July 10, 2017 By Douglas Bonderud 2 min read

On a list of worst-case cybercrime scenarios, the compromise of U.S. nuclear power plants easily takes the top spot. If attackers gain access to critical systems, anything from industrial espionage to full-scale disaster is possible.

Until now, this idea has been discussed mostly as a hypothetical. But according to The New York Times, a government report whose findings were confirmed by security specialists showed that attackers have been probing the networks of U.S. nuclear plant operators since May. Is a malware meltdown imminent?

Finding Targets Within Nuclear Power Plants

Security experts aren’t sure exactly what the threat actors were looking for, since they’ve been unable to analyze the full malware payload, the article explained. At least part of the attackers’ effort focused on mapping out computer networks for future attacks.

It appears that the schemes fall into the advanced persistent threat (APT) category, which means they’re carried out by well-supplied groups with sophisticated skills and tools. Two people familiar with the investigation said the attacks mimicked those used by the Russia-based Energetic Bear cybergang, which has previously targeted energy companies.

John Keeley, of the Nuclear Energy Institute, noted that all nuclear power plants and facilities are required to report any threats to their “safety, security and operations.” This recent report carried an urgent amber warning, the second-highest level on the scale the report uses to rate the sensitivity of a threat.

Attackers compromised the corporate networks of nuclear operators using three common techniques: malware-laced Word documents, watering hole attacks on compromised websites and man-in-the-middle (MitM) attacks. By composing highly detailed emails containing fake resumes loaded with malware, the threat actors were able to pique the interest of senior industrial control engineers, the people who hold access to a wide range of industrial control systems (ICS).
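The resume lure above is a Word document, and a mail gateway can screen such attachments before they reach an engineer’s inbox. The following Python is an added example, not code from this page or from any party it describes: it inspects a .docx container for a VBA project, for embedded OLE objects and for an attached template that Word would fetch from a remote address on open (a wider net than the macro-laced documents the page mentions). The sample document is constructed in memory, and the hostname template.example is a placeholder.

```python
import io
import re
import zipfile

# Relationship type Word uses for an attached (.dot/.dotm) template. When its
# TargetMode is "External", Word fetches the template from that URL on open.
ATTACHED_TEMPLATE_RE = re.compile(
    r'<Relationship\b[^>]*\bType="[^"]*/attachedTemplate"[^>]*/?>', re.I)
TARGET_RE = re.compile(r'\bTarget="([^"]*)"', re.I)
EXTERNAL_RE = re.compile(r'\bTargetMode="External"', re.I)


def inspect_docx(data: bytes) -> dict:
    """Return the indicators found in a .docx/.docm byte string.

    Checked:
      macros             - word/vbaProject.bin present (document carries VBA)
      embedded_objects   - word/embeddings/* (OLE or packaged objects)
      external_templates - attached template relationships pointing off-host
    """
    findings = {"macros": False, "embedded_objects": [], "external_templates": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not an OOXML zip container"
        return findings
    with zf:
        names = zf.namelist()
        findings["macros"] = any(n.lower() == "word/vbaproject.bin" for n in names)
        findings["embedded_objects"] = [
            n for n in names if n.lower().startswith("word/embeddings/")]
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in ATTACHED_TEMPLATE_RE.findall(xml):
                target = TARGET_RE.search(rel)
                if EXTERNAL_RE.search(rel) and target:
                    findings["external_templates"].append(target.group(1))
    return findings


def is_suspicious(findings: dict) -> bool:
    """A resume has no business carrying macros, OLE payloads or a remote template."""
    return bool(findings.get("error") or findings["macros"]
                or findings["embedded_objects"] or findings["external_templates"])


def build_sample(with_macros: bool, external_template: bool) -> bytes:
    """Constructed minimal .docx for the demonstration; not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        if with_macros:
            # OLE compound-file magic only; there is no actual VBA in this sample.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
        if external_template:
            # template.example is a placeholder host, not a real address.
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/attachedTemplate" '
                'Target="http://template.example/resume.dotm" TargetMode="External"/>'
                '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False, False)),
                       ("macro", build_sample(True, False)),
                       ("remote template", build_sample(False, True))):
        f = inspect_docx(doc)
        print(f"{label:16} suspicious={is_suspicious(f)} {f}")
```

The container check is deliberately structural rather than signature-based: it does not try to decide whether the macro or template is malicious, only whether a document claiming to be a resume needs those features at all, which is the question a gateway can answer without a sandbox.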

While facilities such as the Wolf Creek Nuclear Operating Corporation said the attacks did not affect operational systems, because the plant-facing control networks are kept separate from the corporate networks that reach the internet, both the breadth of the campaign and its high success rate raise the question: What happens when attackers bridge the gap?

A Growing Concern?

Once considered beyond the reach of malware attacks, supervisory control and data acquisition (SCADA) and ICS technologies are now under threat from a growing list of malicious actors. Despite the best efforts of power companies to keep internal and external networks separate, the simple fact that humans are required to maintain plant operations, troubleshoot technical issues and hire new staff creates an effective point of contact for cybercriminals.

Consider the impact of Industroyer, an ICS/SCADA-targeting malware that first establishes itself on Windows machines inside the target network. From there it issues commands directly to switches and circuit breakers using four common industry protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), potentially disrupting energy grids across entire cities or countries.

The malware has already been deployed in several attacks across Ukraine, Bleeping Computer reported. The campaign was most likely a test to see how this code performed in the wild. While attackers had limited success, there’s no doubt they’ll try again.
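What makes Industroyer dangerous is that it speaks the substation protocols natively, so a breaker command it sends looks exactly like one from an operator’s workstation unless the monitoring knows which hosts are allowed to issue commands at all. The following Python is an added example, not code from this page, from ESET or from any party the page describes: it parses IEC 60870-5-104 frames, decodes the single and double command ASDUs used to open and close breakers, and flags any such command coming from a host outside an allow-list of known SCADA masters. The traffic, IP addresses and station addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

START_BYTE = 0x68
COT_ACTIVATION = 6

# Control-direction (master -> outstation) process commands, IEC 60870-5-101/104 type IDs.
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalized)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}


@dataclass
class Asdu:
    type_id: int
    cot: int          # cause of transmission, low 6 bits of the COT byte
    common_addr: int  # station address (2 bytes in 104)
    ioa: int          # information object address (3 bytes in 104)
    element: int      # first byte of the information element (SCO/DCO/...)


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Parse one IEC 104 APDU. Returns the ASDU of an I-format frame, None for S/U frames."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if frame[1] + 2 != len(frame):
        raise ValueError("APDU length field does not match frame length")
    if frame[2] & 0x01:          # bit 0 of the control field set: S- or U-format, no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 10:           # type, VSQ, COT(2), CA(2), IOA(3), one element byte
        raise ValueError("ASDU too short")
    return Asdu(
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,
        common_addr=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        element=asdu[9],
    )


def describe_command(a: Asdu) -> str:
    """Decode the switching intent of a single/double command."""
    if a.type_id in (45, 58):
        state = "ON" if a.element & 0x01 else "OFF"                   # SCS bit
    elif a.type_id in (46, 59):
        state = {1: "OFF", 2: "ON"}.get(a.element & 0x03, "invalid")  # DCS field
    else:
        state = "n/a"
    phase = "select" if a.element & 0x80 else "execute"               # S/E bit
    return f"{COMMAND_TYPES[a.type_id]} -> {state} ({phase})"


def audit(frames: Iterable[Tuple[str, bytes]], allowed_masters: Set[str]) -> List[str]:
    """Flag process commands sent by hosts that are not known SCADA masters."""
    alerts = []
    for src, raw in frames:
        asdu = parse_apdu(raw)
        if asdu is None or asdu.type_id not in COMMAND_TYPES or src in allowed_masters:
            continue
        alerts.append(f"{src}: {describe_command(asdu)} to station {asdu.common_addr} "
                      f"IOA {asdu.ioa}, COT {asdu.cot}")
    return alerts


def build_i_frame(type_id: int, cot: int, common_addr: int, ioa: int,
                  element: bytes, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Assemble an I-format APDU carrying a single information object (test traffic)."""
    ctrl = bytes([(send_seq << 1) & 0xFE, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFE, (recv_seq >> 7) & 0xFF])
    asdu = bytes([type_id, 0x01, cot, 0x00, common_addr & 0xFF, common_addr >> 8,
                  ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF]) + element
    body = ctrl + asdu
    return bytes([START_BYTE, len(body)]) + body


# Constructed traffic; hosts and addresses are invented for the demonstration.
ALLOWED_MASTERS = {"10.10.1.5"}
SAMPLE_TRAFFIC = [
    ("10.10.1.20", build_i_frame(1, 3, 1, 0x0100, b"\x01")),               # RTU: spontaneous single-point
    ("10.10.1.5", build_i_frame(45, COT_ACTIVATION, 1, 0x2000, b"\x01")),   # master: single cmd ON, execute
    ("10.10.9.77", bytes([START_BYTE, 4, 0x01, 0x00, 0x02, 0x00])),         # stray host: S-format ack
    ("10.10.9.77", build_i_frame(46, COT_ACTIVATION, 1, 0x2001, b"\x01")),  # stray host: double cmd OFF
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC, ALLOWED_MASTERS):
        print("ALERT", line)
```

The allow-list is the whole detection: IEC 104 carries no authentication, so the protocol itself offers nothing to distinguish Industroyer from the HMI, and the source host is the only signal left. In a real deployment the frames would come from a span port or a PCAP rather than a constructed list, and an alert on a breaker-open command from an unexpected host should be treated as an incident, not a log line.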

An Ideal Environment for Cybercrime

The fusion of traditionally air-gapped SCADA networks with internet-facing corporate systems creates the ideal environment for cybercriminals. Methods that work outside the power industry, such as malicious Word docs, compromised websites and man-in-the-middle (MitM) attacks, perform just as well inside it when threat actors take the time to craft believable fake resumes or infect legitimate websites frequented by industrial control engineers.

So far, cybercriminals have only tested the edges of nuclear defenses, but this is reconnaissance, not reticence. Expect an increase in attack frequency and severity until security professionals find a way to effectively shut down cybercrime or malicious actors manage to trigger a malware meltdown.
