The Department of Energy‘s largest science and research lab in Tennessee is still recovering from a sophisticated attack from hackers intent on stealing information from the lab in early April.
The attack left the lab in a communications limbo for two days as technicians dealt with its aftermath.“Most of the staff are back up, and the business functions are performing as usual,” said Barbara Penland, the Oak Ridge National Laboratory‘s director of communications. “But as you can imagine, when we were trying to get everything back up in a hurry, there were some shortcuts taken, and now the IT folks are rebuilding things in the background, and building some things that will make us more secure.”
Though no classified information was accessed, and none of the lab’s critical infrastructure, such as its supercomputers were breached, the attack is noteworthy because it was clearly an attempt to steal information from a facility that is at the heart of America’s materials, national security and energy research.
In addition to energy, scientists at Oak Ridge National Laboratory conduct groundbreaking research into computing, green technologies, physics and nanotechnology, among other things.
The attack also illustrates how multi-faceted the issue of cybersecurity can be – something that the Obama Administration has addressed in the past week with major announcements about its revamped approach to the issue both domestically and internationally.
To deal with the attack, Oak Ridge lab’s technicians had shut down access to its e-mail systems and some of its servers for more than 48 hours. They found that it was an attack that relied on a combination of social engineering and an unknown security hole in Microsoft’s Internet Explorer browser.
“It was specifically targeted at the lab,” Penland said. “The folks who did this they target large companies of different types based on the information they try to steal. So it’s understandable that we are a target.
“We actually realize that we are a target on an ongoing basis — there are a lot of attacks, literally daily, and so that gives you an idea of how sophisticated this one was to be able to get in.”
Oak Ridge was also the target of a 2007 phishing scam that gave hackers access to more than a decade’s worth of personal information on lab visitors.
While the attackers are not known, the operation resembles an Advanced Persistent Threat Attack.
The characteristics of the this latest attack also appear similar to those used in the widely-publicized SecurID phishing attack, which compromised the computer security company RSA’s widely-used product.
In the RSA attack, a malicious Flash object in a scam Excel file was used to infect recipients’ computers with malicious computer code.
A 2009 report from the U.S.-China Economic and Security Review Commission suggested that the Chinese government is covertly behind some of these kinds of intelligence gathering efforts by the seemingly rogue hackers.
The report said that these kinds of activities could be part of a larger ongoing information warfare initiative that seeks to cripple the opposite side’s key networks before any physical military action.
“China is likely using its maturing network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long-term, sophisticated computer network exploitation campaign,” wrote the report’s authors.
Penland declined to comment on who the lab suspects are behind the attacks, but noted that they used a similar attack against the security company RSA.
The computer hackers had sent phony e-mails that looked as if they were from Oak Ridge’s human resources department to more than 500 (about a tenth) of the lab’s staff. Some clicked on the attachment that came with the note.
The attachment exploited a flaw in Microsoft’s Internet Explorer browser to launch a piece of malicious code that quickly spread through the lab and enabled the hackers to mine the lab’s computer network for data.
The activity, known as “phishing,” led to the email shutdown on April 17 after lab technicians noticed unusual internet traffic that indicating that data was being mined from its servers.
For its part, Microsoft issued a security patch for the flaw in its Internet Explorer browser April 12.
“Microsoft is aware of reports of cyberattacks targeting the U.S. Department of Energy and, at the department’s request, is consulting with them on the issue,” said Jerry Bryant of Microsoft Trustworthy Computing unit.
Asked why the lab still uses Internet Explorer, which is widely exploited by hackers, Penland said that its large community of scientists need to use the browser to collborate with other scientists around the world.
“We use a wide variety of browsers,” she said. “The idea that we could close out any one browser is unrealistic, and would be very difficult.”