CERN Logic Bomb: IT Worker Plants Malware Set to Activate After Resignation

A systems administrator at CERN's Large Hadron Collider project planted a logic bomb designed to destabilise CERN's computing infrastructure. It was discovered and disarmed before detonating — just as the LHC was preparing for its historic first experiments.

CERN / Large Hadron Collider · 2008 · 2 min read

Background

CERN is the European Organisation for Nuclear Research, home to the Large Hadron Collider. In 2008, as the LHC was preparing for its first particle collision experiments, a frustrated systems administrator planted a logic bomb in CERN's computing infrastructure.

The Attack

The sysadmin, reportedly dissatisfied with his employment situation, wrote malware designed to activate after he had left CERN's employment. The code, when triggered, would have progressively destabilised computing systems running grid computing jobs for the LHC experiments. CERN's security team discovered the malicious code during a routine audit. The code was analysed and determined to pose a significant threat to computing operations, though not to the physical accelerator or safety systems.

Response

CERN's security team identified and removed the logic bomb. The engineer was dismissed. The incident was handled largely internally at CERN and reported to law enforcement. Specific details were not widely published, but CERN confirmed the incident to press after it became known.

Outcome

The incident highlighted that disgruntled sysadmins with intimate knowledge of critical infrastructure systems can plant subtle, time-delayed malware. The timing — just as CERN was preparing for historically significant experiments — suggests the motivation may have been reputational damage as much as operational harm.

Key Takeaways

  1. Logic bombs planted by disgruntled administrators can be detected through code auditing and system integrity monitoring
  2. Privileged access must be revoked immediately upon any indication of disgruntlement or planned departure
  3. System integrity monitoring on production infrastructure should detect unauthorised code changes even by authorised administrators
  4. Scientific and research computing infrastructure with significant public visibility is a target for reputational damage attacks
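Takeaways 1 and 3 describe integrity monitoring that catches unauthorised code changes even when the change was made by an administrator with legitimate access. The script below is an added illustration, not CERN's tooling and not code from the incident: it records a trusted baseline of SHA-256 digests for a directory of job scripts, rescans later, and reports added, modified and removed files. The directory layout, file names and contents are constructed for the demonstration.

```python
"""File-integrity baseline check for a directory of job scripts.

Added example (not CERN's tooling): it models the kind of integrity
monitoring the takeaways describe. A trusted baseline of file hashes
is recorded; later scans are diffed against it, so an administrator's
unauthorised edit to a script shows up as a modified or added file.
The directory layout and file contents below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted lists of added / modified / removed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a job-script tree, alter it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jobs").mkdir()
        (root / "jobs" / "submit_grid_job.sh").write_text(
            "#!/bin/sh\nexec run-job \"$@\"\n")
        (root / "jobs" / "cleanup.sh").write_text(
            "#!/bin/sh\nrm -rf /scratch/tmp/*\n")
        baseline = build_baseline(root)

        # Constructed tampering: one script is edited outside change control
        # and an unreviewed file appears alongside it.
        (root / "jobs" / "submit_grid_job.sh").write_text(
            "#!/bin/sh\n# unreviewed edit\nexec run-job \"$@\"\n")
        (root / "jobs" / ".helper").write_text(
            "# constructed placeholder for an unreviewed file\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The check is only as strong as the baseline: if the same administrator can rewrite the stored digests, the comparison is meaningless. In practice the baseline is written from a reviewed release, signed or kept on a host the monitored administrators cannot write to, and a non-empty diff is raised as an alert for someone other than the person who made the change.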
Tags: logic bomb, disgruntled employee, sysadmin, CERN, delayed activation