The news was contained in an Inspector General report that Nextgov obtained through an open records request.
One of the breaches took place after phishing emails were sent to about 215 NRC employees in what the report described as "a logon-credential harvesting attempt." A dozen NRC employees clicked on a link in the email, which took them to a Google spreadsheet.
NRC spokesman David McIntyre said it's not known what the employees actually entered in the spreadsheet. "Based on the mere fact of clicking on the link, NRC cleaned their systems and changed their user profiles," he told Nextgov.
The Inspector General's cybercrime unit tracked the person who set up the Google spreadsheet to "a foreign country," the report states.
In a separate but similar breach, targeted spear phishing emails were sent to NRC employees. A link in the emails redirected victims to a "Microsoft SkyDrive storage site," which delivered malware.
In that case, the report states, "There was one incident of compromise and the investigation tracked the sender to a foreign country."
In the third case, hackers accessed one NRC employee's personal email account and used it to send malware to 16 other NRC employees. Investigators subpoenaed the initial victim's ISP, but the ISP's logs had been destroyed and the investigators were unable to identify the attacker.
Among the data that the attackers may have accessed are databases listing the location and condition of nuclear reactors, and information about the inventories of plants that handle weapons-grade materials.
Armond Caglar, senior threat specialist at TSC Advantage, noted by email that the campaign appeared to be focused on two key areas: (1) gathering information on U.S. nuclear reactors' condition and health, and (2) assessing the cyber-readiness of the NRC workforce.
"Because of this, common sense would suggest probable state sponsorship, likely a China or Russia, who would have obvious intelligence requirements on information such as this, and also because of the tradecraft used here," Caglar said.
And while NRC employees do receive training on cyber threats, Caglar noted that the training clearly isn't effective. "This could be because of inherent limitations in design, perhaps because the training is conducted too infrequently, or because the curriculum is legacy-based and does not evolve (or keep up with) the latest real-world threats and methodologies," he said.
A recent eSecurity Planet article examined several ways to fight social engineering attacks, including implementing specific policies, providing effective training, and offering a safe, repercussion-free way for employees to report lapses.
Photo courtesy of Shutterstock.