recommended reading

Exclusive: Nuke Regulator Hacked by Suspected Foreign Powers

The Three Mile Island nuclear power generating station.

The Three Mile Island nuclear power generating station. // Bradley C Bower/AP File Photo

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation.

One incident involved emails sent to about 215 NRC employees in "a logon-credential harvesting attempt," according to an inspector general report Nextgov obtained through an open-records request.

The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to "a cloud-based Google spreadsheet."

A dozen NRC personnel took the bait and clicked the link. The IG Cyber Crime Unit was able to "track the person who set up the spreadsheet to a foreign country," the report states, without identifying the nation.

It is unknown what the NRC employees actually put on the spreadsheet, said commission spokesman David McIntyre. "Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles," he said. 

As the overseer of the U.S. nuclear power industry, NRC maintains records of value to overseas aggressors, including databases detailing the location and condition of nuclear reactors. Plants that handle weapons-grade materials submit information about their inventories to one such system, according to a 2000 IG report on efforts to protect critical infrastructure systems.  

According to the new report, hackers also attacked commission employees with targeted spearphishing emails that linked to malicious software. A URL embedded in the emails connected to "a cloud-based Microsoft Skydrive storage site," which housed the malware, investigators wrote. "There was one incident of compromise and the investigation tracked the sender to a foreign country." Again, the country is not named. 

In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee's contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment, McIntyre said. 

To trace the origins of the attack, investigators subpoenaed an Internet service provider for records regarding the day the initial victim's email account was hacked.

"But the ISP had no log records for that date that were relevant to this incident, since the logs had been destroyed," McIntyre said. It was not possible identify the offender without the logs, the IG assessment states. 

The inspector general in 2010 initiated the report to document possible NRC computer breaches. IG staff tallied 17 compromises or attempted compromises before closing the investigation in November 2013. A similar probe is planned for this year.

McIntyre said the commission is always concerned about the potential for intrusions into its computer networks. Every NRC employee is required to complete annual cyber training that deals with phishing, spearphishing and other attempts to obtain illicit entry into agency networks.

"The NRC’s computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees," he said. "The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken."

Not Your Common ID Theft

Experts who reviewed the report could not point to a specific attacker, but presumed a foreign government was responsible.

"An organization like the NRC would be a target for nation states seeking information on vulnerabilities in critical infrastructure," said Richard Bejtlich, chief security strategist for cybersecurity company FireEye. A variety of countries, for instance, would be interested in the results of the commission's safety audits, which typically are kept private, he said. 

"Clearly, the spearphishing is a technique that we've seen the Chinese and the Russians use before," said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations. "Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be."

Shawn Henry, a former top FBI cyber official, said another possibility is that the intruders could have been "foreign, but not necessarily tied to a nation state." An overseas individual could be using, perhaps, malware bought off the online black market that is "not specifically targeting NRC, but rather any computer that might inadvertently deploy the malware," said Henry, now president of cyber investigation firm CrowdStrike.

Federal systems are constantly probed by hackers, but those intrusions are not always successful.

Between fiscal years 2010 and 2013, agencies self-reported a more than 35 percent increase in cyber "incidents" or computer security violations -- reaching 46,160 events last year.

Agencies are not required to publicly disclose actual breaches, unless there is evidence personal information has been exposed. 

Notable breaches that have come to light in recent years include an assault on an Energy Department personnel database last summer, where intruders retrieved the names, dates of birth and Social Security numbers of 104,179 individuals. Hackers in 2011 entered a computer containing the SSNs of 123,000 federal employee retirement plan participants. In March, attackers believed to be from China accessed an Office of Personnel Management database containing files on staff who had applied for top secret security clearances. Federal officials say there is no proof yet personal data was taken. 

Just this month came word that Department of Homeland Security employee data likely was compromised when a suspected nation state penetrated a USIS corporate network. USIS conducts personnel investigations on behalf of many agencies.

Threatwatch Alert

Software vulnerability

Malware Has a New Hiding Place: Subtitles

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.