Traced to a foreign country (which has not been identified), the cyber-attacks targeted NRC employees and were primarily phishing emails linking to malicious software. Though it is still unknown what information was leaked and what information the hackers were attempting to steal, the NRC took every precaution in eliminating the contaminated systems and profile information for any employee who clicked on a phishing link.
"It is extremely concerning that these attacks involved a commonly used technique of spear-phishing," Deepen Desai, director of security research for Zscaler, said in an email to SC. "The sensitive information of prime interest to some foreign states makes it very important for organisations like NRC to not only continuously train their employees but also update their training content more frequently. It is also imperative for such organisations to adopt a stronger security policy."
NRC spokesman, David McIntyre, addressed such criticisms in his public statement: "The NRC's computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees." McIntyre also noted that "the few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken."
Trey Ford, global security strategist at Rapid7, added in an email to SC: "The energy sector is a high value target, so it's no great surprise to see the NRC being targeted."
"I am encouraged by this report; several things stand out to me. First, I think it's great to see data about attacks being shared publicly so other organizations can learn from what happened. Next, there is currently a strong and understandable emphasis in organizations on preventing attacks, with less consideration on how to respond when a compromise does occur, so it's great to see that NRC were able to detect and contain these incidents.
"Finally, the work around attribution is interesting here. Many people are quick to blame China for an attack, and every miscreant attacking a network is now 'advanced' and 'persistent'. Take note that the NRC had clean data on how many employees received the phishing email, and how many fell for it."