The U.S. Nuclear Regulatory Commission (NRC) was "successfully hacked" at least three times in the past few years, with two of the data breaches conducted by hackers overseas, according to records. One breach took place through a phishing email sent to more than 200 NRC employees in a successful attempt to harvest logon credentials. At least 12 employees opened an enclosed link in the email, indicating there is still work to be done to better educate employees against opening suspicious emails.
A different attack also used a phishing email, which redirected employees to malware spread via Microsoft SkyDrive, with "one incident of compromise and the investigation tracked the sender to a foreign country."
"The few attempts documented in the OIG Cyber Crimes Unit report as gaining some access to NRC networks were detected and appropriate measures were taken," said David McIntyre, NRC spokesman, in a statement to the media.
Whatever type of malware or other attack follows from a phishing email, employers are struggling to teach employees how to avoid increasingly clever social engineering techniques launched by cybercriminals.