Federal Lab Hit by Spear Phishing Attack


(WEB HOST INDUSTRY REVIEW) - Tennessee-based Oak Ridge National Laboratory (www.ornl.gov) was hit with a spear phishing attack Friday, forcing the federal data center to cut Internet access for employees, according to a report by Wired.

The federal government lab said the cybercriminals only managed to steal a “few megabytes” of information before it realized that the data was being transferred from a server. As of Tuesday, the lab could not say what the stolen data actually entailed.

It immediately disconnected Internet access to stop the criminals from stealing any more sensitive data from the facility, said Oak Ridge National Laboratory deputy director Thomas Zacharia.

Funded by the US Department of Energy and managed by UT-Battelle, the lab performs energy and national security research for the US government.

Part of this research work includes studies on cybersecurity with a focus on software and hardware malware and flaws, as well as phishing attacks.

Zacharia said the phishing attack was “sophisticated” and comparable to last month’s “advanced persistent threat” attacks on RSA.

He said that the hacker used an Internet Explorer zero-day flaw, which Microsoft patched on April 12, to install malware on the computers of unsuspecting visitors when they visited the malicious website.

The spear-phishing email was sent from the human resources department to lab employees on April 7, said Zacharia.

The email included information about employee benefits, as well as a link to a web page that contained malware used to download more code to visitors’ computers.

The breach comes just a couple weeks after online marketing firm Epsilon was hit by a similar spear phishing attack, potentially affecting millions of banking and retail customers.

Though the hackers initially had their targets set on the entire company, they were only successful in uploading malware to two computers, said Zacharia.

He said that while 530 of its 5,000 employees received the email, only 57 of them actually clicked on the link. Out of this number, only two computers were then infected with the malware.

Lab administrators discovered the server breach on April 11 when they noticed that data was leaving its servers.

Though employees had patched up the infected servers, Zacharia said that “a number of other servers suddenly [went] active with the malware” on early Friday evening.

The malware had remained dormant for a week before it became active again on the servers. The lab immediately blocked Internet access once it discovered this. As Zacharia explained, the malware was designed to erase itself automatically if an attempt to compromise a machine failed.

This is the second time the lab has been hit with a spear phishing attack, following a similar attack in 2007 in which the facility experienced a breach of its nonclassified database that resulted in hackers stealing thousands of names, Social Security numbers and birth dates.

As of Tuesday afternoon, lab employees are able to use email, but are being ordered not to send or receive attachments.
