
A recent investigation has revealed that the United States Nuclear Regulatory Commission (NRC) has been successfully hacked three times in the last three years.

Documents obtained by Nextgov through an open-record request show that two of the incidents involved hackers from a foreign government, while the perpetrator of the third has not yet been identified.

According to the report, all three attacks used phishing scams to trick personnel into clicking malicious links or unknowingly downloading malware.

One of the attacks targeted more than 200 employees, who received phishing emails instructing them to verify their account and login credentials through a malicious link leading to “a cloud-based Google spreadsheet.” Consequently, about a dozen NRC employees clicked the link.

The IG Cyber Crime Unit reportedly tracked the person setting up the spreadsheet to a foreign country, which was not disclosed in the report.

Another instance lured employees with targeted spearphishing emails linking to a “Microsoft Skydrive storage site.” The email, which had a URL housing the malware embedded in it, was also tracked to an undisclosed foreign sender.

The last attack was carried out by hacking into an NRC employee’s personal email account and sending malware to 16 other personnel in the employee’s contact list. The email included a PDF attachment containing a JavaScript security vulnerability that infected one employee who opened the attachment.

NRC spokesman David McIntyre responded by stating the commission makes an increased effort to prevent intrusions into its computer networks by requiring training and reporting from employees, as well as implementing a “strong firewall.”

Tripwire security researcher Ken Westin commented, “Even as we see more sophisticated malware being developed, old school methods, such as spearphishing, continue to be a successful attack vector against many organizations, even in highly secure environments where staff should know better.”

“The key to combatting these types of attack is continued education and awareness. Some organizations will also block cloud-based services like Google docs, but the employees may still be targeted at home through their personal email accounts and home internet connections.”
