recommended reading

Labor’s Toxic Exposure Website Serves Up Spyware to Energy's Nuclear Workers

Kheng Guan Toh/

A type of cyber breach that hacks website visitors has struck a Labor Department site visited by Energy Department employees who have worked with nuclear weapons, according to researchers who identified the virus.

Labor officials acknowledged one of their sites was compromised. 

Researchers at security provider Invincea, tipped off by an unnamed individual on Tuesday night, identified a "watering hole" assault on Labor's “Site Exposure Matrices” public website. The database lists nuclear-related illnesses linked to Energy facilities  and toxicity levels at each location that might have sickened employees developing atomic weapons, according to the Institute of Medicine. The website is intended to help Labor caseworkers and former Energy workers determine appropriate compensation.

"We can infer the target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another," Anup Ghosh, Invincea's founder and  a former program manager at the Defense Advanced Research Projects Agency, told Nextgov.

Watering hole attacks exploit existing flaws in websites to implant malicious software that then infiltrates the computers of people visiting the site. In this instance, Ghosh concluded, the hackers took advantage of an error in older versions of the Internet Explorer browser.

Labor spokesman Jesse Lawder said in an email that on Wednesday, "Labor confirmed that a website related to a DoL program appeared to be compromised." The agency immediately took the site offline and began investigating the incident with "appropriate internal and external authorities" to identify and minimize potential impacts.  

Similar intrusions recently hit sites belonging to the Council on Foreign Relations, NBC and renewable energy technology supplier Capstone Turbine Corp, according to various researchers. NBC later reported strong evidence linking that particular campaign to China. 

Ghosh said it was likely that nothing unique to Labor’s database made it more vulnerable than any other large organization's site. 

Atlantic Media, which owns The National Journal Group and Nextgov, disclosed earlier this year that was distributing malware to visitors. Ghosh, who documented that episode at the time, said on Wednesday, "No one is immune to these attacks." 

He added, "The federal enterprise isn't much different from corporate enterprises in terms of using older versions of Windows and Internet Explorer. As a result, these attacks are likely to be successful unless the target is using more advanced forms of browser protection software such as virtual containers.”

While the method of infection might not be considered "sophisticated," the targeting and persistence of the adversary, after infection, could indicate this was a sophisticated attacker, Ghosh said. 

Microsoft, Apple and Facebook officials admitted their employees fell prey to watering hole attacks while visiting a software developer website. 

Right now, there is no evidence internal Labor data and services were manipulated or lost, according to agency officials. "The department will continue the investigation and will ensure that appropriate precautions and safeguards remain in place to protect our information and information systems" Lawder added. 

Incidentally, about a month ago, the Institute of Medicine released a study that criticized this nuclear illness database for, among other things, poor navigation, insufficient details, and inconsistent descriptions for particular locations and jobs.

Independently, researchers at Alienvault Labs seem to have happened upon the same Labor Department penetration, according to the company's blog. They suggest that techniques used to raid Labor’s site match those "used by a known Chinese actor called DeepPanda."   

(Image via Kheng Guan Toh/

Threatwatch Alert

Cyber espionage / Spear-phishing

Russia-Linked Hacker Unit Targets French Presidential Election

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.