An internal report at the Nuclear Regulatory Commission (NRC) has revealed that the agency had been hacked three times in the last three years by unspecified foreigners and a third unknown person or group, but what was stolen remains unknown, the Government Executive reports.
One incident involved emails sent to about 215 NRC employees in “a logon-credential harvesting attempt,” according to an Inspector General report Nextgov obtained through an open-records request.
However, it is still unclear whether the foreigners have any ties to a specific government, with former FBI cyber official Shawn Henry arguing that the attack may even be incidental and not related to the NRC at all, since automated malware might “not specifically [targeted] NRC, but rather any computer that might inadvertently deploy the malware.”. He also said that the intruders could have been “foreign, but not necessarily tied to a nation state.” An overseas individual could be using, perhaps, malware bought off the online black market.
The phishing emails asked personnel to verify their user accounts by clicking a link and logging in. The link really did was to take the victims to “a cloud-based Google spreadsheet.”
A dozen NRC personnel took the bait and clicked the link. The IG Cyber Crime Unit was able to “track the person who set up the spreadsheet to a foreign country,” the report states, without identifying the nation.
It is unknown what the NRC employees actually put on the spreadsheet, said commission spokesman David McIntyre. “Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles,” he said.
As the overseer of the U.S. nuclear power industry, NRC maintains records of value to overseas aggressors, including databases detailing the location and condition of nuclear reactors. Plants that handle weapons-grade materials submit information about their inventories to one such system, according to a 2000 IG report on efforts to protect critical infrastructure systems.
So it is pretty clear that this kind of hacks in such big organizations are making U.S National Security a child-toy.
According to the new report, hackers also attacked commission employees with targeted spear phishing emails that linked to malicious software. A URL embedded in the emails connected to “a cloud-based Microsoft Skydrive storage site,” which stored the malware, investigators wrote. “There was one incident of compromise and the investigation tracked the sender to a foreign country.” Again, the country is not named in the report.
To trace the origins of the attack, investigators subpoenaed an Internet service provider for records regarding the day the initial victim’s email account was hacked.
“But the ISP had no log records for that date that were relevant to this incident, since the logs had been destroyed,” McIntyre said. It was not possible identify the offender without the logs, the IG assessment states.It might be that the hackers used some paid VPNs which offer its customers log delete policy for better anonymity.
The inspector general in 2010 initiated the report to document possible NRC computer breaches. IG staff tallied 17 compromises or attempted compromises before closing the investigation in November 2013. That is probably gonna happen this year too.
McIntyre said that the commission always take their computer networks security seriously. To prevent this kind of attack every NRC employee is required to complete annual cyber training that deals with phishing, spear-phishing and other attempts to obtain illicit entry into agency networks.
“The NRC’s computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees,” he said. “The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken.“
The investigators have suspected the Foreign Governments for this hack.
“An organization like the NRC would be a target for nation states seeking information on vulnerabilities in critical infrastructure,” said Richard Bejtlich, chief security strategist for cybersecurity company FireEye. A variety of countries, for instance, would be interested in the results of the commission’s safety audits, which typically are kept private, he said.
“Clearly, the spearphishing is a technique that we’ve seen the Chinese and the Russians use before,” said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations. “Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be.“
Federal systems are constantly probed by hackers, but those intrusions are not always successful.