Ten days after IT administrators cut off Internet access at a federal research facility in Tennessee after a successful spear phishing attack, the laboratory remains disconnected.
Administrators shut down the e-mail server and all Internet access at the Oak Ridge National Laboratory on April 15 after discovering several systems had been infected with malicious code. The IT department had already detected the malware on a system earlier in the week after the employee had clicked on a link in a malicious e-mail. After discovering several systems were infected and that the malware had tried to transfer some data, the administrators pulled the plug as a preventive measure.
Internet access may be restored by the end of the week, according to Barbara Penland, the deputy director of communications at Oak Ridge. E-mail was restored April 19, but attachments are automatically blocked.
The public Web site ornl.gov remains online because it's on a different network, but not all the facility's sites are currently accessible. Even without Internet access, the laboratory is functioning "fairly well," according to Penland. Employees needing Internet access have to work outside the facility, and remote access to the Oak Ridge network remains disabled. Outside contractors also do not have access to the laboratory systems.
"We're being cautious, since the whole purpose of the malware is to exfiltrate data," Penland told Government Computer News. "We want to be completely sure before we get the Internet back up that it has been completely eradicated."
More than 500 employees at the laboratory received phishing e-mails on April 7 masquerading as a message from the benefits department. The message tricked several users into clicking on the link for more information.
The malware managed to compromise a system that housed non-sensitive data and a list of past and present projects conducted at the facility. The information allows personnel to look up information about the organizations working with the laboratory or an existing project. However, the targeted system was not connected to any databases containing classified or sensitive information or any of the supercomputers.
Oak Ridge is funded by the Department of Energy. Penland confirmed that a number of other Energy laboratories and agencies had been recently targeted by similar attacks.