BOSTON – The U.S. Nuclear Regulatory Commission was “successfully hacked” three times in recent years in attacks involving tainted emails, according to an internal investigation on cyberattacks at the agency, Nextgov.com reported on Tuesday.
At least two of the attacks originated overseas, according to the report obtained by Nextgov, a rare public report with details of a cyberattack on the energy sector.
The publication said it obtained a copy of a report by the NRC’s Office of the Inspector General, which reviewed 17 suspected breaches from 2010 to 2013.
The report did not name the countries where the attacks originated or say if data had been stolen from the regulatory agency, which holds sensitive data on the nuclear power industry.
Reuters was not immediately able to access the report, which Nextgov said it obtained through a Freedom of Information request.
“The few attempts documented in the OIG Cyber Crimes Unit report as gaining some access to NRC networks were detected, and appropriate measures were taken,” NRC spokesman David McIntyre said.
In one of the three cases, 12 employees clicked on a link in a phishing email that took them to what the agency believed was a tainted spreadsheet, McIntyre said.
In another case, attackers compromised the personal email account of an NRC employee, then sent malicious emails to 16 agency workers, McIntyre said.
Cyberattacks involving organizations in the energy sector are rarely disclosed by the government.
Officials say they keep information about cybersecurity secret both to prevent hackers from identifying ways to launch copycat attacks and to encourage businesses to share information with the government without fear of potentially negative publicity.
In May, the Department of Homeland Security reported that a sophisticated hacking group had attacked an undisclosed U.S. public utility and compromised its control system network, though there was no evidence that the utility’s operations were affected.
Last year, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 256 cyberincident reports, more than half of them in the energy sector. While that is nearly double the agency’s 2012 caseload, there was not a single incident that caused a major disruption.