America’s Nuclear Regulatory Commission was successfully attacked three times within the past three years, by unknown attackers, some foreign – and largely using standard phishing emails and similar techniques, according to the news site NextGov.
Two of the incidents have been traced to unknown foreign individuals, and another to an unidentifiable attacker, as records have been lost.
CNET reports that one incident led 215 employees of the nuclear agency to “a logon-credential harvesting attempt,” hosted on “a cloud-based Google spreadsheet.” The information was obtained through a specific request by NextGov.
A second spearphishing attack targeted specific employees with emails crafted to dupe them into clicking a link which led to malware on Microsoft’s cloud storage site SkyDrive.
The third attack was a spearphishing attack directed at a specific employee. Once his account credentials were obtained, emails were sent to 15 further employees, with malware-laced PDFs.
“It’s still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action. It’s also unclear how far the attackers got,” the Verge reports.
NRC spokesman David McIntyre said that his security team “thwarts” most such attempts.
“The few attempts documented in the OIG (Office of the Inspector General) cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken,” he said, speaking to CNET.
Slashgear reports, “The reasons for the hacks aren’t known, but are suspected to be an effort to harvest details about the nation’s nuclear infrastructure – another suggestion is that the NRC might not be a specific target, but instead swept up by chance in a more general attack by an individual hacker rather than a foreign nation’s government.”
A recent report on America’s energy agencies said such incidents were increasing 35% between 2010 and 2013.
The report, “INFORMATION SECURITY Agencies Need to Improve CyberIncident Response Practices.” said, “Our sample indicates that agencies demonstrated that they completed their eradication steps for the majority of cyber incidents. Specifically, our analysis shows that for about 77 percent of incidents governmentwide, the agencies had identified and eliminated the remaining elements of the incident. However, agencies did not demonstrate that they had effectively eradicated incidents in about 23 percent of incidents.”
The report made 25 suggestions about how agencies could improve responses, including that agencies should, “revise policies for incident response to include requirements for defining the incident response team’s level of authority, prioritizing the severity ratings of incidents based on impact and establishing measures of performance.”
Author Rob Waugh, We Live Security