US Nuclear Regulatory Commission hacked three times

Spearphishing and malware used by 'foreign' attackers in presumed attempts to steal nuclear secrets

Computers belonging to the US Nuclear Regulatory Commission (NRC), an independent agency of the US government, have been successfully compromised at least three times in the last three years: twice by overseas attackers and once by an unidentifiable individual, according to the site NextGov.

NextGov obtained the results of an internal investigation by NRC through an open records request. The documents reveal that in one incident phishing emails were sent to about 215 NRC employees in an attempt to harvest login details. A link embedded in the email was clicked by a dozen or so recipients, some of whom may have entered their credentials into a web form that was linked to "a cloud-based Google spreadsheet". This, investigators discovered, had been set up by someone in a "foreign country". The country was not identified.

Hackers also used targeted spearphishing emails containing a link to "a cloud-based Microsoft Skydrive storage site" that contained malware. Investigators said that once again this was set up by someone in a foreign country, and that one person had fallen for the attack.

In the third incident the personal email account of an employee was hacked and used to email a PDF document that contained a JavaScript vulnerability to 16 NRC colleagues, the PC of one of whom became infected.

NRC spokesman David McIntyre said that staff undergo rigorous training to guard against the dangers posed by phishing and other methods used by attackers, and said it was unlikely that the attackers had managed to do much damage.

"The NRC's computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees," he said, as reported by NextGov.

"The few attempts documented in the [report] as gaining some access to NRC networks were detected and appropriate measures were taken."

The NRC, according to its website, "formulates policies, develops regulations governing nuclear reactor and nuclear material safety, issues orders to licensees and adjudicates legal matters".

While the identities of the attackers are not known, or at least not reported, information held on the NRC's systems would be of obvious interest to anyone seeking to find out about vulnerabilities in the USA's critical infrastructure, which would include nation states.

US government agencies are not required to disclose breaches, unless there is evidence personal information has been exposed. However, according to their own analyses, there was a 35 per cent increase in attacks on Federal bodies between 2010 and 2013.