July 10, 2017 By Douglas Bonderud

On a list of worst-case cybercrime scenarios, the compromise of U.S. nuclear power plants easily takes the top spot. If attackers gain access to critical systems, anything from industrial espionage to full-scale disaster is possible.

Until now, this idea fell firmly into the realm of fiction. But according to The New York Times, a report confirmed by security specialists showed that cybercriminals have been busily breaching nuclear plant defenses since May. Is a malware meltdown imminent?

Finding Targets Within Nuclear Power Plants

Security experts aren’t sure exactly what threat actors were looking for, since they’ve been unable to analyze the full malware payload, the article explained. At least part of the fraudsters’ efforts focused on mapping out computer networks for future attacks.

It appears that the schemes fall into the advanced persistent threat (APT) category, which means they’re carried out by well-supplied groups with sophisticated skills and tools. Two people familiar with the investigation said the attacks mimicked those used by the Russia-based Energetic Bear cybergang, which has previously targeted energy companies.

John Keeley, of the Nuclear Energy Institute, noted that all nuclear power plants and facilities are required to report any threats to their “safety, security and operations.” This recent report came with an urgent amber warning, which ranks second-highest in the threat hierarchy.

Fraudsters were able to compromise nuclear networks using three common techniques: malware-laced Word documents, compromised websites and watering hole attacks. By composing highly detailed emails containing fake resumes and loaded with malware, the threat actors were able to pique the interest of senior industrial control engineers and gain access to a wide range of industrial control systems (ICS).
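A mail-gateway triage check for the first of those vectors, the malware-laced Word document, as an added example that is not part of the original article. It inspects an OOXML attachment for a VBA project, embedded OLE objects and external (remote) relationship targets; the sample documents are constructed inline and `build_docx` is a helper written for this example, not a real gateway API.

```python
import io
import re
import zipfile
from typing import List, Optional

# Constructed sample attachments (not from the article): a plain resume and one that
# carries a VBA project plus a remote template reference.
def build_docx(with_macro: bool = False, external_template: Optional[str] = None) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = "<Relationships>"
        if external_template:
            rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                     'officeDocument/2006/relationships/attachedTemplate" '
                     f'Target="{external_template}" TargetMode="External"/>')
        rels += "</Relationships>"
        z.writestr("word/_rels/settings.xml.rels", rels)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real project
    return buf.getvalue()

def triage_word_attachment(data: bytes) -> List[str]:
    """Return findings that justify holding a Word attachment for analysis (empty list = nothing found)."""
    findings: List[str] = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc or a non-Office file renamed to .docx: hand off to a sandbox instead.
        return ["not an OOXML container (legacy binary .doc or non-Office file)"]
    names = z.namelist()
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("contains a VBA project (macro-enabled document)")
    if any(n.startswith("word/embeddings/") for n in names):
        findings.append("contains embedded OLE objects")
    for n in names:
        if not n.endswith(".rels"):
            continue
        xml = z.read(n).decode("utf-8", "replace")
        for rel in re.findall(r"<Relationship\b[^>]*>", xml):
            # External relationships (remote templates, linked objects) can pull code at open time.
            if 'TargetMode="External"' in rel:
                target = re.search(r'Target="([^"]*)"', rel)
                if target and re.match(r"(?i)https?://|file:|\\\\", target.group(1)):
                    findings.append(f"external relationship to {target.group(1)} in {n}")
    return findings
```

A non-empty result is a reason to quarantine and route the message to analysts, not a verdict; plenty of legitimate HR documents carry macros, so the gateway policy decides what to do with each finding.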

While facilities such as the Wolf Creek Nuclear Operating Corporation said the attacks did not impact operations systems and plant-facing networks were separate from those used to access the internet, both the widespread nature of the attack and its high success rate beg the question: What happens when cybercriminals bridge the gap?

A Growing Concern?

Once considered beyond the reach of malware attacks, supervisory control and data acquisition (SCADA) and ICS technologies are now under threat from a growing list of malicious actors. Despite the best efforts of power companies to keep internal and external networks separate, the simple fact that humans are required to maintain plant operations, troubleshoot technical issues and hire new staff creates an effective point of contact for cybercriminals.

Consider the impact of Industroyer, which is an ICS/SCADA-targeting malware that infects corporate devices. It then relays commands to switches and circuit breakers using four common industry standards, potentially disrupting energy grids across entire cities or countries.

The malware has already been deployed in several attacks across Ukraine, Bleeping Computer reported. The campaign was most likely a test to see how this code performed in the wild. While attackers had limited success, there’s no doubt they’ll try again.

An Ideal Environment for Cybercrime

The fusion of traditionally air-gapped SCADA networks with internet-facing corporate systems creates the ideal environment for cybercriminals. Methods that work outside the power control industry, such as malicious Word docs, compromised websites and man-in-the-middle (MitM) attacks, perform just as well inside when threat actors take the time to craft believable fake resumes or infect legitimate websites used by industrial control engineers.

So far, cybercriminals have only tested the edges of nuclear defenses, but this is reconnaissance, not reticence. Expect an increase in attack frequency and severity until security professionals find a way to effectively shut down cybercrime or malicious actors manage to trigger a malware meltdown.
