Labor’s Toxic Exposure Website Serves Up Spyware to Energy's Nuclear Workers

A type of cyber breach that hacks website visitors has struck a Labor Department site visited by Energy Department employees who have worked with nuclear weapons, according to researchers who identified the virus.

Labor officials acknowledged one of their sites was compromised. 

Researchers at security provider Invincea, tipped off by an unnamed individual on Tuesday night, identified a "watering hole" assault on Labor's “Site Exposure Matrices” public website. The database lists nuclear-related illnesses linked to Energy facilities  and toxicity levels at each location that might have sickened employees developing atomic weapons, according to the Institute of Medicine. The website is intended to help Labor caseworkers and former Energy workers determine appropriate compensation.

"We can infer the target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another," Anup Ghosh, Invincea's founder and  a former program manager at the Defense Advanced Research Projects Agency, told Nextgov.

Watering hole attacks exploit existing flaws in websites to implant malicious software that then infiltrates the computers of people visiting the site. In this instance, Ghosh concluded, the hackers took advantage of an error in older versions of the Internet Explorer browser.

Labor spokesman Jesse Lawder said in an email that on Wednesday, "Labor confirmed that a website related to a DoL program appeared to be compromised." The agency immediately took the site offline and began investigating the incident with "appropriate internal and external authorities" to identify and minimize potential impacts.  

Similar intrusions recently hit sites belonging to the Council on Foreign Relations, NBC and renewable energy technology supplier Capstone Turbine Corp, according to various researchers. NBC later reported strong evidence linking that particular campaign to China. 

Ghosh said it was likely that nothing unique to Labor’s database made it more vulnerable than any other large organization's site. 

Atlantic Media, which owns The National Journal Group and Nextgov, disclosed earlier this year that NationalJournal.com was distributing malware to visitors. Ghosh, who documented that episode at the time, said on Wednesday, "No one is immune to these attacks." 

He added, "The federal enterprise isn't much different from corporate enterprises in terms of using older versions of Windows and Internet Explorer. As a result, these attacks are likely to be successful unless the target is using more advanced forms of browser protection software such as virtual containers.”

While the method of infection might not be considered "sophisticated," the targeting and persistence of the adversary, after infection, could indicate this was a sophisticated attacker, Ghosh said. 

Microsoft, Apple and Facebook officials admitted their employees fell prey to watering hole attacks while visiting a software developer website. 

Right now, there is no evidence internal Labor data and services were manipulated or lost, according to agency officials. "The department will continue the investigation and will ensure that appropriate precautions and safeguards remain in place to protect our information and information systems" Lawder added. 

Incidentally, about a month ago, the Institute of Medicine released a study that criticized this nuclear illness database for, among other things, poor navigation, insufficient details, and inconsistent descriptions for particular locations and jobs.

Independently, researchers at Alienvault Labs seem to have happened upon the same Labor Department penetration, according to the company's blog. They suggest that techniques used to raid Labor’s site match those "used by a known Chinese actor called DeepPanda."   

(Image via Kheng Guan Toh/Shutterstock.com)