Energy Industry Website Hacks Resemble Compromises to a Labor Site for Nuclear Workers


Computer breaches that are infecting visitors on energy sector websites might be linked to a May compromise of a Labor Department webpage that attracts former Energy Department nuclear personnel, cyber researchers say.

Traces of the malicious operation that hit Labor's “Site Exposure Matrices” public website, which helps Labor caseworkers compensate former Energy Department workers suffering from nuclear-related illnesses, have been discovered on many industry sites.

“The Department of Labor compromise occurred before the compromise of the energy-related websites,” Emmanuel Tacheau, a Cisco threat researcher, said in an email on Friday. “We know that they share both timing and the target -- the energy sector. Both attacks also employed a near identical rendition of the Internet Explorer exploit described in CVE-2013-1347,” the name of a software flaw.

These "watering hole" attacks took advantage of weaknesses in Web software, in this instance Microsoft Internet Explorer, to implant malicious software that can then infiltrate the computers of site users.  

Tacheau said the Labor site intrusion is consistent with watering hole attacks “which attempt to deliver malware to the specific sector that would ordinarily visit those pages. In the case of the DoL compromise, the affected pages dealt with nuclear-related content. The malware connects to a remote command and control server and it is assumed the intent is to gather forensics and steal sensitive information.”

Researchers have not been able to determine a direct connection between the two campaigns, he said.

The assaults on the firms came to light later in May, Tacheau wrote in a blog post earlier this week. The victims include an industrial supplier to the energy, nuclear and aerospace sectors, and various investment and capital companies that specialize in energy.  Other targets were an oil and gas exploration firm with operations in Africa and Brazil, and a natural gas power station in the United Kingdom.  

Encounters with the malware on the corporate sites "resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets," Tacheau wrote. 

Researchers at security providers Invincea and AlienVault Labs were the first to discover the Labor site intrusion this spring. The Site Exposure Matrices database lists diseases associated with Energy facilities and details toxicity levels at each location that might have sickened employees developing atomic weapons, according to the Institute of Medicine.

AlienVault specialists, at the time, suggested that techniques used to strike Labor’s site matched those "used by a known Chinese actor called DeepPanda."
