US Nuclear Agency hacked 3 times, Government confirms

US : The United States Nuclear Regulatory Commission, regulator of the nation's use of nuclear materials and commercial power plants, was compromised three times in as many years, according to a report from Nextgov. Two of the hacks are said to have resulted from someone(s) abroad, while the third responsible party has not yet been identified.

Experts say that foreign powers could use the NRC's sensitive information for surveillance or even sabotage, although the Commission says that the handful of attacks were detected and dealt with.

One of the incidents saw the attacker mount a sophisticated phishing email campaign that targeted roughly 215 NRC employees, designed to steal their account login credentials. More than 12 NRC employees are listed as "taking the bait".

A second attack was more targeted and saw the attackers use spear phishing to take victims to an embedded URL that hosted malware in a Microsoft SkyDrive account.

The third attack targeted an NRC employee's personal email account, leading to malware-ridden emails being sent to 16 co-workers in their contact list, one of whom became infected via a PDF attachment containing a JavaScript security vulnerability.

Speculation in press reports indicated that a foreign government or nation state might be behind the attack.

“An organization like the NRC would be a target for nation states seeking information on vulnerabilities in critical infrastructure,” Richard Bejtlich, chief security strategist for cybersecurity company FireEye Inc, was quoted as saying.

“Clearly, the spearphishing is a technique that we’ve seen the Chinese and the Russians use before,” Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, said in the report. “Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be.”

Attacks like these are not to be taken lightly, since a 2000 report shows that the NRC holds information which would be very valuable to foreign governments — detailed information on nuclear reactors and data regarding which plants have weapons-grade materials. Currently, however, there is no mandate for agencies to disclose breaches unless personal data has been uncovered.