Top Federal Lab Hacked in Spear-Phishing Attack

April 21, 2011
Cyber Security, FedCyber Wire

via Wired

The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

Only a “few megabytes” of data were stolen before the lab discovered the breach and cut internet access to prevent further exfiltration from the sensitive government facility, according to Thomas Zacharia, deputy director of the lab.

The lab, which is located in Tennessee and conducts classified and unclassified energy and national security work for the federal government, is funded by the U.S. Department of Energy and is managed by UT-Battelle, a private company formed by the University of Tennessee and Battelle Memorial Institute. The lab’s science and technology research includes work on nuclear nonproliferation and isotope production. The lab, ironically, also does cybersecurity research focusing on, among other things, researching malware and vulnerabilities in software and hardware as well as phishing attacks.

“One of our core competencies at the lab is cybersecurity research,” Zacharia said.

Zacharia called the attack against the lab “sophisticated” and compared it to so-called “advanced persistent threat” attacks that hit security firm RSA last month and Google last year.

The attacker used an Internet Explorer zero-day vulnerability that Microsoft patched on April 12 to breach the lab’s network. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user’s machine if he or she visits a malicious web site.

According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.
