The Department of Homeland Security and FBI have issued a joint report providing details of malware attacks targeting employees of companies that operate nuclear power plants in the US, including the Wolf Creek Nuclear Operating Corporation, The New York Times reports. The attacks have been taking place since May, as detailed in the report issued by federal officials last week and sent out to industry.
The “amber” alert to industry—the second-highest level of severity for these types of reports from the FBI and DHS—noted that the attacks had been focused on employees’ personal computers but had not managed to jump to control systems. Administrative computers and reactor control systems in most cases are operated separately, and the control networks are generally “air-gapped”—kept disconnected from networks that attach to the Internet.
There is no evidence that information on plant operations was exposed. FBI and DHS analysts have not been able to determine the nature of the malware planted by the attempted hacks, which used a “spear-phishing” campaign targeting senior industrial control engineers at nuclear facilities. The tailored e-mails contained fake résumés and appeared to be from people seeking control engineering jobs, according to the report seen by the Times.
While nuclear power plant industrial controls are “air-gapped,” that doesn’t necessarily mean that they are secure. A 2015 study by the British think-tank Chatham House found nuclear control systems to be “insecure by design” and vulnerable to attack. Some did not keep control systems isolated from administrative networks connected to the Internet, and others were vulnerable despite air-gaps because of the heavy use of USB thumb drives to move data and install software updates. Many of these systems run on older operating systems that are not regularly updated.
While the report gave no indication of the source of the attack, unnamed sources cited by the Times said that the attacks are similar in approach to those staged over the past five years by a “threat group” known by some researchers as “Energetic Bear“—a Russia-based campaign against energy sector targets. In those attacks, the malware implanted by the malicious e-mail attachments specifically targeted industrial control systems.
These attacks follow a much broader cyber-espionage campaign against critical infrastructure companies earlier this year. In April, the DHS warned of ongoing cyber-attacks on the energy sector as a whole, as well as healthcare, information technology, telecommunications, and infrastructure industries. Those attacks used Redleaves and other malware focused on stealing user credentials and providing a persistent backdoor to networks.