Workers at U.S. nuclear regulator fooled by phishers

Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three phishing attacks that occurred over a three-year period.

The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.

In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.

A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers' systems and changed their credentials, a commission spokesman told Nextgov.

In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from SkyDrive, Microsoft's file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.

Both of the attacks originated from foreign countries that were not identified.

In the third incident, the attacker hacked an employee's email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer.

Whether the attack was from a foreign country was not known.

The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said.

During the 2013 fiscal year, U.S. government agencies reported 46,160 "cyber-incidents" in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.

The NRC's job is to ensure that the nation's nuclear power industry is following federal safety regulations.

Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Gintner, vice president of industrial security at Waterfall Security Solutions, said.

"It's clear that they're doing information gathering," Gintner said. "The question is why would you bother gathering this kind of information?"

Terrorists could use the information to plan an attack, while many nation states would likely be building a knowledge base on U.S. nuclear facilities, Gintner said. Such a database would give them options if a conflict occurred.

"This is a serious kind of incident, not because 'help, help, they're attacking a reactor,' but because somebody is doing information gathering, and you generally don't gather this information for benign purposes," Gintner said.

The attacks described by the inspector general succeeded despite the annual training NRC employees receive to help them spot phishing attempts.

"We can inoculate ourselves to be secure 90 percent of the time, but to be 100 percent secure is really darn near impossible," Adam Bosnian, executive vice president of the Americas at security company CyberArk, said.

Stories by Antone Gonsalves