According to a NextGov exclusive, computers at the US Nuclear Regulatory Commission have been breached by foreign hackers at least twice in the last three years. The news comes from an official report from the Inspector General's Cyber Crime Unit, which led the investigation. In the first breach, the tactic was a simple phishing scheme, sending an email to multiple employees asking them to fill out Google doc with their login information. A dozen employees clicked on the link, although it's still unclear how many actually filled out the form. Later, an NRC employee's personal email was hacked and used to send malware-laden PDFs to 16 different employees.
It's still unclear which country originated the attacks, and whether the attackers were acting independently or as a part of a larger state action. It's also unclear how far the attackers got. The IG report doesn't mention any actions after the initial login-harvesting emails, but it's possible subsequent attacks went undetected. Speaking to NextGov, NRC commissioner David McIntyre said the ultimate fallout was minimal, and that the attacks "were detected and appropriate measures were taken."