Dive Brief:
- An internal U.S. Nuclear Regulatory Commission investigation into cyber-attacks revealed the agency was hacked three times between 2010 and 2013 via “tainted” emails, with one attack from a source described as “unidentifiable” and the other two originating outside the U.S., according to an NRC Inspector General’s report obtained by Nextgov.
- One attack began when 215 employees received phishing emails asking them to verify their accounts, and 12 logged in to what the IG Cyber Crime Unit found was a tainted cloud-based Google spreadsheet set up outside the U.S. A second attack, also set up in a foreign country, targeted an unspecified number of commission employees with spearphishing emails containing a URL linked to malware on a cloud-based Microsoft SkyDrive storage site; it compromised one NRC employee.
- In the third attack, by the “unidentifiable” source, intruders accessed a Nuclear Regulatory Commission employee’s personal email account and sent emails to 16 employees on that person’s contact list. The emails carried a PDF attachment containing a JavaScript security vulnerability, and one recipient opened it. When the sender’s internet service provider records were subpoenaed, the log had been destroyed, making it impossible to track further.
Dive Insight:
U.S. energy sector cyber-attacks are rarely disclosed.
The Inspector General’s report on the cyber-attacks indicated they had been “detected” and effectively managed, but it did not specifically state that no vital information about the U.S. nuclear sector was revealed.
In May, the Department of Homeland Security (DHS) reported a hack at an unnamed public utility that compromised its control system network but had no impact on operations.
The DHS Industrial Control Systems Cyber Emergency Response Team responded to 256 cyber incident reports in 2013, more than half in the energy sector and twice the 2012 number, but none caused a major disruption.