July 10, 2017 By Douglas Bonderud

On a list of worst-case cybercrime scenarios, the compromise of U.S. nuclear power plants easily takes the top spot. If attackers gain access to critical systems, anything from industrial espionage to full-scale disaster is possible.

Until now, this idea fell firmly into the realm of fiction. But according to The New York Times, a report confirmed by security specialists showed that cybercriminals have been busily breaching nuclear plant defenses since May. Is a malware meltdown imminent?

Finding Targets Within Nuclear Power Plants

Security experts aren’t sure exactly what threat actors were looking for, since they’ve been unable to analyze the full malware payload, the article explained. At least part of the fraudsters’ efforts focused on mapping out computer networks for future attacks.

It appears that the schemes fall into the advanced persistent threat (APT) category, which means they’re carried out by well-supplied groups with sophisticated skills and tools. Two people familiar with the investigation said the attacks mimicked those used by the Russia-based Energetic Bear cybergang, which has previously targeted energy companies.

John Keeley, of the Nuclear Energy Institute, noted that all nuclear power plants and facilities are required to report any threats to their “safety, security and operations.” This recent report came with an urgent amber warning, which ranks second-highest in the threat hierarchy.

Fraudsters were able to compromise nuclear networks using three common techniques: malware-laced Word documents, compromised websites and watering hole attacks. By composing highly detailed emails containing fake resumes and loaded with malware, the threat actors were able to pique the interest of senior industrial control engineers and gain access to a wide range of industrial control systems (ICS).

While facilities such as the Wolf Creek Nuclear Operating Corporation said the attacks did not impact operations systems and that plant-facing networks were separate from those used to access the internet, both the widespread nature of the attack and its high success rate raise the question: What happens when cybercriminals bridge the gap?

A Growing Concern?

Once considered beyond the reach of malware attacks, supervisory control and data acquisition (SCADA) and ICS technologies are now under threat from a growing list of malicious actors. Despite the best efforts of power companies to keep internal and external networks separate, the simple fact that humans are required to maintain plant operations, troubleshoot technical issues and hire new staff creates an effective point of contact for cybercriminals.

Consider the impact of Industroyer, which is an ICS/SCADA-targeting malware that infects corporate devices. It then relays commands to switches and circuit breakers using four common industry standards, potentially disrupting energy grids across entire cities or countries.

The malware has already been deployed in several attacks across Ukraine, Bleeping Computer reported. The campaign was most likely a test to see how this code performed in the wild. While attackers had limited success, there’s no doubt they’ll try again.

An Ideal Environment for Cybercrime

The fusion of traditionally air-gapped SCADA networks with internet-facing corporate systems creates the ideal environment for cybercriminals. Methods that work outside the power control industry, such as malicious Word docs, compromised websites and man-in-the-middle (MitM) attacks, perform just as well inside when threat actors take the time to craft believable fake resumes or infect legitimate websites used by industrial control engineers.

So far, cybercriminals have only tested the edges of nuclear defenses, but this is reconnaissance, not reticence. Expect an increase in attack frequency and severity until security professionals find a way to effectively shut down cybercrime or malicious actors manage to trigger a malware meltdown.
