
US nuclear reactor safety regulators hacked three times in three years


August 20, 2014


The United States Nuclear Regulatory Commission (NRC) has been hacked three separate times in the last three years, with at least two of the attacks believed to have been perpetrated by overseas hackers.

According to NextGov, which obtained information about the attacks after filing an open-records request, NRC employees were duped by a phishing email that asked them to verify their login details by taking them to a “cloud-based Google spreadsheet.”

A dozen of the 215 NRC employees targeted fell for the ruse and clicked on the link. Although it’s not known what information staff may have entered on the webpage, the opportunity for login credentials to have been harvested is obvious.

“Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles,” said commission spokesman David McIntyre.

In a separate incident, hackers targeted commission employees by sending them emails that linked to malware on a Microsoft Skydrive-hosted webpage. One computer is said to have become compromised as a result of the attack.

In both incidents the attacks were investigated, and traced back to an overseas country – although details of which country have not been made public.

Finally, NextGov’s report reveals that the personal email account of an NRC employee was broken into, and used to send out a malicious PDF file to 16 other workers in the employee’s address book. One recipient’s computer became infected by the malware after opening the attachment.

In that incident, it proved impossible to point a finger in any particular direction as to who might have been responsible, or where in the world they might have been based.

Of course, even if a country was named in these reports it doesn’t necessarily mean that an attack is state-sponsored, or has the support of the intelligence or military services of that nation. It could equally be “freelance” hackers working on their own, perhaps with their own motivations.

Furthermore, we shouldn’t forget that it is very easy for criminals to hide their tracks online. So, for instance, it isn’t complicated if you are a hacker based in Uganda to compromise a computer in Uruguay to attack a computer network in the United States.

That said, Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, told NextGov that he suspected a nation would be behind the attacks:

“Clearly, the spearphishing is a technique that we’ve seen the Chinese and the Russians use before. Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be.”

Personally, I find the quote that “spearphishing is a technique that we’ve seen the Chinese and Russians use before” pretty rib-tickling. Umm.. isn’t it also the case that we’ve also seen American, British, French, Israeli, Syrian, (I could go on…) hackers use targeted spearphishing emails before too?

After all, it’s hardly a sophisticated technique…

Before you head to the hills, and stock up on cans of baked beans, there’s something that should be underlined.

This was the US Nuclear Regulatory Commission which got hacked. It was not an actual nuclear reactor. Safety and control systems used at US nuclear power plants are physically isolated, and aren’t connected to the internet.

The hackers may have been after sensitive information by hacking into the NRC, but there wasn’t any danger of any reactors themselves failing as a direct result.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
