July 10, 2017 By Douglas Bonderud 2 min read

On a list of worst-case cybercrime scenarios, the compromise of U.S. nuclear power plants easily takes the top spot. If attackers gain access to critical systems, anything from industrial espionage to full-scale disaster is possible.

Until now, this idea fell firmly into the realm of fiction. But according to The New York Times, a report confirmed by security specialists showed that cybercriminals have been busily breaching nuclear plant defenses since May. Is a malware meltdown imminent?

Finding Targets Within Nuclear Power Plants

Security experts aren’t sure exactly what threat actors were looking for, since they’ve been unable to analyze the full malware payload, the article explained. At least part of the fraudsters’ efforts focused on mapping out computer networks for future attacks.

It appears that the schemes fall into the advanced persistent threat (APT) category, which means they’re carried out by well-supplied groups with sophisticated skills and tools. Two people familiar with the investigation said the attacks mimicked those used by the Russia-based Energetic Bear cybergang, which has previously targeted energy companies.

John Keeley, of the Nuclear Energy Institute, noted that all nuclear power plants and facilities are required to report any threats to their “safety, security and operations.” This recent report came with an urgent amber warning, which ranks second-highest in the threat hierarchy.

Fraudsters were able to compromise nuclear networks using three common techniques: malware-laced Word documents, compromised websites and watering hole attacks. By composing highly detailed emails containing fake resumes and loaded with malware, the threat actors were able to pique the interest of senior industrial control engineers and gain access to a wide range of industrial control systems (ICS).

While facilities such as the Wolf Creek Nuclear Operating Corporation said the attacks did not impact operations systems and plant-facing networks were separate from those used to access the internet, both the widespread nature of the attack and its high success rate beg the question: What happens when cybercriminals bridge the gap?

A Growing Concern?

Once considered beyond the reach of malware attacks, supervisory control and data acquisition (SCADA) and ICS technologies are now under threat from a growing list of malicious actors. Despite the best efforts of power companies to keep internal and external networks separate, the simple fact that humans are required to maintain plant operations, troubleshoot technical issues and hire new staff creates an effective point of contact for cybercriminals.

Consider the impact of Industroyer, which is an ICS/SCADA-targeting malware that infects corporate devices. It then relays commands to switches and circuit breakers using four common industry standards, potentially disrupting energy grids across entire cities or countries.

The malware has already been deployed in several attacks across Ukraine, Bleeping Computer reported. The campaign was most likely a test to see how this code performed in the wild. While attackers had limited success, there’s no doubt they’ll try again.

An Ideal Environment for Cybercrime

The fusion of traditionally air-gapped SCADA networks with internet-facing corporate systems creates the ideal environment for cybercriminals. Methods that work outside the power control industry, such as malicious Word docs, compromised websites and man-in-the-middle (MitM) attacks, perform just as well inside when threat actors take the time to craft believable fake resumes or infect legitimate websites used by industrial control engineers.

So far, cybercriminals have only tested the edges of nuclear defenses, but this is reconnaissance, not reticence. Expect an increase in attack frequency and severity until security professionals find a way to effectively shut down cybercrime or malicious actors manage to trigger a malware meltdown.
