 9 August 2023 at Black Hat USA. He is a well-known hacker who earlier (2018) came out with groundbreaking research, Researcher Successfully Hacked In-Flight Airplanes - From the Ground (via satellites), and at Black Hat 2017 with Go Nuclear: Breaking Radiation Monitoring Devices. He has a blog post about this (which also links to the PDF on Google Drive): Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication. He also reported earlier on the Viasat hack, which took place on the day the invasion of all of UA began.
The same gear has failed before:
Karine Herviou, Deputy Director General of France’s IRSN, stated that they could not find any coherent explanation for the reported radiation spikes. For me this set off an alarm since these kinds of statements are extremely rare in the dosimetry field; I have not been able to find public records of any radiological event that has not been properly explained and documented. As the reader will notice, but I would like to anticipate, in the context of this research the IRSN statements have a considerable weight due to the following reasons:
1. France is right behind the US in terms of nuclear power generation, so the 2nd largest in the world.
2. France, at a nationwide level, uses the same radiation monitoring equipment that was deployed in Chernobyl.
Back to that research released at Black Hat 2017:
I think this is the right moment to explain why a nuclear engineer got in touch to tip me off about the Chernobyl events. At BlackHat USA in 2017 I presented my paper, ‘Go Nuclear: Breaking Radiation Monitoring Devices’. That research disclosed vulnerabilities, that were acknowledged but not patched, in different radiation monitoring devices. Among the reported issues, I managed to break, from both firmware and radio perspective, a custom RF protocol (WRM2) implemented by Mirion. The protocol in question was used for some of their wireless Radiation Monitoring Devices, including those deployed at Nuclear Power Plants in the US and other countries. One of the attack scenarios I elaborated in the paper, a ‘simulated radiation leak’, was outlined as follows:
[image on page 7/98 of the PDF where the scenario is described]
Santamarta has put a lot of time into this research over the past year and thinks he has found enough evidence to seriously consider this scenario. But that doesn't matter, because the goal of sharing his research is that anyone can verify it independently:
After spending a significant amount of time working on this research in the last year, I think I have collected enough evidence to seriously consider the possibility that these radiation spikes were fabricated. My opinion, however, is irrelevant, because the only important aspect of this research is that all the data herein presented can be independently verified by anyone willing to do so. In fact, that is the objective of this paper.
The research is split into two disciplines: physics and cybersecurity:
As this research might attract readers from two different disciplines such as physics and security, I am breaking down the introductory section into two main areas: ‘Physical’ and ‘Cyber’. These sections are intended to provide the proper technical background to understand why the reported radiation spikes, not only do not comply with either the scientific literature or the most basic concepts of nuclear physics, but also have most of the elements to expect them to be part of a ‘cyber’ operation.
We start with the first topic (not my area of expertise, by the way ...)
In April 2020, the CEZ suffered the worst forest fires ever recorded to date, which resuspended a significant amount of 137Cs that even reached Kiev. Below we can also see Checkpoint Leliv, but this time engulfed by an intense smoke plume. This picture introduces one of the main issues elaborated in this research: the same radiation monitoring network that detected radiation spikes during the invasion did not report any during these wildfires.
For the photo, see pages 10 and 11 of the PDF. Because on 24 and 25 February there was snow on the ground there, whereas in April 2020 it was dry. And that is notable:
Intuitively, and empirically, we know that by driving on a dry, unpaved road we will stir up more dust than in doing so over a damp, paved surface, but there should be an approach to validate that this conclusion is scientifically valid.
He then links to scientific papers that back this up scientifically.
Next comes an analysis of which vehicles would have driven there, and a comparison with how dust behaves around agricultural vehicles.
The resuspension factor decreases exponentially when the soil is moist:
This finding with regards to humidity matches what has been observed in other experiments. For instance, Wagenpfeil et al. (1999), in the paper ‘Resuspension of Coarse Particles in the Region of Chernobyl’, found that the resuspension factor (ratio of activity in the air to the surface deposit) decreases exponentially when the soil moisture increases.
The experiments referenced in this paragraph describe two interesting concepts:
1. After a rapid period of resuspension due to the initial traffic activity, the remaining vehicles would not be contributing that much to the resuspension rate, because basically there are no materials left to be resuspended. This behavior is exactly what happened in Denmark in 1986, just a few months after the Chernobyl accident.
Please note that, in 2022, it is unrealistic to even consider a substantial resuspension, as roads in the CEZ have been decontaminated since 1989. In addition to this, we must bear in mind the large number of vehicles that have been circulating throughout the CEZ during the last 30 years.
And data on that is available as well.
Coarser particles settle faster:
Coarser particles are resuspended more rapidly, and they have also higher deposition velocities. Once resuspended, they will be transported and deposited according to their aerodynamics, the climatological conditions, and so on.
We can read yet another empirical demonstration of this process in the paper ‘Measurement of Resuspended Aerosol in the Chernobyl Area’.
As we might expect, the observed peaks correspond to the period when a big tractor is harrowing, followed by a sharp decrease which corresponds to periods of inactivity. Please note the time intervals for these physical processes to occur are in minutes, this will be important later.
For the image, see page 19 of the PDF.
As we have seen, the physical processes that had to take place in the CEZ to give any credence to the ‘resuspension of soil’ explanation are the exact opposite of what has been described in the scientific literature. I find it hard to believe that this explanation was even considered plausible in the first place, but the situation at that moment was certainly complicated.
(Bold added by me.)
He then quotes Eugenio Gil:
If there had been a very intense movement of vehicles, especially with chains, in the most contaminated area, a few kilometers around the plant, it is possible that slight increases in the concentration of radioactive aerosols would have been observed in the air, as a consequence of the resuspension of radioactive materials deposited in the ground, which after 35 years have penetrated into subsoil layers. However, I doubt that they will have an impact on the level of direct radiation indicated by the graphs submitted. (Gil, 2022)
(Bold added by me.)
So that was the physics part.
Now the cyber part:
As we can see in the following image, each of these stations includes a GammaTRACER area monitor with a SkyLINK radio transmitter.
This is the new system, АСКРС or ASKRS. The old one, ASKRO, dates from 1986.
The other devices we find as part of these monitoring stations are WXT-520 weather stations and АУРА-02 aerosol analysis units (Petryanov filters).
In theory these could also measure caesium-137, but he decided to focus on the GammaTRACER.
He was then able to inspect the software at several public universities, specifically a version of DataEXPERT close to the one in use at Chernobyl:
These devices are usually restricted in terms of commercialization, so as an independent researcher I had to come up with an alternative approach. Fortunately, after several emails and phone calls, I eventually found some public universities that allowed me to visit their radiological laboratories to inspect equipment and software related to this research, including DataEXPERT (v4.0904B0, close to the version installed in Chernobyl) and DataVIEW.
The stations are autonomous:
It contains 2 batteries that allow the device to operate autonomously for up to 10 years, depending on the configuration of measurement cycles, but usually run for 5 years. This is important to note, because it means that power cuts do not affect GammaTRACER devices, contrary to what has been published.
He then explains how they measure:
Depending on the model, the device may contain one or two energy-compensated VacuTec Geiger-Müller tubes, for high and low dose rates. In this kind of device, in general terms, the voltage pulses generated in the tube’s anode go through a signal conditioning stage (see ‘Figure 33 Hardware - GammaTRACER Basic’) and are then processed by firmware to calculate the H*(10).
The GammaTRACER models deployed in the CEZ contain two independent VacuTec GM tubes (70003A40).
And then how they record:
The GammaTRACER can operate in two modes: ‘Normal’ and ‘Emergency’. The latter is automatically triggered when the detected H*(10) exceeds the configured control level for the radiation monitoring station. The following table shows this configuration for the regulatory stations in the CEZ.
The difference between these two modes:
These two different modes mainly impact the interval of the measurement and transmission cycles, which are fully configurable as well. For instance, the GammaTRACER devices in the CEZ were configured to transmit the H*(10) every hour when running in ‘Normal’ mode and every two minutes under ‘Emergency’.
But they don't measure every 2 or 60 minutes; they measure constantly and then send an average:
It should be noted that the hourly transmission cycle does not mean that the GammaTRACER only measures gamma levels every 60 minutes. In actuality, the GammaTRACER probe measures the radioactivity levels constantly throughout the hour period; every hour, an average value is then calculated, internally logged and transmitted.
Next comes a chip-level component analysis of the GammaTRACER and GammaTRACER XL (RTC, MCU, RAM, radio chip, etc.). I won't explain or quote that for now, but it is super interesting, especially given that this is tweakers.net (page 27 of the PDF).
Offline, they can store 12,800 records in RAM (Samsung, 128 kilobytes). These are overwritten cyclically. Besides the measurement itself, these records also contain the temperature and an integrity assessment of the measurement.
Then the part about the transmitter, SkyLINK (this is a transmitter, and that is what is used here). Not to be confused with ShortLINK, which also exists and is a transceiver. It can send small blocks of 512 bits of data. Up to 100 transmitters can be deployed per base station. CRC-32 error correction is used. The power is 165 dB for omnidirectional antennas and 185 dB for directional (30 degrees). Line-of-sight range without obstacles is more than 100 km; with light obstacles such as trees, buildings and mountains 10-50 km; and with heavy obstacles such as industrial terrain 3-10 km.
The above is from page 28:
Technical information about this protocol on the Internet is scarce, except for on the website of a Russian company (Soyuzatompribor) that participated in the ASKRS deployment in 2007, together with Ukraine’s State Specialized Enterprise Ecocentre and Ukratom Prilad.
All of this is very interesting if you want to apply a MITM.
And the Russians have been able to prepare such a MITM to their heart's content, because they use the same hardware at their NPPs:
Radiation monitoring networks based on GammaTRACER area monitors with SkyLINK modules are widely deployed across Europe, in Nuclear Power Plants and other nuclear facilities. The large amount of information that can be found on this Russian website, reveals that Russian NPPs are also usually equipped with these devices.
By now I actually know enough: a determined actor can do a MITM here on multiple layers. But I will read on.
Because he has reversed the protocol:
GammaTRACER devices can be locally interfaced in various different ways, such as the RS232 module or a built-in infrared interface present by default, as shown in the following image.
By reverse engineering DataVIEW/DataEXPERT I managed to understand this custom serial protocol and its capabilities.
Examples:
For instance, we can find timestamps for:
- Last measurement taken
- Last calibration
Configuration parameters:
- Control levels
- Measurement cycles
- Calibration constant
Additionally, there is a specific command implemented in this protocol that is interesting for this research, as it allows for the dumping of all historic measurements internally stored in the device. Please note that the ability to collect internal readings via the infrared/serial interface is a documented feature of the ‘DataVIEW’ software.
Another interesting fact is that under normal circumstances the data remains stored in RAM for up to 36 months:
As a result, assuming the internal storage capacity of 12,800 records and the configuration for measurement cycles (1 hour in ‘Normal’ mode, 2 minutes in ‘Emergency’ mode), we have the situation that months after the Russians withdrew from Chernobyl it could have been possible to collect the data corresponding to the 24th and 25th of February 2022, from those monitoring stations that allegedly recorded radiation spikes. However, it is unlikely that more than 18 months later the original readings can be found intact in the static RAM.
Another point made is that the local RTC (Real-Time Clock) determines the timestamps.
It is also worth clarifying that the timestamps of the measurements are generated using the GammaTRACER’s own Real-Time Clock (see ‘Figure 33 Hardware - GammaTRACER Basic’). This means that the timestamps of the reported spikes correspond to the internal GammaTRACER clock, instead of the clock of any other external system in charge of either dumping or receiving the readings.
This follows from the DataVIEW source code analysis.
More on the GammaTRACER, important details:
There are other commands that might be used as ‘anti-forensics’ methods:
1. The ‘Reset’ command will delete the measurements from the internal storage.
2. The ‘Firmware update’ command can also be abused to wipe data.
It looks like the IAEA did not do its homework properly:
While reading this IAEA report about the reconstruction of the Radiation Monitoring Network in the CEZ I found this:
As far as environmental monitoring is concerned, many of the fixed and mobile monitoring stations were damaged and were out of service. (IAEA, 2022)
He then comes up with very interesting speculations and scenarios, see page 31.
After that it is about the Central Processing Station, the SkyLINK base station / receiver.
The Base Station is comprised of:
1. UPS unit
2. Downconverter
3. DSP modules
4. Computer
... and the antennas.
The DataEXPERT software runs on Windows XP, but that doesn't say much by itself.
From the screenshot on page 33 I can't tell whether the machine is air-gapped.
Equipment
- Windows Workstations
- A Windows server (Primary Data Center) where software previously described was installed
- Regular network equipment
- Visual Alarms module
- Three lamps (‘System’, ‘Power’ and ‘Radiation’)
Then follows the timeline of relevant events. It matters, but is not unique to this research. Still worth mentioning:
February 4
Ukraine holds military drills within the CEZ, in the abandoned town of Pripyat. Nearby radiation monitoring stations did not detect abnormal radiation levels.
The rest is all about 24 February and later. All times are UA time.
20:30
The same statement mentions the exact time when the SNRIU establishes the loss of control over nuclear and radiation facilities inside the CEZ.
20:40
Coincidentally, just ten minutes after the SNRIU formally reports the loss of control over the CEZ, the first spikes in radiation levels were recorded in Pozharne Depo, Benevka, Diyatki, Gornoystapol, Ordzhonikidze, Straholissya and Teremci (KPP) radiation monitoring stations.
Then follows who spread the soil theory to whom.
April 7
First published stories about the destruction left behind in the wake of Russian occupation forces. In a France24 video, Mykola Bespalyi, head of Chernobyl Central Analytical Laboratory reports looted equipment, including a server and, ‘software to predict the development of any unusual situations, for example if a fire started in the CEZ.’ That description matches with the Central Processing Station server that was described in the ‘Cyber’ section, where both Bertin’s DataEXPERT and Ecocentre’s custom software are installed. [Figure 52 SkyLINK alarm lamps] This assumption is reinforced by the fact that the video shows the characteristic alarm lights (see image above) that are installed with GammaTRACER/SkyLINK deployments.
This is page 39/98.
A week later:
April 14
In a press conference, Yeygen Kramarenko, head of the agency for the Chernobyl Exclusion Zone, confirms that the server in charge of processing data from the radiation monitoring stations ‘has disappeared’.
Then, on 7 June, news comes out from the IAEA that the CEZ network is working again. The Chernobyl NPP communicates via SpaceX.
I have read the document up to here (page 42). Next time the second half, which contains the technical analysis.
[Changed 0% by Jerie on 19-08-2023 18:54. Reason: joined lines in quotes for better readability]
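As an added illustration (not code from the paper, Mirion or Bertin), here is the retention arithmetic behind the point about dumping old readings: a simulated GammaTRACER ring buffer of 12,800 records whose cycle length switches between the quoted 'Normal' (1 hour) and 'Emergency' (2 minutes) intervals, with each record stamped by the probe's own clock. The control level of 0.50 µSv/h, the dose values and the spike window are constructed assumptions; the model shows that the 24-25 February records would still be in the buffer when read out months later, and that the 'Reset' command leaves nothing to dump.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the post: 12,800 records; 1-hour 'Normal' and 2-minute 'Emergency' cycles.
CAPACITY = 12_800
CYCLE = {"Normal": timedelta(hours=1), "Emergency": timedelta(minutes=2)}

@dataclass
class Record:
    timestamp: datetime  # stamped by the probe's own RTC, not by the receiver
    dose_rate: float     # averaged H*(10) for the cycle, uSv/h (constructed)
    mode: str

class GammaTracerLog:
    """Ring buffer: once full, every new record overwrites the oldest one."""
    def __init__(self, control_level, capacity=CAPACITY):
        self.control_level = control_level  # assumed value, see build_example_log
        self.records = deque(maxlen=capacity)

    def append(self, ts, dose_rate):
        # Emergency mode is entered when H*(10) exceeds the control level.
        mode = "Emergency" if dose_rate > self.control_level else "Normal"
        self.records.append(Record(ts, dose_rate, mode))
        return mode

    def oldest(self):
        return self.records[0].timestamp

    def has_reading_at(self, iso_ts):
        return any(r.timestamp.isoformat() == iso_ts for r in self.records)

    def reset(self):
        # The 'Reset' command clears internal storage: nothing is left to dump.
        self.records.clear()

def retention_days(cycle, capacity=CAPACITY):
    """How far back the buffer reaches if every cycle had this length."""
    return capacity * cycle / timedelta(days=1)

def simulate(log, start, end, spike_start, spike_end, baseline=0.10, spike=1.00):
    """Run the probe from start to end; the cycle length follows the current mode.
    Dose values are constructed: 'baseline' outside the spike window, 'spike' inside."""
    ts = start
    while ts <= end:
        mode = log.append(ts, spike if spike_start <= ts < spike_end else baseline)
        ts += CYCLE[mode]
    return log

def build_example_log():
    # Constructed scenario: a spike from 20:40 on 24 Feb 2022 (time of the first
    # reported spikes) until noon the next day, read out on 1 Nov 2022.
    log = GammaTracerLog(control_level=0.50)  # control level is an assumption
    return simulate(log, datetime(2022, 2, 24), datetime(2022, 11, 1),
                    datetime(2022, 2, 24, 20, 40), datetime(2022, 2, 25, 12))
```

retention_days gives roughly 533 days for all-hourly cycles but under 18 days if a station sat in 'Emergency' mode the whole time, which is why the mode history matters when judging what an 18-month-old buffer can still hold.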