The strange phone calls trickled into the undisclosed NRG Energy Inc. plant over two days in mid-March.
Four separate people -- three men and one woman -- called NRG personnel in two departments seeking access to personal computer passwords and IP addresses. They likely claimed to be from tech support, but their true identities and whereabouts are unknown.
NRG employees didn't fall for it. The nation's biggest competitive electricity producer reports that no one gave out any sensitive information despite the callers' best efforts, and there were "no other unusual cyber attempts to access the PCs."
Nevertheless, the incident prompted the energy giant to file an electric disturbance report with the Department of Energy. In NRG's filings, obtained by EnergyWire via a Freedom of Information Act request, the company categorized the emergency as a "cyber event." No generation was affected.
Such simple attempts to gain unauthorized network access seem quaint in today's age of advanced cyberweapons and computer-savvy gangs of hackers.
But why bother combing through zeros and ones when a cold call often does the trick?
"We need to realize that some of our adversaries out there are very smart -- but many of them are not," said Amichai Shulman, co-founder and chief technology officer of the cybersecurity firm Imperva. "Some of them read the same articles that we all do and figure, 'Why not call and ask for the password? It might work.'"
The callers targeting NRG could have been pranksters, or they could have been part of a nation-state's efforts to access U.S. critical infrastructure. (An NRG spokesman would not comment on the specifics surrounding the March 19 episode.)
Whoever they were, the attackers would have had a much better chance at breaking into NRG's computers if they had done some homework. Targeted calls can work best when paired with "spear phishing," or tailor-made malicious emails.
"Have you opened that attachment I just sent to your email?" an attacker's phone elicitation might go.
Employees at critical energy companies, from electric utilities to oil and gas producers, may encounter Word documents or Excel spreadsheets with computer viruses tucked inside.
Government workers aren't immune, either. A Dec. 30, 2013, report from the Nuclear Regulatory Commission's Office of Inspector General described an unknown hacker's bid to persuade an NRC employee to open a corrupted PDF file containing a Trojan back door. The regulator also reported being hit with "several" other incidents of "targeted spear phishing," although it said that no compromise occurred from the campaign and that an "investigation was able to track the sender to a foreign country."
In a separate case last year, an NRC employee's personal email account was hacked and used to send malicious messages to other workers at the agency, according to the OIG report, obtained via a Freedom of Information Act request.
"Only one of the 16 NRC employees who received the malicious e-mail opened the e-mail and attachment and became infected, which caused that one employee's computer to be replaced," NRC spokesman Scott Burnell said in an email.
The NRC case raises an important question, given that the malicious files would have appeared to come from a trusted colleague: How far should people go to guard their organizations from potential threats?
"If you're talking about a targeted attack, how would you expect someone to be able to detect a well-crafted email with a very organizational, specific context and so on?" said Shulman of Imperva. "My HR guys, they always receive [emailed] CVs from people all around -- do I want them to just reject them and not look into them? No; I employ them in order to find opportunities."
Shulman acknowledged that he has higher expectations for CEO-level types, and for people in the business of keeping networks clean. Redwood Shores, Calif.-based Imperva, for its part, emphasizes database security and helps companies detect abusive access patterns.
But "human beings who constantly look over their shoulder, we have a name for them," he said. "Paranoid."
Some see good reason for a healthy dose of concern, if not paranoia, over "social engineering" -- a catchall term for efforts to get people to act outside their best interests.
It's an old-school technique that's startlingly effective in the 21st century.
Christopher Hadnagy, chief human hacker at the security firm Social-Engineer Inc., estimates his company succeeds in 70 to 77 percent of attempts to persuade employees to share data they shouldn't, from passwords to Social Security numbers.
"It depends on the type of information that the attacker is going for," Hadnagy said. "If I want access to your network, I'm probably going to go with a phishing email or a USB drive. If I want data collection, I'm going to use a phone call or a phishing email with malware attached."
Hadnagy's clients hire him to try to break into their networks by duping their employees.
He has even turned social engineering into a (carefully monitored) game at the annual Def Con hacking conference in Las Vegas. About 20 people compete each year to cold-call companies and gather points by shaking sensitive data from unsuspecting employees, or by getting personnel to perform certain actions like visiting a specific URL.
This year, the winning team gathered the most "flags" from Home Depot. Weeks later, the retailer was found to have leaked millions of customers' credit and debit card numbers in an unrelated data breach.
Hadnagy said his "Social Engineering Capture the Flag" contest steers clear of financial companies, health care providers, critical infrastructure operators or other potentially sensitive targets.
But the bad guys don't exercise the same discretion, he said.
"Nuclear power is one of those sectors that are constantly targeted with spear phishing," Hadnagy said, noting that he has worked with several companies in the industry. "When we look at something that can cause this level of damage and maybe even death, these [attackers] are the types of groups that control terrorism, nation-states or crime organizations."
Keeping it clean
Cybersecurity is often described as an uphill battle: Defenders must be constantly vigilant, while attackers need only to find a lone weak point.
Yet viewing employees as vulnerabilities isn't the right approach for any organization, according to Jane Holl Lute, president and CEO of the Council on CyberSecurity and former deputy secretary of the Department of Homeland Security.
"We have a highly engaged, highly educated, switched-on and alert workforce in this country," she said. "Sure, people are going to make mistakes ... [but] none of us wants to be the dope who allows whatever into the system because we made a pretty avoidable mistake."
Lute is a proponent of cyber hygiene, the digitized equivalent of washing your hands regularly. The council has helped assemble a list of 20 "critical controls" for securing networks, including training personnel and conducting "red team" exercises to put defenses to the test.
The council has even pared those 20 tips down to five basic actions that are easily sharable and can address the most pervasive attacks.
"It may be a jungle out there, but we actually know a lot about the jungle, and we know a lot about the most important things to do to keep yourself safe," Lute said, citing the "predictability" of many well-known attacks.
But it's up to bosses to carve out the time to train their employees on the basics. NRG spokesman David Knox said that "we do train our employees to handle a variety of contingencies that could happen at our plants and offices." The NRC also hosts mandatory annual computer security training for its employees, agency spokesman Burnell noted.
"Are the bad guys using social engineering? Sure. Does that make them really smart? No," Lute said. "And does it make our folks dumb because they're falling into traps? No. We can close that gap."