U.S. Nuclear Regulatory Commission (NRC) employees fell victim to email “phishing” attempts three times in the past few years, allowing intruders into the agency’s email system, according to an internal report by the Office of Inspector General obtained by news site Nextgov.com.
The internal NRC investigation revealed that twelve employees clicked on a link in an email asking them to verify their login credentials; the link actually took them to a Google Docs spreadsheet that appeared to collect information. About 215 NRC staffers received the phishing email. Though the NRC investigation did not determine exactly what information was collected, it changed the affected user profiles and cleaned the system.
Another email attack directed at NRC employees contained links to malicious software (“malware”); one employee system was compromised as a result.
Both of these attacks were traced to foreign nations, though the country was not named in the report.
Recent events suggest the attack may have been state-sponsored. Earlier this year, the U.S. government filed charges against five Chinese military officers for cyber attacks against victims in the nuclear power, metals, and solar power sectors. Also this year, computer security firm Symantec reported that a Russian-based group of hackers had successfully attacked targets across the energy sector, including grid operators.
In the third attack described in the NRC report, one employee’s email account was hacked and malware was sent to 16 other staffers on the employee’s distribution list, one of whom was infected. The NRC investigation was unable to trace the source of the attack.
The investigation was conducted from 2010 through November 2013. During that period, 17 compromises or attempted compromises were discovered. A new investigation is planned for this year, the Nextgov report said.
—Thomas W. Overton, JD is a POWER associate editor.