CIO

Workers at U.S. nuclear regulator fooled by phishers

Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three phishing attacks that occurred over a three-year period.

The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.

In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.

A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers' systems and changed their credentials, a commission spokesman told Nextgov.

In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from SkyDrive, Microsoft's file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.

Both of the attacks originated from foreign countries that were not identified.

In the third incident, the attacker hacked an employee's email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer.

Whether the attack was from a foreign country was not known.

The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said.

During the 2013 fiscal year, U.S. government agencies reported 46,160 "cyber-incidents" in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.

The NRC's job is to ensure that the nation's nuclear power industry is following federal safety regulations.

Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Gintner, vice president of industrial security at Waterfall Security Solutions, said.

"It's clear that they're doing information gathering," Gintner said. "The question is why would you bother gathering this kind of information?"

Terrorists could use the information to plan an attack, while many nation states would likely be building a knowledge base on U.S. nuclear facilities, Gintner said. Such a database would give them options if a conflict occurred.

"This is a serious kind of incident, not because 'help, help, they're attacking a reactor,' but because somebody is doing information gathering, and you generally don't gather this information for benign purposes," Gintner said.

The attacks described by the inspector general succeeded despite the annual training NRC employees receive to help them spot phishing attempts.

"We can inoculate ourselves to be secure 90 percent of the time, but to be 100 percent secure is really darn near impossible," Adam Bosnian, executive vice president of the Americas at security company CyberArk, said.