The US Nuclear Regulatory Commission has revealed that between 2010 and 2013 it was successfully hacked three times, out of 17 recorded attempts.
Oddly, while the story is given prominent play on the UK Huffington Post, a search of the American version of the Huffpo turns up nothing on the story, offering instead updates on the Crimean and North Korean situations. The story was broken by NextGov.
The hacks themselves reportedly relied on the same low-tech but highly effective tactic the Syrian Electronic Army used to seize major media Twitter accounts, including the Huffington Post's: spearphishing.
Spearphishing is a variant of phishing, an attack with which anyone with an email account should be familiar. You get an email purporting to be from your bank, from Paypal, from Apple (an SEA favorite), or anywhere else you’re likely to have an account. It appears legit, requests that you re-enter your username and password to “update” their records, you fall for it, and BAM! Hackers have your account.
Spearphishing is a more finely-targeted variant of that; instead of sending the emails out to a wide swathe of the public, the hackers target a particular organization, sending the phishing emails to only people who work in the company.
Because people are people, because the emails are convincing, and because they are precisely targeted, spearphishing enjoys a very high success rate: all it takes is one victim with the right access in her account to fall for it, and the attacker is inside. Interestingly, phishing emails are opened, read, and acted upon more often than legitimate organizational emails, a testament to the power of highly motivated marketers everywhere.
The hackers sent 215 emails, according to documents obtained by NextGov. Instead of leading to a legitimate, secure login page, the link sent the hapless victims to a Google spreadsheet where they entered their credentials. Twelve people reportedly fell for the scam, a success rate for the hackers of roughly 5.6% (12 of 215), which for a spearphishing campaign is more than enough. This breach gave the hackers access to internal NRC documents. The attack has been attributed to unspecified hackers in an unspecified foreign nation.
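The lure described above is easy to triage mechanically: a login-themed message whose link goes not to the organization's own domain but to a public spreadsheet or form host. The following is an added example of that check, not code from the article, from NextGov, or from the NRC. It parses a constructed HTML email body, extracts every link, and flags three patterns: an href on a public form or spreadsheet host, login-themed anchor text pointing off the organization's domain, and displayed text that looks like a URL for a different host than the real target. The organization domain `example.gov`, the form-host list, the login keywords and the sample email are all assumptions made for the example.

```python
"""Heuristic triage of links in an HTML email body for credential-lure patterns.

Added example (not from the original article or the NRC). The sample email,
the organization domain and the host/keyword lists below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate services commonly abused to host credential-harvesting forms.
# Assumption for this example, not a list taken from the article.
FORM_HOSTS = {"docs.google.com", "forms.gle", "forms.office.com"}
# Words that make a link "login-themed" for the off-domain check (assumption).
LOGIN_WORDS = ("log in", "login", "sign in", "password", "update", "verify")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def _host_of_displayed_text(text):
    """If the anchor text itself looks like a URL, return the host it claims."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def triage_link(href, text, org_domain):
    """Return the reasons a link looks like a credential lure (empty list = clean)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    on_domain = host == org_domain or host.endswith("." + org_domain)

    if host in FORM_HOSTS:
        reasons.append(f"href host {host} is a public form/spreadsheet host")
    if host and not on_domain and any(w in text.lower() for w in LOGIN_WORDS):
        reasons.append(f"login-themed anchor text points off-domain ({host})")
    claimed = _host_of_displayed_text(text)
    if claimed and claimed != host:
        reasons.append(f"displayed URL host {claimed} differs from real host {host}")
    return reasons


def triage_email(html, org_domain):
    """Return [(href, reasons)] for every link in the body that trips a heuristic."""
    flagged = []
    for href, text in extract_links(html):
        reasons = triage_link(href, text, org_domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample: one spreadsheet lure, one genuine link, one spoofed URL
# (198.51.100.7 is a documentation address, not a real host).
SAMPLE_HTML = """
<p>Your network password expires today. Please
<a href="https://docs.google.com/spreadsheets/d/EXAMPLE/viewform">log in here to update your credentials</a>.</p>
<p>Policy reference: <a href="https://www.example.gov/about.html">www.example.gov/about.html</a></p>
<p>Or use <a href="http://198.51.100.7/login">https://www.example.gov/login</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_HTML, "example.gov"):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample body, the spreadsheet lure and the spoofed-URL link are flagged and the genuine `www.example.gov` link is not. The heuristics are deliberately conservative (host-based, not content-based), so a lure hosted on an attacker-registered look-alike domain with non-login wording would pass; this is a first-pass filter to feed a mail gateway rule or a SOC triage queue, not a replacement for user reporting and URL sandboxing.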
NextGov spoke to several cybersecurity experts about the attacks, getting a pretty uniform response:
“An organization like the NRC would be a target for nation states seeking information on vulnerabilities in critical infrastructure,” said Richard Bejtlich, chief security strategist for cybersecurity company FireEye. A variety of countries, for instance, would be interested in the results of the commission’s safety audits, which typically are kept private, he said.
“Clearly, the spearphishing is a technique that we’ve seen the Chinese and the Russians use before,” said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations. “Using the general logic, a nation state is going to be more interested in the NRC than you would imagine common criminals would be.”
Shawn Henry, a former top FBI cyber official, said another possibility is that the intruders could have been “foreign, but not necessarily tied to a nation state.” An overseas individual could be using, perhaps, malware bought off the online black market that is “not specifically targeting NRC, but rather any computer that might inadvertently deploy the malware,” said Henry, now president of cyber investigation firm CrowdStrike.
We should point out that the actual software controlling nuclear reactors was not part of the breach. So, sadly for government watchdogs everywhere, nobody at NextGov is selling any gloriously lucrative movie rights today.
Featured Image Cooling Towers by Paul on Flickr