Cyber Incident Victim: Wolf Creek Nuclear Operating Corporation
Date: May 2017
Location: United States of America
Summary
Russian state-sponsored hackers infiltrated the business networks of a U.S. nuclear operator and other energy firms, harvesting credentials through spearphishing emails disguised as job applicant résumés and through compromised websites. The intrusions targeted administrative systems but did not breach operational controls at nuclear facilities, with the affected operator confirming no safety impacts due to segregated industrial systems. U.S. authorities assessed the campaign as reconnaissance to establish network footholds, potentially for future disruptive actions, while noting similar targeting of energy infrastructure in other countries. The incident underscored vulnerabilities in corporate networks despite robust isolation of critical industrial control systems at nuclear plants.
Description
In early May 2017, Russian government hackers targeted the business and administrative networks of U.S. energy companies, including Wolf Creek Nuclear Operating Corporation in Kansas, as part of a cyber reconnaissance campaign. The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) detected these intrusions and issued a joint alert to the energy sector in late June 2017, warning that advanced persistent threat actors had been stealing network credentials since at least May. The attackers employed spearphishing emails containing malicious Microsoft Word attachments disguised as job applicant resumes, alongside watering hole attacks compromising legitimate websites to harvest login credentials. According to U.S. officials, fewer than a dozen energy companies were affected, including multiple nuclear power operators. The National Security Agency (NSA) attributed the activity to Russia's Federal Security Service (FSB), marking the first confirmed instance of Russian state hackers penetrating American nuclear power company networks.

Wolf Creek Nuclear Operating Corporation confirmed its corporate networks were compromised but emphasized that no operational systems were impacted. Plant spokeswoman Jenny Hageman stated the reactor control systems remained isolated from business networks and the internet, with "absolutely no operational impact" on nuclear safety. The FBI and DHS corroborated this assessment, noting no evidence of breaches to industrial control systems across all affected companies. Industry experts highlighted that U.S. commercial nuclear plants generally maintain stronger isolation of operational technology compared to electric power facilities. While the intrusions raised concerns about potential future attacks on critical infrastructure, U.S. officials stressed the campaign appeared limited to reconnaissance, with no disruption to power generation or public safety. The incident occurred amid broader diplomatic discussions between U.S. and Russian leaders about establishing cybersecurity frameworks for critical infrastructure protection.
