Internet access and email systems were temporarily shut down at the Oak Ridge National Laboratory over the weekend as investigators look into events surrounding a reported cyber attack.
“We made the decision (at about midnight Friday) to close down the connection to the Internet to make sure there was no data exfiltrated from the lab while we got the system cleaned up,” said ORNL Director Thom Mason.
Details of the unauthorized access are few, but initial reports indicate that the targeted attack employed an email that may have contained malware.
“In this case, it was initiated with phishing email, which led to the download of some software that took advantage of a ‘zero day exploit,’ a vulnerability for which there is no patch yet issued,” Mason said.
Mason did not specify the software that was vulnerable to a zero day exploitation, but the event follows closely on the heels of a critical software update issued by Adobe for the company's Flash Player.
Adobe had acknowledged last week that the latest Flash vulnerability was being used in email-based attacks utilizing a Microsoft Word document with an embedded Flash file containing malware.
The recent RSA hack had utilized an Excel email attachment with an embedded Flash file that contained malware enabling the attackers to use a version of the Poison Ivy remote administration tool (RAT) to glean authentication credentials and gain access to other systems in the company's network.
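Both intrusions described above started with an Office attachment that smuggled in a Flash (SWF) object, which gives mail gateways a cheap triage signal: SWF files begin with the magic bytes `FWS` (uncompressed), `CWS` (zlib) or `ZWS` (LZMA) followed by a version byte, and ordinary Word or Excel documents almost never contain one. The scanner below is an added example written for this page, not code from ORNL, RSA or Adobe; the sample attachments it builds are constructed placeholders, not real malware.

```python
import io
import re
import zipfile

# SWF files start with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA) plus a version byte.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx container


def find_swf_offsets(blob: bytes) -> list[int]:
    """Byte offsets of every SWF header in a flat byte string."""
    return [m.start() for m in SWF_MAGIC.finditer(blob)]


def scan_attachment(name: str, data: bytes) -> dict:
    """Triage one attachment. OOXML members are deflated inside the zip, so each is
    unpacked before scanning; the OLE2 container does not compress its streams,
    so a flat scan of the whole file is enough there."""
    if data.startswith(ZIP_MAGIC):
        container = "ooxml"
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits += [f"{member}@{off}" for off in find_swf_offsets(zf.read(member))]
    else:
        container = "ole2" if data.startswith(OLE_MAGIC) else "other"
        hits = [f"@{off}" for off in find_swf_offsets(data)]
    return {"name": name, "container": container, "swf_hits": hits, "suspicious": bool(hits)}


def build_samples() -> dict[str, bytes]:
    """Constructed inputs, not real malware: a fake .doc carrying an SWF header,
    a clean .docx, and a .docx whose embedded OLE object carries one."""
    fake_doc = OLE_MAGIC + b"\x00" * 40 + b"CWS\x0a" + b"\x00" * 16  # header lands at offset 48
    clean, flashy = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(clean, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>hello</w:document>")
    with zipfile.ZipFile(flashy, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 8 + b"FWS\x08" + b"\x00" * 8)
    return {"fake.doc": fake_doc, "clean.docx": clean.getvalue(), "flash.docx": flashy.getvalue()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(scan_attachment(name, data))
```

This is a triage check, not a verdict: an SWF stored in a further encoded form (for example as hex text inside an RTF object) will not show the raw magic bytes, so flagged files still belong in a sandbox and clean ones are not proven safe.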
“Well, if you look at this APT, it is much more sophisticated than what was being used a few years ago. Certainly what we’ve seen is very consistent with the RSA attack... Whoever is doing this attempts to get a foothold in the network system, works patiently and relatively quietly to try to expand that and is looking for specific types of information,” explained Mason.
ORNL was previously hit by a cyber attack in 2007 that resulted in the loss of a large amount of data, and the move to suspend Internet access can be chalked up to lessons learned from the Lab's previous experience.
When asked whether or not he could confirm reports that the attacks may have originated in China, Mason was cautious about making that attribution.
“We haven’t really completed the post-mortem on what happened, so it would be foolish to kind of speculate on where things were going. There was no significant exfiltration of data that we detected. There were attempts and small volumes of things that were suspicious in terms of Internet traffic,” Mason replied.