No details on exfiltrated data or the threat actors

Aug 19, 2014 14:47 GMT

Foreign intruders managed to find their way into the systems of the US Nuclear Regulatory Commission (NRC) on three occasions in three years, targeting personnel through phishing techniques.

The US NRC is in charge of overseeing commercial nuclear power plants and other uses of nuclear materials. It maintains information on the location and condition of nuclear reactors and centralizes details about weapons-grade material from plants across the country; its purpose is to ensure the security of US critical infrastructure.

In all three cases, the perpetrators were traced to locations overseas, although the foreign country could not be identified.

According to an Inspector General report obtained by NextGov under freedom of information requests, in one of the incidents the hackers sent phishing emails to 215 NRC employees in “a logon-credential harvesting attempt.”

The perpetrators lured the staff with a message asking them to verify their login credentials by signing into their accounts. The link, however, led to a “cloud-based Google spreadsheet” that captured all the information entered by the employees.

It appears that about a dozen of the targeted employees fell for the trick and handed their information to the attackers.

In a second attack, NRC staff were targeted with emails linking to malware, also hosted in the cloud (SkyDrive). The threat actors, again traced to an unknown country, claimed only one victim.

The third intrusion was carried out by compromising the personal email account of an employee and using it to deliver malware to 16 other members of the NRC staff. The attack relied on a malicious PDF file that exploited a Java vulnerability.

Efforts to trace the operator of the campaign failed because the ISP that could have provided information about the origin of the attack no longer had the necessary log records.

It is believed that the incidents are the work of a foreign government, although there is no evidence to support this theory.

However, the fact that the attacks were targeted and directed at an entity responsible for the security of the US critical infrastructure does make the theory highly plausible.

There are no details about the information the hackers were after or whether they managed to exfiltrate anything. The NRC is not connected to the systems in the nuclear plants, which are air-gapped for security reasons.

After each incident, the appropriate security measures were taken, with systems being swept for infections and cleaned. The report covers the period from 2010 to November 2013.