“Protecting people and the environment” is listed like a motto on the U.S. Nuclear Regulatory Commission’s website. But hopefully that protection exceeds NRC employee’s abilities to spot targeted spearphishing emails, since falling for the tactic caused the agency to be hacked three times in the past three years.

A fraction of NRC’s annual $1 billion budget helps about 4,000 employees attend annual cyber-awareness training which includes warnings about phishing, spearphishing and other methods attackers might exploit to gain entry into the agency’s networks. Apparently not everyone was paying attention and heeded those “don’t-fall-for-phishing” instructions as NextGov learned that the NRC was hacked twice by foreigners and a third time by an unknown attacker.

Through a Freedom of Information Act request, NextGov discovered that one hacking incident involved about 215 phishing emails asking NRC employees to click a link, log in and verify their user accounts. The link actually took victims to a cloud-based Google spreadsheet. One dozen NRC personnel fall for that trick and entered their info on the spreadsheet. The IG Cyber Crime Unit tracked “the person who set up the spreadsheet to a foreign country,” but didn’t name which country.

The NRC “regulates commercial nuclear power plants and other uses of nuclear materials, such as in nuclear medicine, through licensing, inspection and enforcement of its requirements.” That means it handles databases with the location and condition of nuclear reactors, radioactive waste and facilities that handle weapons-grade nuclear materials. The NRC was not clear on precisely what all information was entered in the Google spreadsheet, but claimed to have “cleaned their systems and changed their user profiles” after that hack.

In hack two, attackers tapped the cloud again…but Microsoft’s this time. A foreign government or individual used targeted spearphishing emails that contained a link to malware hosted on Microsoft Skydrive. One person fell for that trick.

The third compromise was slightly more complex. After breaking into one NRC employee’s personal email, an attacker used it to send a malicious PDF attachment to 16 other NRC personnel in the employee’s contact list. The PDF contained a JavaScript vulnerability; one person opened it and was compromised. When investigators attempted to trace the origins of this attack, the ISP said it “had no log records for that date” as the “logs had been destroyed.”

NRC spokesman David McIntyre stated:

"The NRC’s computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees. The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken."

Two cybersecurity experts told NextGov that spearphishing is a tactic that the Chinese and Russians typically utilize; the NRC would be a juicy “target for nation states seeking information on vulnerabilities in critical infrastructure.”

99% of self-proclaimed hackers surveyed at Black Hat said they believe simplistic hacking tactics like phishing still work…and obviously they do.