Computers at the US Nuclear Regulatory Commission (NRC) have been hacked three times in the last three years, according to documents obtained under an open-records request.
Two of the attacks are believed to have originated in foreign countries, while the source of the third remains unknown because incident logs have been destroyed.
The first attack used a regular phishing email to trick staff into handing over their login credentials. The message asked them to verify their user accounts by clicking on a link which took them to a cloud-based Google spreadsheet they had to log in to view.
The ruse targeted around 215 staff, of which 12 fell for the bait, according to the report obtained by Nextgov.
A second attack was more targeted and saw the attackers use spear phishing to take victims to an embedded URL that hosted malware in a Microsoft SkyDrive account.
The report does not say when the attacks occurred, nor does it divulge what, if any, data was compromised. Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, suspects a foreign nation, telling Nextgov:
Clearly, the spearphishing is a technique that we've seen the Chinese and the Russians use before. Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be.
Scott Burnell, an NRC moderator, attempted to alleviate any worries of public safety on a thread on the NRC blog:
The NRC's computers cannot affect U.S. nuclear power plant operations – the plants' safety and control systems are physically isolated and have no Internet connectivity. The NRC also requires U.S. reactors to meet stringent cybersecurity requirements for other plant systems.
NRC spokesman David McIntyre said that the NRC “detects and thwarts” the majority of attacks, but admitted that some had succeeded:
The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken.
Although this wasn’t a direct attack against critical infrastructure, it is still a serious concern. At the very least we can assume that information that was supposed to be under wraps was compromised. Even if private information isn’t immediately valuable, it can be used to make subsequent spear phishing or social engineering attacks more plausible.
Most worrying of all, though, is that phishing – a technique that’s as old as the hills in computing terms – is still productive against organisations that should be prepared for it.
Phishing attempts against organisations and individuals aren’t likely to go away any time soon, so staff need to be trained to recognise attacks, and organisations need to have a system in place for people to report attacks if they discover they’ve been duped.
Email is not a secure system and it’s easy to send emails that claim to be from somebody or somewhere they aren’t. For that reason you should treat all emails with suspicion and be highly circumspect about links and attachments.
Organisations should adopt a policy of never sending links to login pages in their emails – either internally or externally. If that’s your stated policy then people know that any email that appears to be from you but contains a login link is a phish.
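The "no login links in our email" policy only helps if something enforces it. Below is an added illustration, not code from the original article or from the NRC, of a mail-gateway check that applies that rule: any message whose From address claims the organisation's own domain and which carries a link to a login-style page is flagged, and so is any link whose visible text shows a different host from the one it actually points to (the "verify your account via this spreadsheet" pattern described above). The organisation domain `example.org`, the login-path keyword list, and the two sample messages are all constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation domain for the policy check (hypothetical value).
ORG_DOMAIN = "example.org"

# Assumed heuristic: path/query fragments that usually denote a login page.
LOGIN_HINTS = ("login", "signin", "sign-in", "logon", "authenticate", "verify")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(msg: Message):
    """Return (href, visible text) pairs from HTML and plain-text parts."""
    links = []
    for part in msg.walk():  # yields the message itself when not multipart
        body = part.get_payload(decode=True)
        if body is None:
            continue
        body = body.decode(errors="replace")
        if part.get_content_type() == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
        elif part.get_content_type() == "text/plain":
            # In plain text the visible text is the URL itself.
            links.extend((u, u) for u in URL_RE.findall(body))
    return links


def looks_like_login(url: str) -> bool:
    """Heuristic: does the path or query suggest a credential-entry page?"""
    parsed = urlparse(url)
    return any(h in (parsed.path + "?" + parsed.query).lower() for h in LOGIN_HINTS)


def sender_domain(msg: Message) -> str:
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str):
    """Return [(href, [reasons])] for every link that breaks the policy."""
    msg = message_from_string(raw)
    claims_org = sender_domain(msg) == ORG_DOMAIN
    findings = []
    for href, text in extract_links(msg):
        reasons = []
        if claims_org and looks_like_login(href):
            reasons.append("login link in mail claiming to be from " + ORG_DOMAIN)
        shown = URL_RE.search(text)  # visible text that itself looks like a URL
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            reasons.append("displayed URL host differs from actual link host")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: internal-looking "verify your account" lure.
PHISH_SAMPLE = """\
From: IT Helpdesk <it-helpdesk@example.org>
To: staff@example.org
Subject: Verify your user account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please verify your account within 24 hours:</p>
<a href="https://docs.google.com/spreadsheets/login?continue=CONSTRUCTED">https://intranet.example.org/accounts</a>
</body></html>
"""

# Constructed sample: ordinary internal mail with a non-login link.
LEGIT_SAMPLE = """\
From: Comms <comms@example.org>
To: staff@example.org
Subject: Annual report published
Content-Type: text/plain; charset="utf-8"

The report is at https://www.example.org/news/2014/report for anyone interested.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_message(raw))
```

Run stand-alone, the script reports two reasons for the link in the constructed phish and nothing for the legitimate message. The host-mismatch rule is deliberately independent of the domain rule, so it still catches lures that arrive from outside the organisation; the domain rule is the one that turns the stated policy into a hard check.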
For more information about phishing, see if you can tell the difference between a legitimate email and a phish, read about how to spot a Man-in-the-Middle attack and how crooks can use legitimate websites for phishing, and learn how to report a computer crime.