Hackers hit the U.S. Nuclear Regulatory Commission (NRC) three separate times during the past three years, duping employees of the agency into spreading malware and clicking through phishing links intended to harvest log-in credentials.
A NextGov report on Monday said hackers in an unnamed foreign country are responsible for the phishing attempt, yet it’s unclear exactly what the attackers were hoping to glean by it.
NextGov’s source, an Office of the Inspector General report obtained via an open-records request, did not state what employees may have divulged in the attack, but did say that 215 employees were targeted and a dozen took the bait, clicking through to a Google Docs spreadsheet.
The phishing emails asked the employees to verify their user accounts, suggesting a combination of usernames or passwords may have been harvested.
The NRC said it was quick to act, however.
“Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles,” David McIntyre, a public affairs officer with the NRC, told NextGov regarding the attack this week.
In a subsequent attack, hackers, also from a foreign country, sent specific employees at the NRC spear-phishing emails that led to malware. A URL embedded in the emails linked back to a Microsoft cloud-based OneDrive (previously SkyDrive) storage site that hosted malware, according to NextGov.
It was not revealed if a single country, collection of countries, or a nation state is behind the attacks.
In the third attack, hackers were able to penetrate the personal email account of an employee at the agency and propagate malware – a PDF attachment that contained a JavaScript security vulnerability – to 16 other people in the user’s contact list. The malware ultimately infected one person.
While the NRC was able to link the first two attacks to foreign countries, the identity of the last hacker couldn’t be determined, McIntyre said, because the ISP’s logs had been destroyed.
While there’s no specific timeline for any of the three attacks, NextGov claims the inspector general started the report in 2010, found 17 compromises or attempted compromises, and concluded the report in November 2013.
McIntyre said the NRC’s computer security office usually “detects and thwarts the vast majority” of hacking attempts and that the attempts highlighted in the OIG report were met with the appropriate measures.
The NRC is in charge of maintaining detailed information about nuclear reactors, waste storage facilities and uranium processing plants across the nation. Information about each reactor’s security, along with how spent radioactive activity is stored, recycled and disposed of, is also stored on NRC systems, not to mention databases upon databases of other information that might prove interesting to attackers looking to execute further attacks on critical infrastructure.
An investigatory report released by Sen. Tom Coburn, M.D. (R-Okla.) earlier this year revealed that in the past the NRC has stored sensitive details about nuclear plants on an unprotected shared drive and that the agency’s IT division suffers from a “general lack of confidence.”
In the paper, Coburn also described the NRC’s failure to report security breaches, inability to keep track of computers and other examples of what he called “general sloppiness.”
While the Regulatory Commission usually posts any reports it receives from the Inspector General’s Office on its site, this particular report stems from a Freedom of Information Act (FOIA) request.
The last report pertaining to cyber security on the NRC’s site dates back to May, when the OIG reviewed the agency’s plans for securing nuclear power plants in the event of a cyberattack.
At the time the OIG found the NRC’s plans adequate and had no reason to make any recommendations to the agency.