Federal research facility Oak Ridge National Laboratory shut down its Internet access and email systems after an IE exploit compromised the network.
After attackers compromised several machines at federal research facility Oak Ridge National Laboratory, administrators temporarily shut down all Internet access and e-mail systems to contain the damage. An investigation is currently under way.

The laboratory's IT administrators made the decision to disconnect the machines from the Internet after discovering malware on several systems attempting to transfer data to remote servers, according to Barbara Penland, the deputy director of communications at Oak Ridge. Even though e-mail access was restored late April 19, all attachments are automatically blocked, Penland told eWEEK. Internet access remains down, but the lab's public-facing Website remains in operation. The restrictions will remain in place until lab officials and investigators are satisfied that the situation is under control and manageable.
Like the recent data breach at RSA Security, Oak Ridge's systems were compromised by a spear-phishing attack. When two employees clicked on a link in a malicious e-mail, they were directed to a Website that exploited a remote code execution vulnerability in Internet Explorer. Microsoft had fixed the bug, identified by independent security researcher Stephen Fewer, in April's massive Patch Tuesday update. The malicious e-mail had been sent to about 530 employees, of which 57 believed it was a legitimate message sent from the human resources department and clicked on the link, according to Wired.
The malware was designed to hide on the system and delete itself if it could not compromise the system. The malware lay dormant for a week and then transmitted stolen data to a remote server. Administrators detected the transmission immediately, then shut down and cleaned the offending machines. Administrators subsequently discovered that other machines were also infected and made the decision on April 15 to shut down Internet access entirely to contain the damage.

A "few megabytes" of data were stolen before the lab discovered the breach, Thomas Zacharia, deputy director of the lab, told Wired. Zacharia declined to disclose what had been transferred, but confirmed that the data was encrypted. It appears that business systems were targeted and that the supercomputers and other sensitive networks remained secure.
Oak Ridge National Labs blamed the incident on an "advanced persistent threat" (APT), a term commonly used by organizations to imply that the threat was so advanced that they would never have been able to protect themselves, Gunter Ollmann, vice-president of research at Damballa, told eWEEK. "In many cases, what is being called an APT is, in reality, just another cybercrime attack, motivated by the usual monetization and fraud aspects and using the same tools," Ollmann said. In actuality, APTs generally are campaigns lasting for a long period of time and using many infection vectors to compromise a network. In an APT, attackers generally target strategic data over a long period of time, Ollmann said.
This is not the first data breach at Oak Ridge, as attackers stole large amounts of data containing Social Security numbers for approximately 12,000 individuals in 2007. That attack also succeeded because employees opened an attachment on a malicious e-mail purporting to have information about a conference.

The root of the problem is people, and there is no patch for that, Anup Ghosh, founder and chief scientist of Invincea, told eWEEK. Cyber-criminals are increasingly targeting the end user by crafting e-mails designed to trick them into clicking and viewing content. "Curiosity has always and will always kill the cat, but now it also gets your network 'pwned' and your intellectual property exfiltrated," Ghosh said. The industry needs to change how the end user is protected from ever-evolving threats by placing the user in a "protective bubble," such as a virtualized system where user mistakes are isolated from the rest of the network, Ghosh said.
Located in Tennessee, Oak Ridge National Laboratory performs classified and unclassified research for federal agencies and departments on nuclear energy, chemical science and biological systems. Funded by the Department of Energy, the lab's research includes analyzing malware, vulnerabilities and phishing attacks. Oak Ridge may have been one of the facilities at which computer scientists analyzed the Stuxnet worm to learn about its complex capabilities. Other Department of Energy labs have sent experts to help decrypt the data and to assist with the investigation, Zacharia said.