Cyber Attack Hits Oak Ridge National Laboratory

Tuesday, April 19, 2011



Internet access and email systems were temporarily shut down at the Oak Ridge National Laboratory over the weekend while investigators look into the events surrounding a reported cyber attack.

“We made the decision (at about midnight Friday) to close down the connection to the Internet to make sure there was no data exfiltrated from the lab while we got the system cleaned up,” said ORNL Director Thom Mason.

Details of the unauthorized access are few, but initial reports indicate that the targeted attack employed an email that may have contained malware.

“In this case, it was initiated with phishing email, which led to the download of some software that took advantage of a ‘zero day exploit,’ a vulnerability for which there is no patch yet issued,” Mason said.

Mason did not name the software that was vulnerable to the zero-day exploit, but the event follows closely on the heels of a critical security update Adobe issued for its Flash Player.

Adobe had acknowledged last week that the latest Flash vulnerability was being exploited in email-based attacks using a Microsoft Word document with an embedded Flash file carrying the malicious code.

The recent RSA breach used an Excel email attachment with an embedded Flash file; the malware it delivered installed a variant of the Poison Ivy remote administration tool (RAT), which the attackers used to harvest authentication credentials and move on to other systems on the company's network.
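The delivery vector described in the two paragraphs above, an Office attachment with a Flash (SWF) object embedded in it, is something a mail gateway or incident responder can triage without a Flash parser: every SWF starts with a fixed 8-byte header (signature FWS, CWS or ZWS, a version byte, then a little-endian uncompressed length). The script below is an added example written for this article, not code from ORNL, Adobe or RSA, and it does not detect the specific vulnerability mentioned in the text; it only flags attachments that carry an embedded SWF at all, which is the useful question for a lab that has no business receiving Flash inside spreadsheets. The sample documents are constructed inline so it runs offline; the version-byte range and the length sanity check are heuristics chosen here to cut false hits on the ASCII strings "FWS"/"CWS" appearing by chance.

```python
"""Triage check for Office attachments carrying an embedded Flash (SWF) object.

Added example for this article (not ORNL, Adobe or RSA code).  Scans an
attachment, OOXML zip container or flat binary, for SWF headers and
reports where they sit.  Sample documents below are constructed test data.
"""
import io
import re
import struct
import zipfile
import zlib

# SWF header: 3-byte signature (FWS = uncompressed, CWS = zlib-compressed,
# ZWS = LZMA-compressed), 1-byte version, 4-byte LE uncompressed length.
# Heuristic: only accept versions 1..31, which rules out the signature
# being followed by a space or printable text (false positives).
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x1f]")


def find_swf_headers(blob: bytes):
    """Return [(offset, signature, version, declared_length)] for every
    plausible SWF header found in blob."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        sig = blob[off:off + 3].decode("ascii")
        version = blob[off + 3]
        (length,) = struct.unpack_from("<I", blob, off + 4)
        # The declared uncompressed length always includes the 8-byte
        # header itself, so anything smaller is noise, not a SWF.
        if length < 8:
            continue
        hits.append((off, sig, version, length))
    return hits


def scan_attachment(data: bytes):
    """Scan one attachment.  OOXML (.docx/.xlsx) is a zip: every member is
    checked, because the SWF usually lives under word/embeddings/ or
    xl/embeddings/ or inside an ActiveX binary part.  Anything else
    (legacy OLE .doc/.xls, or unknown) is scanned as a flat byte stream.
    Returns [(member_name, offset, signature, version, declared_length)]."""
    findings = []
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for off, sig, ver, ln in find_swf_headers(zf.read(name)):
                    findings.append((name, off, sig, ver, ln))
    else:
        for off, sig, ver, ln in find_swf_headers(data):
            findings.append(("<raw>", off, sig, ver, ln))
    return findings


# --- constructed sample data (not a real exploit, just valid-looking headers) ---

def make_swf(compressed: bool) -> bytes:
    """Minimal SWF-shaped blob: header plus 24 zero bytes of body."""
    body = b"\x00" * 24
    header = struct.pack("<I", 8 + len(body))
    if compressed:
        return b"CWS" + bytes([10]) + header + zlib.compress(body)
    return b"FWS" + bytes([10]) + header + body


def make_docx_with_swf() -> bytes:
    """Constructed OOXML container with an SWF inside an embedded OLE part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 64 + make_swf(True))
    return buf.getvalue()


def make_clean_docx() -> bytes:
    """Constructed benign document; the text 'FWS ' must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>FWS is just text here</w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("docx with SWF", make_docx_with_swf()),
                          ("clean docx", make_clean_docx()),
                          ("raw blob", b"\x00" * 10 + make_swf(False))]:
        print(label, "->", scan_attachment(sample))
```

For legacy OLE compound files (.doc/.xls) the flat scan above works only while the SWF is stored uncompressed inside the container; a proper OLE stream parser would let you name the stream the object lives in. Treat a hit as a reason to quarantine and detonate the attachment, not as proof of exploitation.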

“Well, if you look at this APT, it is much more sophisticated than what was being used a few years ago. Certainly what we’ve seen is very consistent with the RSA attack... Whoever is doing this attempts to get a foothold in the network system, works patiently and relatively quietly to try to expand that and is looking for specific types of information," explained Mason.

ORNL was previously hit by a cyber attack in 2007 that resulted in the loss of a large amount of data, and the decision to suspend Internet access can be chalked up to lessons learned from that earlier experience.

When asked whether or not he could confirm reports that the attacks may have originated in China, Mason was cautious about making that attribution.

“We haven’t really completed the post-mortem on what happened, so it would be foolish to kind of speculate on where things were going. There was no significant exfiltration of data that we detected. There were attempts and small volumes of things that were suspicious in terms of Internet traffic," Mason replied.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.