US nuclear regulator hacked several times over three years

The US Nuclear Regulatory Commission (NRC) has been hacked three times in the past three years, a report has revealed.  

Two of the attacks have been attributed to criminals of foreign descent, while the third attacker has not been identified, according to an inspector general report obtained by Nextgov through a public records request.

The NRC maintains high-value data, including the location and condition of nuclear reactors, and inventories of plants that handle weapons-grade materials.

But US agencies are not required to report data breaches, unless there is evidence that personal information has been exposed.

News of the hacks comes nine months after the US published a draft framework of voluntary cyber security standards aimed at reducing risks to companies providing critical national infrastructure.

The US National Institute of Standards and Technology (Nist) drew up the framework with input from 3,000 industry and academic experts in response to an executive order by President Barack Obama.

The executive order called for a framework for assisting organisations responsible for critical infrastructure services to manage cyber security risk.

Like the UK, a large proportion of US organisations responsible for critical national infrastructure, such as electrical power and water supplies, are private sector companies.

According to the NRC report, one of the hacking incidents involved phishing emails aimed at harvesting logon credentials, by asking staff to verify their user accounts by clicking on a link and logging in.

The NRC cleared the computer systems and changed the user profiles of about a dozen staff members who clicked on the link despite an annual cyber security awareness training programme.

NRC staff members were also targeted using spearphishing emails that linked to malware, the report said, while in one case the attackers broke into a staff member’s email account.

The compromised account was used to send emails to other staff members with a malicious attachment that exploited a JavaScript security vulnerability.

The first stage of any targeted attack is information gathering and preparation, according to Andrey Nikishin, special projects director of future technologies at Kaspersky Lab.

“Attackers will scour social media for information on staff who can be targeted through well-crafted email phishing attacks,” he said.

The NRC report reveals that investigators have been unable to identify the source of the attack in which the email account was compromised because all relevant log records had been destroyed.

The report is based on an investigation into potential compromises of NRC computers from 2010 to November 2013.

Investigators identified a total of 17 compromises or attempted compromises. A follow-up investigation is reportedly planned at the NRC before the end of 2014.

An NRC spokesman said the agency’s security office detects and thwarts the vast majority of attempted cyber attacks, and that the “few attempts” documented by the report had been detected and “appropriate measures” had been taken.
