The US Nuclear Regulatory Commission (NRC) has been hit by at least three major cyber attacks over the past three years, designed to steal user log-in credentials and infect machines, according to a new report.
An Inspector General report obtained by Nextgov and covering the period 2010 to November 2013 shows that likely foreign operatives, potentially state-sponsored, launched 17 compromise attempts.
One such attempt apparently involved phishing emails sent to 215 employees urging them to verify log-in account details by clicking on a link.
The IG’s Cyber Crime Unit is said to have tracked the attacker down to an unnamed “foreign country”.
Although 12 employees fell for the scam, the NRC “cleaned their systems and changed their user profiles”, according to spokesman David McIntyre.
Another attack involved spearphishing emails containing a malicious link to a Microsoft SkyDrive site loaded with malware.
That attack is said to have resulted in one compromise and was also traced back to a foreign nation.
Finally, the report details a case where attackers managed to infiltrate the email account of an NRC employee and sent malicious attachments in messages to the victim’s colleagues.
McIntyre played down the incidents.
“The NRC’s computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees,” he told Nextgov.
“The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken.”
However, the incidents do highlight the continued risks facing organizations in critical national infrastructure (CNI) industries.
The NRC apparently holds information on the location and inventories of nuclear plants around the US, as well as which facilities handle weapons-grade materials.
Charles Sweeney, CEO of Bloxx, argued that the case proves CNI firms must have a robust, holistic security policy.
“The examples cited yet again underline the importance of ensuring employees are cyber crime savvy and rather than blindly clicking on links, think ‘hang on a minute, this doesn’t look right’,” he told Infosecurity.
“The techniques being employed are some of the oldest tricks in the book – and people are still falling for them.”
Jason Steer, director of technology strategy at FireEye, claimed that energy and utilities companies are among the top eight industries targeted globally.
“Many CNI organizations underestimate the risk from cyber given that they have built what they consider to be a resilient, secure, best of breed layered network over the past 10 years and assume they are secure,” he told Infosecurity by email.
“The reality is that they don’t have the right technology that could tell them of a breach.”
Apart from user awareness training and bringing in technology to identify APT activity, he urged security bosses to assume that their organization may already have been hit.
“Establish a cyber risk framework that enables the business with board level sponsorship to drive through changes and capabilities to mitigate the risk from a cyber attack,” Steer added.
“Also establish an incident response/management service in a SOC/CIRT team to be able to detect and react to an APT event in minutes or hours.”