Exclusive: Nuke Regulator Hacked by Suspected Foreign Powers

The Three Mile Island nuclear power generating station.

The Three Mile Island nuclear power generating station. Bradley C Bower/AP File Photo

Credential-stealing emails and social engineering involved in three NRC computer breaches.

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation.

One incident involved emails sent to about 215 NRC employees in "a logon-credential harvesting attempt," according to an inspector general report Nextgov obtained through an open-records request.

The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to "a cloud-based Google spreadsheet."

A dozen NRC personnel took the bait and clicked the link. The IG Cyber Crime Unit was able to "track the person who set up the spreadsheet to a foreign country," the report states, without identifying the nation.

It is unknown what the NRC employees actually put on the spreadsheet, said commission spokesman David McIntyre. "Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles," he said. 

As the overseer of the U.S. nuclear power industry, NRC maintains records of value to overseas aggressors, including databases detailing the location and condition of nuclear reactors. Plants that handle weapons-grade materials submit information about their inventories to one such system, according to a 2000 IG report on efforts to protect critical infrastructure systems.  

According to the new report, hackers also attacked commission employees with targeted spearphishing emails that linked to malicious software. A URL embedded in the emails connected to "a cloud-based Microsoft Skydrive storage site," which housed the malware, investigators wrote. "There was one incident of compromise and the investigation tracked the sender to a foreign country." Again, the country is not named. 

In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee's contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment, McIntyre said. 

To trace the origins of the attack, investigators subpoenaed an Internet service provider for records regarding the day the initial victim's email account was hacked.

"But the ISP had no log records for that date that were relevant to this incident, since the logs had been destroyed," McIntyre said. It was not possible identify the offender without the logs, the IG assessment states. 

The inspector general in 2010 initiated the report to document possible NRC computer breaches. IG staff tallied 17 compromises or attempted compromises before closing the investigation in November 2013. A similar probe is planned for this year.

McIntyre said the commission is always concerned about the potential for intrusions into its computer networks. Every NRC employee is required to complete annual cyber training that deals with phishing, spearphishing and other attempts to obtain illicit entry into agency networks.

"The NRC’s computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees," he said. "The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken."

Not Your Common ID Theft

Experts who reviewed the report could not point to a specific attacker, but presumed a foreign government was responsible.

"An organization like the NRC would be a target for nation states seeking information on vulnerabilities in critical infrastructure," said Richard Bejtlich, chief security strategist for cybersecurity company FireEye. A variety of countries, for instance, would be interested in the results of the commission's safety audits, which typically are kept private, he said. 

"Clearly, the spearphishing is a technique that we've seen the Chinese and the Russians use before," said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations. "Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be."

Shawn Henry, a former top FBI cyber official, said another possibility is that the intruders could have been "foreign, but not necessarily tied to a nation state." An overseas individual could be using, perhaps, malware bought off the online black market that is "not specifically targeting NRC, but rather any computer that might inadvertently deploy the malware," said Henry, now president of cyber investigation firm CrowdStrike.

Federal systems are constantly probed by hackers, but those intrusions are not always successful.

Between fiscal years 2010 and 2013, agencies self-reported a more than 35 percent increase in cyber "incidents" or computer security violations -- reaching 46,160 events last year.

Agencies are not required to publicly disclose actual breaches, unless there is evidence personal information has been exposed. 

Notable breaches that have come to light in recent years include an assault on an Energy Department personnel database last summer, where intruders retrieved the names, dates of birth and Social Security numbers of 104,179 individuals. Hackers in 2011 entered a computer containing the SSNs of 123,000 federal employee retirement plan participants. In March, attackers believed to be from China accessed an Office of Personnel Management database containing files on staff who had applied for top secret security clearances. Federal officials say there is no proof yet personal data was taken. 

Just this month came word that Department of Homeland Security employee data likely was compromised when a suspected nation state penetrated a USIS corporate network. USIS conducts personnel investigations on behalf of many agencies.