
Labor’s Toxic Exposure Website Serves Up Spyware to Energy's Nuclear Workers


A type of cyber breach that hacks website visitors has struck a Labor Department site visited by Energy Department employees who have worked with nuclear weapons, according to researchers who identified the virus.

Labor officials acknowledged one of their sites was compromised. 

Researchers at security provider Invincea, tipped off by an unnamed individual on Tuesday night, identified a "watering hole" assault on Labor's “Site Exposure Matrices” public website. The database lists nuclear-related illnesses linked to Energy facilities and toxicity levels at each location that might have sickened employees developing atomic weapons, according to the Institute of Medicine. The website is intended to help Labor caseworkers and former Energy workers determine appropriate compensation.

"We can infer the target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another," Anup Ghosh, Invincea's founder and a former program manager at the Defense Advanced Research Projects Agency, told Nextgov.

Watering hole attacks exploit existing flaws in websites to implant malicious software that then infiltrates the computers of people visiting the site. In this instance, Ghosh concluded, the hackers took advantage of an error in older versions of the Internet Explorer browser.

Labor spokesman Jesse Lawder said in an email that on Wednesday, "Labor confirmed that a website related to a DoL program appeared to be compromised." The agency immediately took the site offline and began investigating the incident with "appropriate internal and external authorities" to identify and minimize potential impacts.  

Similar intrusions recently hit sites belonging to the Council on Foreign Relations, NBC and renewable energy technology supplier Capstone Turbine Corp, according to various researchers. NBC later reported strong evidence linking that particular campaign to China. 

Ghosh said it was likely that nothing unique to Labor’s database made it more vulnerable than any other large organization's site. 

Atlantic Media, which owns The National Journal Group and Nextgov, disclosed earlier this year that was distributing malware to visitors. Ghosh, who documented that episode at the time, said on Wednesday, "No one is immune to these attacks." 

He added, "The federal enterprise isn't much different from corporate enterprises in terms of using older versions of Windows and Internet Explorer. As a result, these attacks are likely to be successful unless the target is using more advanced forms of browser protection software such as virtual containers."

While the method of infection might not be considered "sophisticated," the targeting and persistence of the adversary, after infection, could indicate this was a sophisticated attacker, Ghosh said. 

Microsoft, Apple and Facebook officials admitted their employees fell prey to watering hole attacks while visiting a software developer website. 

Right now, there is no evidence internal Labor data and services were manipulated or lost, according to agency officials. "The department will continue the investigation and will ensure that appropriate precautions and safeguards remain in place to protect our information and information systems," Lawder added.

Incidentally, about a month ago, the Institute of Medicine released a study that criticized this nuclear illness database for, among other things, poor navigation, insufficient details, and inconsistent descriptions for particular locations and jobs.

Independently, researchers at AlienVault Labs seem to have happened upon the same Labor Department penetration, according to the company's blog. They suggest that techniques used to raid Labor’s site match those "used by a known Chinese actor called DeepPanda."
