Attack on Energy lab computers was isolated and limited, officials say

A recent cyberattack against the Energy Department's Oak Ridge National Laboratory excised scientific, nonsensitive data from a collaborative work tool, according to lab officials.

Federal law enforcement and intelligence officers, in coordination with Homeland Security Department officials, are analyzing the source of the so-called advanced persistent threat, which currently seems to be an isolated event, DHS officials said Thursday evening.

The incident apparently began on April 7 when employees at Oak Ridge, in Tennessee, started receiving emails purportedly from colleagues in the human resources office, lab officials said. The messages included a link, which when clicked on installed malicious software that transferred internal data to the intruder, said Barbara Penland, the Tennessee lab's deputy director of communications.

Such "phishing" attacks, the first phase of an advanced persistent threat, mask emails as messages from colleagues, friends or acquaintances to lure unsuspecting victims into revealing personal information or downloading malware. This technique provides perpetrators with the key codes or data they need to enter an organization's network and silently search for the information they want.

This assault was directed at a system that housed nonsensitive explanations and listings of past and present projects under way at the lab's research divisions. The tool enables lab personnel, including its public affairs staff, to look up, for instance, the history of companies with which the institution is partnering.

Penland described it as "a system that we use for our daily work . . . If I wanted to write a story about biofuels, I could pull information."

Lab researchers are working on energy production, including nuclear fusion; national security technology such as biochemical sensors; the study of advanced particles using the world's most powerful electron microscope; and biological systems dealing with genetics and environmental data.

Scientists also are trying to develop stronger, lighter plastics and high-temperature superconductors with the help of a particle accelerator that is the most powerful source of neutrons on earth.

DHS officials, charged with protecting civilian networks, said they are watching for similar threats at other federal agencies but the Oak Ridge situation appears to be unique.

Homeland Security's U.S. Computer Emergency Readiness Team "is closely monitoring this incident and remains vigilant to detect similar activities that may be directed at other departments and agencies and will respond appropriately as necessary," DHS spokesman Chris Ortman said. "At this time, US-CERT does not have any confirmed reports of related activity on other government networks," Ortman added.

"Initial analysis suggests an intrusion originating from a social engineering exploitation, sometimes referred to as phishing," he said. "This particular tactic is common, which underscores the importance of practicing safe online habits, for example, not clicking on links embedded in emails received from unfamiliar email addresses."

Last month, an advanced persistent threat penetrated an RSA Security system containing information related to smart card IDs and key fob credentials used by many federal personnel.

Oak Ridge on Friday turned off Internet access at the lab as a preventive measure.

"We think it's an overabundance of caution," Penland said, adding that information technology specialists are repeatedly running network scans. "Because this particular malware collects information and extracts it if we keep that door shut it cannot do what it's supposed to do."

Lab officials also cut off external email and remote access to internal systems, but have since resumed exchanging emails that do not contain attachments.

The targeted technology was not connected to any databases containing classified or sensitive information, since the lab's networks are segregated, Penland said. As a result, Oak Ridge's supercomputer operations were unaffected and the lab's academic and industry partners could still run simulations on the machines. The lab is home to Jaguar, the nation's most powerful supercomputer and the world's second best performer, right behind a Chinese machine.

"Part of the security of our systems is that they are kept separate from each other," Penland said.

The lab, however, is still blocking employees from remotely accessing its internal networks through a so-called virtual private network. The move is aimed at preventing whoever is behind this month's attack from again logging on to the lab's networks through an outside computer.

Internet connectivity and remote access is expected to be reactivated next week.

Oak Ridge officials said the culprit -- who remains unknown -- got away with less than 1 gigabyte of data, the equivalent of about 1,000 e-books, or 4,000 photos.

"When I think about how many pictures my daughter has on her iPhone, it's really not a significant amount of data," Penland said.