Antone Gonsalves at CSO reported something that worries me, and this SHOULD NOT BE at this day and age.
"Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three foreign-based phishing attacks that occurred over a three-year period. The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.
The NRC's job is to ensure that the nation's nuclear power industry is following federal safety regulations. Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Gintner, vice president of industrial security at Waterfall Security Solutions, said.
In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.
A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers' systems and changed their credentials, a commission spokesman told Nextgov.
In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from Skydrive, Microsoft's file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.
Both of the attacks originated from foreign countries that were not identified. In the third incident, the attacker hacked an employee's email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer. Whether the
attack was from a foreign country was not known.
The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said. During the 2013 fiscal year, U.S. government agencies reported 46,160 "cyber-incidents" in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.
Security Awareness Training anyone? PLEASE?
There is more to this story, so continue to read here: http://www.csoonline.com/article/2466725/physical-security/workers-at-u-s-nuclear-regulator-fooled-by-phishers.html