
Attack on Energy lab computers was isolated and limited, officials say

A recent cyberattack against the Energy Department's Oak Ridge National Laboratory extracted nonsensitive scientific data from a collaborative work tool, according to lab officials.

Federal law enforcement and intelligence officers, in coordination with Homeland Security Department officials, are analyzing the source of the so-called advanced persistent threat, which currently seems to be an isolated event, DHS officials said Thursday evening.

The incident apparently began on April 7 when employees at Oak Ridge, in Tennessee, started receiving emails purportedly from colleagues in the human resources office, lab officials said. The messages included a link, which when clicked on installed malicious software that transferred internal data to the intruder, said Barbara Penland, the Tennessee lab's deputy director of communications.

Such "phishing" attacks, typically the first phase of an advanced persistent threat, disguise emails as messages from colleagues, friends or acquaintances to lure unsuspecting victims into revealing credentials or downloading malware. That gives the perpetrators the credentials or the initial foothold they need to enter an organization's network and quietly search for the information they want.
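The checks a mail gateway or a triage analyst would apply to a message of the kind described above, as an added example that is not part of the original article and not the lab's own tooling. It assumes a hypothetical internal mail domain, ornl.example, and uses constructed sample messages modelled on the description (a "Human Resources" display name on an external address, carrying a link to an external host); the heuristics and the names used are the editor's choices, not anything reported about the actual lure.

```python
"""Header and link heuristics for a spoofed-colleague lure.

Added example: not code from the lab or the article. INTERNAL_DOMAIN and the
sample messages are assumptions constructed to match the description of the
e-mails (a "Human Resources" sender whose real address and link are external).
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "ornl.example"  # assumption: the organization's own mail domain
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: display name claims HR, real sender and link are external.
SAMPLE_LURE = """\
From: "Human Resources (ORNL)" <hr-notices@hr-updates-mail.example.net>
Reply-To: hr-notices@hr-updates-mail.example.net
To: someone@ornl.example
Subject: Updated benefits enrollment form - action required
Content-Type: text/plain; charset=utf-8

Please review the updated form before Friday:
http://ornl-hr-portal.example.net/benefits/form.html
"""

# Constructed sample: From looks internal, but replies are routed outside.
SAMPLE_REPLYTO_LURE = """\
From: "Human Resources" <hr@ornl.example>
Reply-To: hr-desk@example.net
To: someone@ornl.example
Subject: Please confirm your details
Content-Type: text/plain; charset=utf-8

Reply to this message with your updated contact details.
"""

# Constructed sample: genuine internal notice with an intranet link.
SAMPLE_LEGIT = """\
From: "Human Resources" <hr@ornl.example>
To: someone@ornl.example
Subject: Benefits enrollment reminder
Content-Type: text/plain; charset=utf-8

The enrollment form is on the intranet: https://intranet.ornl.example/hr/benefits
"""


def is_internal(host: str) -> bool:
    host = host.lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def addr_domain(header_value) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return the reasons a message looks like a spoofed-colleague lure (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: list[str] = []

    display, address = parseaddr(str(msg.get("From", "")))
    from_dom = address.rpartition("@")[2].lower()

    # 1. The display name invokes the organization or HR, but the real address is external.
    name = display.lower()
    if ("ornl" in name or "human resources" in name) and not is_internal(from_dom):
        reasons.append(f"display name '{display}' but external sender {address}")

    # 2. From is internal, yet replies or bounces would go to an external domain.
    if is_internal(from_dom):
        for hdr in ("Reply-To", "Return-Path"):
            other = addr_domain(msg.get(hdr))
            if other and not is_internal(other):
                reasons.append(f"{hdr} routes to external domain {other}")

    # 3. Any link in the body that leads off the internal domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not is_internal(host):
            reasons.append(f"link to external host {host}")
    return reasons


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE),
                          ("reply-to lure", SAMPLE_REPLYTO_LURE),
                          ("legit", SAMPLE_LEGIT)):
        print(label + ":", triage(sample) or "no findings")
```

These heuristics only look at what the recipient can see; a real gateway would add SPF, DKIM and DMARC results on the envelope domain, which is what actually distinguishes a message sent through the organization's own mail servers from one that merely claims to be. A lookalike host such as ornl-hr-portal.example.net is flagged here simply because it is not under the internal domain, which is the check that matters for a link a user is being urged to click.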

This assault was directed at a system that housed nonsensitive explanations and listings of past and present projects under way at the lab's research divisions. The tool enables lab personnel, including its public affairs staff, to look up, for instance, the history of companies with which the institution is partnering.

Penland described it as "a system that we use for our daily work . . . If I wanted to write a story about biofuels, I could pull information."

Lab researchers are working on energy production, including nuclear fusion; national security technology such as biochemical sensors; the study of advanced particles using the world's most powerful electron microscope; and biological systems dealing with genetics and environmental data.

Scientists also are trying to develop stronger, lighter plastics and high-temperature superconductors with the help of a particle accelerator that is the most powerful source of neutrons on earth.

DHS officials, charged with protecting civilian networks, said they are watching for similar threats at other federal agencies but the Oak Ridge situation appears to be unique.

Homeland Security's U.S. Computer Emergency Readiness Team "is closely monitoring this incident and remains vigilant to detect similar activities that may be directed at other departments and agencies and will respond appropriately as necessary," DHS spokesman Chris Ortman said. "At this time, US-CERT does not have any confirmed reports of related activity on other government networks," Ortman added.

"Initial analysis suggests an intrusion originating from a social engineering exploitation, sometimes referred to as phishing," he said. "This particular tactic is common, which underscores the importance of practicing safe online habits, for example, not clicking on links embedded in emails received from unfamiliar email addresses."

Last month, an advanced persistent threat penetrated RSA Security systems holding information related to its SecurID tokens, the key fob and smart card credentials used by many federal personnel.

Oak Ridge on Friday turned off Internet access at the lab as a preventive measure.

"We think it's an overabundance of caution," Penland said, adding that information technology specialists are repeatedly running network scans. "Because this particular malware collects information and extracts it, if we keep that door shut it cannot do what it's supposed to do."
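One way IT staff could see the extraction the lab describes in outbound traffic records, as an added example that is not the lab's own tooling or data. It assumes NetFlow-style records with the fields "timestamp src_ip dst_ip dst_port bytes_out", treats RFC 1918 space as the internal network (an assumption), and uses a hypothetical threshold of 100 MiB from one internal host to one outside destination within the window; the flow lines are constructed, with the volume chosen to match the "less than 1 gigabyte" the lab reported.

```python
"""Find an internal host pushing an unusual volume to one outside destination.

Added example, not the lab's tooling. Flow lines are constructed; the internal
address ranges and the threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: the internal network is RFC 1918 space; everything else is "outside".
# (Deliberately not ipaddress.is_private, which also treats the TEST-NET ranges
# used for the constructed sample as private.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_THRESHOLD = 100 * 1024 * 1024  # hypothetical: 100 MiB to one outside host

# Constructed sample: 10.20.5.17 sends ~950 MB to 198.51.100.7 in a few bursts;
# the rest is ordinary browsing and an internal file-server copy.
SAMPLE_FLOWS = """\
# timestamp            src_ip      dst_ip         dst_port bytes_out
2011-04-11T09:02:11 10.20.5.22 93.184.216.34 443 48213
2011-04-11T09:02:40 10.20.5.17 93.184.216.34 80 9031
2011-04-11T09:05:03 10.20.5.17 198.51.100.7 443 300000000
2011-04-11T09:21:47 10.20.5.22 93.184.216.34 443 120500
2011-04-11T09:33:19 10.20.5.17 198.51.100.7 443 300000000
2011-04-11T09:40:02 10.20.5.30 10.20.7.100 445 2500000000
2011-04-11T10:01:55 10.20.5.17 198.51.100.7 443 300000000
2011-04-11T10:15:30 10.20.5.22 203.0.113.9 443 3000000
2011-04-11T10:22:08 10.20.5.17 198.51.100.7 443 50000000
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_totals(flow_text: str) -> dict[tuple[str, str], int]:
    """Sum bytes_out per (internal source, outside destination).

    Internal-to-internal flows are skipped: a large copy to a file server is
    not egress, and counting it would bury the real signal.
    """
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for line in flow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, _port, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += int(nbytes)
    return dict(totals)


def flag_exfiltration(flow_text: str,
                      threshold: int = EXFIL_THRESHOLD) -> list[tuple[str, str, int]]:
    """Source/destination pairs whose outbound volume exceeds the threshold, largest first."""
    hits = [(src, dst, n)
            for (src, dst), n in outbound_totals(flow_text).items()
            if n > threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, n in flag_exfiltration(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {n / 2**20:.0f} MiB outbound")
```

A per-pair byte total is a coarse signal; it is more discriminating to compare bytes out against bytes in for the same pair, since a workstation browsing a website downloads far more than it uploads, while a host being emptied does the reverse. The same record parsing would apply either way. Once a pair like this is found, the egress block the lab describes is the cheap, reliable response: whatever the malware still holds cannot leave.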

Lab officials also cut off external email and remote access to internal systems, but have since resumed exchanging emails that do not contain attachments.

The targeted technology was not connected to any databases containing classified or sensitive information, since the lab's networks are segregated, Penland said. As a result, Oak Ridge's supercomputer operations were unaffected and the lab's academic and industry partners could still run simulations on the machines. The lab is home to Jaguar, the nation's most powerful supercomputer and the world's second fastest, behind a Chinese machine.

"Part of the security of our systems is that they are kept separate from each other," Penland said.

The lab, however, is still blocking employees from remotely accessing its internal networks through a so-called virtual private network. The move is aimed at preventing whoever is behind this month's attack from again logging on to the lab's networks through an outside computer.

Internet connectivity and remote access are expected to be reactivated next week.

Oak Ridge officials said the culprit -- who remains unknown -- got away with less than 1 gigabyte of data, the equivalent of about 1,000 e-books, or 4,000 photos.

"When I think about how many pictures my daughter has on her iPhone, it's really not a significant amount of data," Penland said.
