After attackers compromised several machines at the federal research facility Oak Ridge National Laboratory, administrators temporarily shut down all Internet access and e-mail systems to contain the damage. An investigation is currently underway.

The laboratory's IT administrators made the decision to disconnect the machines from the Internet after discovering malware on several systems attempting to transfer data to remote servers, according to Barbara Penland, the deputy director of communications at Oak Ridge. Even though e-mail access was restored late on April 19, all attachments are automatically blocked, Penland told eWEEK. Internet access remains down, but the lab's public-facing website remains in operation.

The restrictions will remain in place until lab officials and investigators are satisfied that the situation is under control and manageable.
Similar to the recent data breach at RSA Security, Oak Ridge's systems were compromised by a spear-phishing attack. When two employees clicked on a link in a malicious e-mail, they were directed to a website that exploited a remote code execution vulnerability in Internet Explorer.

Microsoft had fixed the bug, identified by independent security researcher Stephen Fewer at CanSecWest's Pwn2Own hacking competition, in April's massive Patch Tuesday update.
The malicious e-mail had been sent to about 530 employees, of whom 57 believed it was a legitimate message from the human resources department and clicked on the link, according to Wired. The malware was designed to hide on the system and to delete itself if it could not gain a foothold.

The malware lay dormant for a week and then transmitted stolen data to a remote server. Administrators detected the transmission immediately, shut down the offending machines and cleaned them. When they discovered that other machines were also infected, they made the decision on April 15 to shut down Internet access entirely to contain the damage.
Only a "few megabytes" of data were stolen before the lab discovered the breach, Thomas Zacharia, deputy director of the lab, told Wired. Zacharia declined to disclose what had been transferred, but confirmed that the attackers had encrypted the data before sending it out.

It appears that business systems were targeted and that the supercomputers and other sensitive networks remained secure.
Oak Ridge National Laboratory blamed the incident on an "advanced persistent threat" (APT), a term commonly used by organizations to imply that the threat was so advanced that they could never have protected themselves, Gunter Ollmann, vice-president of research at Damballa, told eWEEK. "In many cases, what is being called an APT is, in reality, just another cybercrime attack, motivated by the usual monetization and fraud aspects and using the same tools," Ollmann said.

In actuality, APTs generally are campaigns that last for a long period of time and use many infection vectors to compromise a network. Attackers in an APT generally target strategic data over a long period of time, Ollmann said.
This is not the first data breach at Oak Ridge: in 2007, attackers stole large amounts of data containing Social Security numbers for approximately 12,000 individuals. That attack also succeeded because employees opened an attachment on a malicious e-mail purporting to contain information about a conference.

The root of the problem is people, and there is no patch for that, Anup Ghosh, founder and chief scientist of Invincea, told eWEEK. Cyber-criminals are increasingly targeting the end user by crafting e-mails designed to trick them into clicking and viewing content.

"Curiosity has always and will always kill the cat, but now it also gets your network 'pwned' and your intellectual property exfiltrated," Ghosh said.

The industry needs to change how the end user is protected from ever-evolving threats by placing the user in a "protective bubble," such as a virtualized system where user mistakes are isolated from the rest of the network, Ghosh said.
Located in Tennessee, Oak Ridge National Laboratory performs classified and unclassified research for federal agencies and departments on nuclear energy, chemical science and biological systems. Funded by the Department of Energy, the lab's research includes analyzing malware, vulnerabilities and phishing attacks. Oak Ridge may have been one of the facilities at which computer scientists analyzed the Stuxnet worm to learn about its complex capabilities.

Other Department of Energy labs have sent experts to help decrypt the data and to assist with the investigation, Zacharia said.