Multiple nuclear power plants in the U.S. have faced cyber attacks and experienced breaches over the last couple of months, according to recent reports from The New York Times and Bloomberg. The Department of Homeland Security and the FBI issued a joint report on the attacks, and the agencies also issued warnings about the attacks to utility companies on June 28th.

It is not yet clear who is responsible for the attacks, but sources suggested to Bloomberg that a foreign government, possibly Russia, is behind them. U.S. officials also told NBC News that they suspected Russia's involvement.

Although the attackers were able to compromise several computers, they did not penetrate to the control systems of the affected critical infrastructure facilities, per the Times.

The attackers also obtained credentials belonging to senior-level employees at some of the nuclear facilities.

Attacks Carried out via Document Malware

Document-based Malware attacks were the primary attack vector. The attackers sent carefully crafted phishing emails with malicious Microsoft Word attachments – specifically, fake resumes – to targeted senior-level employees. Once a recipient of these phishing emails opened the Word documents, their endpoints were compromised, and the attackers could steal the user's credentials.

Neither Bloomberg nor the Times has indicated precisely what kind of file-based exploit the attackers used. The Times reported that the Word documents were "laced with malicious code," which could mean that malicious macros or deceptive hyperlinks were used. Meanwhile, Newsweek described the attacks thusly: "When clicked, the resumes infected computers."

Regardless of exactly what attack methods were used, document-based attacks are nothing new; in fact, they are all too common. Even security-aware users (nuclear power plant employees tend to be highly aware of cyber security issues) may be fooled by well-crafted phishing emails with legitimate-seeming malicious attachments.

Organizations should take steps to prevent these kinds of document-based exploits.

How to Neutralize Document-Borne Malware Attacks

This incident exemplifies why organizations that may be subject to advanced security attacks need a strategy for Advanced Threat Protection.

Several solutions are touted by vendors for Advanced Threat protection, but we prefer the advanced threat prevention approach. Many of the solutions on the market, such as machine learning-based network data approaches or sandbox detonation, are after-the-fact detection and remediation products. Without even mentioning advanced sandbox evasion techniques or the difficulty of deploying those solutions, let's just compare them to our preferred approach, data sanitization or Content Disarm and Reconstruction (CDR), from the standpoint of prevention versus detection.

Any good security professional knows that detecting, or better yet blocking, a security hack, attack, or malware detonation earlier in its lifecycle has huge downstream benefits. This is why OPSWAT has invested heavily in adding data sanitization to our core Metadefender multi-scanning capabilities.

It's been clear for several years now that unknown or zero-day malware is on the rise. A common associated propagation method for such attacks is document-borne malware. Traditional static analysis methods of malware detection, such as antivirus, will often miss these attacks completely.

Enter data sanitization, or CDR as some analysts call the technology.

The data sanitization process disarms potentially malicious files by stripping exploitable content from the file, and then reconstructing it so that users can still open and use the file like normal. OPSWAT's data sanitization engines are capable of disarming and then reconstructing even complex files with all their original functionality intact.

Unlike sandboxes that only sample a portion of all network traffic coming into an organization and leave room for time-delayed or file parceling evasion, CDR works quickly enough to inspect every file coming through important enterprise communication channels, such as email systems or customer-facing portal applications.

As suggested above, OPSWAT recommends enterprises activate data sanitization/CDR through multiple data channels of files coming into or leaving an organization. For this reason, we've enabled the technology in our platform across multiple solutions that span email, web, REST APIs for web applications, and generally, all ICAP-enabled network devices. This is a key part of our multi-channel strategy for the secure data and device workflow that we believe organizations need today.

If you're interested in testing how well the technology works, try OPSWAT's data sanitization/CDR today by uploading a file at Metadefender.com – a sanitized version of the file will be generated for free.