
Cyber Incident Victim: Nuclear Regulatory Commission

Date:

Jan 2010

Location:

United States of America

Summary

The Nuclear Regulatory Commission experienced multiple cyber intrusions involving credential harvesting through phishing emails that directed employees to malicious cloud-hosted documents, resulting in compromised systems and unauthorized access. Attackers also sent spearphishing emails with links to malware hosted on cloud storage, and used a compromised personal email account to distribute malicious PDF attachments, leading to further infections. Investigations traced some of the activity to foreign countries, though no specific nation was publicly identified; outside experts suggested nation-state involvement was plausible given the agency's oversight of nuclear infrastructure. The breaches prompted system clean-ups, user profile resets, and enhanced employee training, while the commission emphasized that its existing security measures stopped most attack attempts.


Description

Between 2010 and 2013, the U.S. Nuclear Regulatory Commission experienced three confirmed computer breaches involving foreign actors and unidentified intruders, as documented in an inspector general report. The first incident involved a phishing campaign targeting approximately 215 NRC employees through emails disguised as account verification requests. These messages contained links to a fraudulent Google spreadsheet designed to harvest login credentials. Twelve employees clicked the link, prompting the NRC to clean the affected systems and reset user profiles as a precaution, though which credentials were actually compromised was never determined. Investigators traced the spreadsheet's creator to a foreign country but did not publicly identify the nation. In a separate attack, hackers sent spearphishing emails containing URLs that redirected to malware hosted on Microsoft SkyDrive cloud storage. This operation resulted in one confirmed network compromise, with forensic analysis again linking the activity to a foreign country. A third breach originated from the compromised personal email account of an NRC employee, which the attackers used to send malware-laden PDF attachments exploiting a JavaScript vulnerability to 16 colleagues. One recipient opened the malicious attachment, infecting their machine. Attempts to identify the intruders through ISP records failed because the relevant logs had already been destroyed by the time investigators issued a subpoena.
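The three patterns above (an "account verification" lure pointing at a cloud-hosted document, a link to malware on a cloud storage host, and a PDF attachment carrying JavaScript) are all visible at the mail gateway before anyone clicks. The following triage script is an added example, not code from the NRC, the inspector general's report, or this page's sources. The host list, lure phrases and sample messages are constructed for illustration; the "PDF" bytes are a minimal stand-in, not a real document or exploit.

```python
"""Mail triage for the three phishing patterns described above.

Added example for this page; all hosts, phrases and messages are constructed
assumptions, not indicators taken from the NRC incidents.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Cloud document/storage hosts matching the lures named on the page
# (Google spreadsheets, Microsoft SkyDrive). Assumed list for the example.
CLOUD_DOC_HOSTS = ("docs.google.com", "skydrive.live.com")

# Phrases typical of an "account verification" lure (assumed keywords).
LURE_PHRASES = ("verify your account", "account verification", "confirm your login")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")

# PDF name objects whose presence means the file carries script or an
# auto-run action: /JavaScript and /JS hold the code, /OpenAction and /AA
# make the reader run it on open. Present in a real document only rarely.
PDF_SCRIPT_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def hosts_in(text):
    """Lower-cased set of hostnames found in http(s) URLs inside text."""
    return {h.lower() for h in URL_RE.findall(text)}


def pdf_has_script(data):
    """Cheap static check: does the raw PDF carry JavaScript or an open action?"""
    if not data.startswith(b"%PDF"):
        return False
    return any(marker in data for marker in PDF_SCRIPT_MARKERS)


def triage(raw):
    """Return a list of finding strings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + " " + text).lower()

    cloud_hosts = sorted(
        h for h in hosts_in(text)
        if any(h == c or h.endswith("." + c) for c in CLOUD_DOC_HOSTS)
    )
    if cloud_hosts and any(p in lowered for p in LURE_PHRASES):
        findings.append("credential-lure link to cloud document: " + ",".join(cloud_hosts))
    elif cloud_hosts:
        findings.append("link to cloud storage host: " + ",".join(cloud_hosts))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".pdf") or data.startswith(b"%PDF"):
            if pdf_has_script(data):
                findings.append("PDF attachment with embedded script/open action: " + name)
    return findings


def build_sample(subject, body, pdf=None):
    """Construct a sample message (not a real capture) for the checks above."""
    m = EmailMessage()
    m["From"] = "it-helpdesk@example.com"
    m["To"] = "employee@example.gov"
    m["Subject"] = subject
    m.set_content(body)
    if pdf is not None:
        m.add_attachment(pdf, maintype="application", subtype="pdf", filename="report.pdf")
    return m.as_bytes()


# Constructed stand-in for a PDF with an auto-run JavaScript action. It is not
# a well-formed document and contains no exploit; it only exercises the scan.
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

SAMPLE_LURE = build_sample(
    "Account verification required",
    "Please verify your account by completing this form: "
    "https://docs.google.com/spreadsheets/d/EXAMPLE/edit")
SAMPLE_STORAGE = build_sample(
    "Updated guidance", "New guidance is at https://skydrive.live.com/EXAMPLE")
SAMPLE_PDF = build_sample("Q3 report", "Attached.", pdf=SCRIPTED_PDF)
SAMPLE_CLEAN = build_sample(
    "Meeting notes", "Agenda: https://intranet.example.gov/agenda", pdf=PLAIN_PDF)

if __name__ == "__main__":
    for label, raw in [("lure", SAMPLE_LURE), ("storage", SAMPLE_STORAGE),
                       ("pdf", SAMPLE_PDF), ("clean", SAMPLE_CLEAN)]:
        print(label, triage(raw))
```

The script reads only decoded message content and attachment bytes; it never opens a URL or renders the PDF, so it is safe to run over suspect mail. The PDF check is a substring scan, which catches plainly written name objects but not ones hidden inside compressed object streams or hex-escaped names; a gateway would pair it with a real PDF parser.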


These breaches occurred within the context of 17 documented cyber incidents or attempts investigated by the NRC's Office of Inspector General between 2010 and November 2013. As the regulator of U.S. nuclear facilities, the NRC maintained sensitive databases containing reactor locations, operational conditions, and inventories of weapons-grade materials, information of significant value to potential adversaries. In response to the incidents, the agency implemented mandatory annual cybersecurity training for all employees covering phishing and spearphishing defense, while emphasizing existing protections such as firewall systems and employee reporting protocols. Commission spokesman David McIntyre stated that security teams detected and mitigated most intrusion attempts, with only a limited number achieving partial network access. Cybersecurity experts commenting on the report suggested nation-state involvement was plausible given the NRC's role in critical infrastructure oversight, pointing to historical patterns of Chinese and Russian operations using similar spearphishing techniques. However, the investigations established no conclusive attribution to any government or entity. The breaches reflected broader federal cybersecurity challenges: government-wide self-reported incidents increased by over 35% between fiscal years 2010 and 2013, though agencies typically disclosed compromises only when personal data was exposed. The NRC's IG planned additional probes to evaluate ongoing network vulnerabilities after closing this investigation cycle.
