July 10, 2017 By Douglas Bonderud 2 min read

On a list of worst-case cybercrime scenarios, the compromise of U.S. nuclear power plants easily takes the top spot. If attackers gain access to critical systems, anything from industrial espionage to full-scale disaster is possible.

Until now, this idea fell firmly into the realm of fiction. But according to the The New York Times, a report confirmed by security specialists showed that cybercriminals have been busily breaching nuclear plant defenses since May. Is a malware meltdown imminent?

Finding Targets Within Nuclear Power Plants

Security experts aren’t sure exactly what threat actors were looking for, since they’ve been unable to analyze the full malware payload, the article explained. At least part of the fraudsters’ efforts focused on mapping out computer networks for future attacks.

It appears that the schemes fall into the advanced persistent threat (APT) category, which means they’re carried out by well-supplied groups with sophisticated skills and tools. Two people familiar with the investigation said the attacks mimicked those used by the Russia-based Energetic Bear cybergang, which has previously targeted energy companies.

John Keeley, of the Nuclear Energy Institute, noted that all nuclear power plants and facilities are required to report any threats to their “safety, security and operations.” This recent report came with an urgent amber warning, which ranks second-highest in the threat hierarchy.

Fraudsters were able to compromise nuclear networks using three common techniques: malware-laced Word documents, compromised websites and watering hole attacks. By composing highly detailed emails containing fake resumes and loaded with malware, the threat actors were able to pique the interest of senior industrial control engineers and gain access to a wide range of industrial control systems (ICS).

While facilities such as the Wolf Creek Nuclear Operating Corporation said the attacks did not impact operations systems and plant-facing networks were separate from those used to access the internet, both the widespread nature of the attack and its high success rate beg the question: What happens when cybercriminals bridge the gap?

A Growing Concern?

Once considered beyond the reach of malware attacks, supervisory control and data acquisition (SCADA) and ICS technologies are now under threat from a growing list of malicious actors. Despite the best efforts of power companies to keep internal and external networks separate, the simple fact that humans are required to maintain plant operations, troubleshoot technical issues and hire new staff creates an effective point of contact for cybercriminals.

Consider the impact of Industroyer, which is an ICS/SCADA-targeting malware that infects corporate devices. It then relays commands to switches and circuit breakers using four common industry standards, potentially disrupting energy grids across entire cities or countries.

The malware has already been deployed in several attacks across Ukraine, Bleeping Computer reported. The campaign was most likely a test to see how this code performed in the wild. While attackers had limited success, there’s no doubt they’ll try again.

An Ideal Environment for Cybercrime

The fusion of traditionally air-gapped SCADA networks with internet-facing corporate systems creates the ideal environment for cybercriminals. Methods that work outside the power control industry, such as malicious Word docs, compromised websites and man-in-the-middle (MitM) attacks, perform just as well inside when threat actors take the time to craft believable fake resumes or infect legitimate websites used by industrial control engineers.

So far, cybercriminals have only tested the edges of nuclear defenses, but this is reconnaissance, not reticence. Expect an increase in attack frequency and severity until security professionals find a way to effectively shut down cybercrime or malicious actors manage to trigger a malware meltdown.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today