Federal research facility Oak Ridge National Laboratory shut down its
Internet access and email systems after an IE exploit compromised the
network.
After attackers compromised several machines at federal research
facility Oak Ridge National Laboratory, administrators temporarily
shut down all Internet access and e-mail systems to contain the
damage. An investigation is currently underway.
The laboratory’s IT administrators made the decision to disconnect the
machines from the Internet after discovering malware on several
systems attempting to transfer data to remote servers, according to
Barbara Penland, the deputy director of communications at Oak Ridge.
Even though e-mail access was restored late April 19, all attachments
are automatically blocked, Penland told eWEEK. Internet access remains
down, but the lab’s public facing Website remains in operation.
The restrictions will remain in place until lab officials and
investigators are satisfied the situation is under control and
manageable.
Similar to the recent data breach at RSA Security, Oak Ridge’s systems
were compromised by a spear phishing attack. When two employees
clicked on a link in a malicious e-mail, they were directed to a
Website that exploited remote code execution vulnerability in Internet
Explorer.
Microsoft had fixed the bug—identified by independent security
researcher Steven Fewer at CanSecWest’s Pwn2Own hacking competition—in
April’s massive Patch Tuesday update.
The malicious e-mail had been sent to about 530 employees, of which 57
believed it was a legitimate message sent from the human resources
department and clicked on the link, according to Wired. The malware
was designed to hide on the system and delete itself if it could not
compromise the system.
The malware lay dormant for a week and then transmitted stolen data to
a remote server. Administrators detected the transmission immediately
and shut down and cleaned offending machines. Administrators
discovered that other machines were also infected and made the
decision on April 15 to shut down Internet access entirely to contain
the damage.
Only a “few megabytes” of data were stolen before the lab discovered
the breach, Thomas Zacharia, deputy director of the lab, told Wired.
Zacharia declined to disclose what had been transferred, but confirmed
that the data was encrypted.
It appears that business systems were targeted and the supercomputers
and other sensitive networks remained secure.
Oak Ridge National Labs blamed the incident on an “advanced persistent
threat,” (APT) a term commonly used by organizations to imply that the
threat was so advanced that they would never have been able to protect
themselves, Gunter Ollmann, vice-president of research at Damballa,
told eWEEK. “In many cases, what is being called an APT is, in
reality, just another cybercrime attack--motivated by the usual
monetization and fraud aspects and using the same tools,” Ollmann
said.
In actuality, APTs generally are campaigns lasting for a long period
of time and using many infection vectors to compromise a network.
Attackers generally target strategic data over a long period of time
in an APT, Ollmann said.
This is not the first data breach at Oak Ridge, as attackers stole
large amounts of data containing Social Security numbers for
approximately 12,000 individuals in 2007. That attack also succeeded
because employees opened an attachment on a malicious e-mail
purporting to have information about a conference.
The root of the problem is people, and there is no patch for that,
Anup Ghosh, founder and chief scientist of Invincea, told eWEEK.
Cyber-criminals are increasingly targeting the end user by crafting
e-mails designed to trick them in to clicking and viewing content.
“Curiosity has always and will always kill the cat—but now it also
gets your network ‘pwned’ and your intellectual property exfiltrated,”
Ghosh said.
The industry needs to change how the end-user is protected from
ever-evolving threats by placing the user in a “protective
bubble”—such as a virtualized system where user mistakes are isolated
from the rest of the network, Ghosh said.
Located in Tennessee, Oak Ridge National Laboratory performs
classified and unclassified research for federal agencies and
departments on nuclear energy, chemical science and biological
systems. Funded by the Department of Energy, the lab’s research
includes analyzing malware, vulnerabilities and phishing attacks. Oak
Ridge may have been one of the facilities at which computer scientists
analyzed the Stuxnet worm to learn about its complex capabilities.
Other Department of Energy labs have sent experts to help decrypt the
data and to assist with the investigation, Zacharia said.
No comments:
Post a Comment