Computers within the United States’ primary regulator for commercial nuclear power plants were successfully attacked three times in three years by at least two different hacking groups.

Nuclear Regulatory Commission computers were infiltrated twice by foreigner attackers, and once by an unidentifiable individual, but both using recognizable tools: two attacks traced back to Google spreadsheet users to harvest credentials and malware hosted in Microsoft’s One Drive.

nrc

The NRC, which regulates the safe use of commercial nuclear energy, was hacked three times in three years. In this photo, NRC Commissioner William Magwood visits (center) the Fukushima Daiichi Site. Also pictured are NRC staffers Robert Krsek, Eric Stahl, and Kirk Foggie (Image source: NRC via Flickr)

Through a Freedom of Information Act request, NextGov discovered NRC personnel were baited with phishing emails asking for verification of user accounts by clicking a link and logging in. The link really took victims to “a cloud-based Google spreadsheet.”

In one specific incident, emails were sent to roughly 215 NRC employees in “a logon-credential harvesting attempt,” and surprisingly, a dozen workers actually fell for it.

The third compromise was slightly more complex, according to NetWorld. A hacker was able to break into an NRC employee’s personal email, and used it to send a malicious PDF attachment to 16 other NRC workers in the contact list. The PDF contained a JavaScript vulnerability; just one person opened it and was compromised.

When investigators attempted to trace the origins of this attack, the ISP said it “had no log records for that date” as the “logs had been destroyed.”

The NRC’s Inspector General Cyber Crime Unit report said the commission was able to quickly clean and reset the users accounts, and was able to track the Google spreadsheet hack to a person in a foreign country, but it doesn’t go as far as to name the nation.

“The NRC’s computer security office detects and thwarts the vast majority of such attempts, through a strong firewall and reporting by NRC employees,” said NRC spokesman David McIntyre. “The few attempts documented in the OIG cyber crimes unit report as gaining some access to NRC networks were detected and appropriate measures were taken.”

But why hack the Nuclear Regulatory Commission, and not the power plants directly? NextGov reported:

“As the overseer of the U.S. nuclear power industry, NRC maintains records of value to overseas aggressors, including databases detailing the location and condition of nuclear reactors. Plants that handle weapons-grade materials submit information about their inventories to one such system, according to a 2000 IG report on efforts to protect critical infrastructure systems.”

The U.S. Nuclear Regulatory Commission was created in 1974 as an independent agency by Congress to ensure the safe use of radioactive materials “for beneficial civilian purposes while protecting people and the environment,” according to the NRC site.  The commission regulates commercial nuclear power plants and other uses of nuclear materials, such as in nuclear medicine, through licensing, inspection and enforcement of its requirements.

Follow Elizabeth Kreft (@elizabethakreft) on Twitter.