NRC Hacked: Report

Wednesday, August 20, 2014 @ 03:08 PM gHale

Over the past three years, computers at the Nuclear Regulatory Commission (NRC) ended up hacked twice by intruders believed to be foreigners and once by an unidentifiable individual, according to an Inspector General (IG) investigation.

One incident involved emails sent to 215 NRC employees in “a logon-credential harvesting attempt,” according to an inspector general report published on Nextgov.

Contractor Hacked, Satellite Data Breached
Accused Hacker Busted in France
London Teen Charged in DDoS Attacks
UT Woman Facing Embezzlement Charges

The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to “a cloud-based Google spreadsheet.”

A dozen NRC personnel took the bait and clicked the link. The IG Cyber Crime Unit was able to “track the person who set up the spreadsheet to a foreign country,” the report said, without identifying the nation.

It is unknown what the NRC employees actually put on the spreadsheet, said commission spokesman David McIntyre. “Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles,” he said.

NRC maintains records of value to overseas aggressors, including databases detailing the location and condition of nuclear reactors. Plants that handle weapons-grade materials submit information about their inventories to one such system, according to a 2000 IG report on efforts to protect critical infrastructure systems.

In short, the NRC is the overseer of the U.S. nuclear power industry

The new report found hackers also attacked commission employees with targeted spearphishing emails that linked to malicious software. A URL embedded in the emails connected to “a cloud-based Microsoft Skydrive storage site,” which housed the malware, investigators wrote. “There was one incident of compromise and the investigation tracked the sender to a foreign country.” Again, the IG report did not name the country.

In the third incident, bad guys broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee’s contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message ended up infected by opening the attachment, McIntyre said.

In an attempt to trace the attack, investigators subpoenaed an Internet service provider for records.

“But the ISP had no log records for that date that were relevant to this incident, since the logs had been destroyed,” McIntyre said. It was not possible identify the offender without the logs, the IG said.

The inspector general in 2010 initiated the report to document possible NRC computer breaches. IG staff tallied 17 compromises or attempted compromises before closing the investigation in November 2013. A similar probe should start up this year.

McIntyre said the commission is always concerned about the potential for intrusions into its computer networks. Every NRC employee must complete annual cyber training that deals with phishing, spearphishing and other attempts to obtain illicit entry into agency networks.

Leave a Reply

You must be logged in to post a comment.