recommended reading

Energy Industry Website Hacks Resemble Compromises to a Labor Site for Nuclear Workers


Computer breaches that are infecting visitors on energy sector websites might be linked to a May compromise of a Labor Department webpage that attracts former Energy Department nuclear personnel, cyber researchers say.

Traces of the malicious operation that hit Labor's “Site Exposure Matrices” public website, which helps Labor caseworkers compensate former Energy Department workers suffering from nuclear-related illnesses, have been discovered on many industry sites.

“The Department of Labor compromise occurred before the compromise of the energy-related websites,” Emmanuel Tacheau, a Cisco threat researcher, said in an email on Friday.  “We know that they share both timing and the target -- the energy sector. Both attacks also employed a near identical rendition of the Internet Explorer exploit described in CVE-2013-1347," the name of a software flaw. 

These "watering hole" attacks took advantage of weaknesses in Web software, in this instance Microsoft Internet Explorer, to implant malicious software that can then infiltrate the computers of site users.  

Tacheau said the Labor site intrusion is consistent with watering hole attacks “which attempt to deliver malware to the specific sector that would ordinarily visit those pages. In the case of the DoL compromise, the affected pages dealt with nuclear-related content. The malware connects to a remote command and control server and it is assumed the intent is to gather forensics and steal sensitive information.”

Researchers have not been able to determine a direct connection between the two campaigns, he said.

The assaults on the firms came to light later in May, Tacheau wrote in a blog post earlier this week. The victims include an industrial supplier to the energy, nuclear and aerospace sectors, and various investment and capital companies that specialize in energy.  Other targets were an oil and gas exploration firm with operations in Africa and Brazil, and a natural gas power station in the United Kingdom.  

Encounters with the malware on the corporate sites "resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets," Tacheau wrote. 

Researchers at security providers Invincea and Alienvault Labs were the first to discover the Labor site intrusion this spring. The database lists diseases associated with Energy facilities and details toxicity levels at each location that might have sickened employees developing atomic weapons, according to the Institute of Medicine. 

Alienvault specialists, at the time, suggested that techniques used to strike Labor’s site matched those "used by a known Chinese actor called DeepPanda."   

Explore the future of technology in government at Nextgov Prime Oct. 15-16 in Washington. Registration for federal employees is free. 

(Image via Norebbo/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.