NRC says it conducts regular security training sessions, but its employees are still tempted by phishing emails
The US Nuclear Regulatory Commission (NRC) was successfully hacked three times in the past three years, according to documents seen by Nextgov.com.
Two of the attacks are believed to have been carried out by foreign hackers, and another one by an unidentified individual. All three used phishing emails to compromise employee computers.
Attacks against critical national infrastructure are an increasingly important topic, with security experts warning that the number of such incidents will keep growing.
About that plutonium
Details of the attacks were found in a report by NRC’s office of the Inspector General, obtained through a Freedom of Information request. In total, there were 17 suspected braches at NRC from 20010 to 2013. Three of them were successful, at least in getting into the agency’s network.
There are no details on what kind of information, if any, was stolen, but NRC typically deals with reactor safety and security, licensing of radioactive materials, radionuclide safety and spent fuel management. According to a report quoted by Nextgov, some of the agency’s work involves monitoring the stockpile of weapons-grade plutonium and enriched uranium.
In one of the cases, phishing emails were sent to around 215 NRC employees and 12 were infected after clicking a link and logging into a fake website.
In another, attackers compromised a single work PC, and then used it to send further emails with a malware-ridded attachment across the organisation. According to the report, only one staff member was successfully tempted into opening the infected PDF document.
The commission spokesman David McIntyre told Nextgov that every NRC employee is required to complete annual cyber training that deals with phishing and other attempts to obtain illicit entry into agency networks.
Security researchers from FireEye suggest that the breaches could be the work of a state-sponsored hacker group, since average cyber criminals would have little interest in nuclear watchdog’s data.
The energy sector is thought to present a particularly critical target to a certain kind of attacker, since disrupting its digital systems would have a direct impact on the physical world.
In May, the US Department of Homeland Security warned organisations running Industrial Control Systems (ICS) that an unnamed utility service was compromised, although its operations were not affected. Last year, “sophisticated” malware kept a US power plant out of commission for three weeks.
In February, business secretary Vince Cable met with the representatives of the UK’s financial, water, energy, communications and transport sectors to highlight the need to protect critical national infrastructure against Internet-based attacks.
What do you know about famous hackers? Take our quiz!