Hackers have penetrated an upper layer of data at the Oak Ridge National Laboratory (ORNL), a multiprogram science and technology lab managed for the U.S. Department of Energy by UT-Battelle.
Scientists and engineers at ORNL work to increase the availability of clean and abundant energy, restore and protect the environment, and contribute to national security, in addition to isotope production.
ORNL Director Thom Mason sent a memo to the 3,800 staff members at the facility noting the nature of the attack.
“The Laboratory has been the target of a sophisticated cyber attack that now appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country,” Mason noted. “Our cyber security staff has been working nights and weekends to understand the nature of this attack.”
Security On, Hackers In
“Our review to date has shown that while every security system at ORNL was in place and in compliance, the hackers potentially succeeded in gaining access to one of the Laboratory’s non-classified databases that contained personal information of visitors to the Laboratory between 1990 and 2004,” Mason explained. “At this point we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven ‘phishing’ e-mails, all of which at first glance appeared legitimate.”
One of the fake e-mails notified employees of a scientific conference, while another pretended to notify employees of a complaint on behalf of the Federal Trade Commission.
“In each case, the employee was instructed to open an attachment for further information,” Mason noted. “At present we believe that about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data.”
Hacker Goals Not Revealed
Mason did not reveal what the hacker or hackers may have been after, whether it might have been simple identity information or deeper access to ORNL data.
“Reconstructing this event is a very tedious and time-consuming effort that likely will take weeks, if not longer, to complete. In the meantime we will be attempting to notify by letter all persons who potentially had stolen personal information such as name, date of birth, and social security number,” Mason explained. “Meanwhile, because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack.”
Social Engineering at Work
“I think there’s a little bit of discrepancy in the way people use the term ‘phishing,’” Craig Schmugar, threat research manager for McAfee Avert Labs, told TechNewsWorld.
“Generally, phishing is considered more of the pure social engineering — soliciting people to go to some place and willingly hand over their information,” he explained. “This situation was more of a case of social engineering wrapped in an e-mail message that would get people to run an attachment. And once it was run, malicious code is installed on a machine, and that code goes out and effectively extracts information or gives remote attackers a gateway into an organization so they can steal what they want.”
Overall, Schmugar says more targeted and personalized attacks are on the rise — and they’re becoming more sophisticated.
Fishing for Better Bait
Schmugar noted that some social engineering attacks start small to get initial information that can then be used to create additional, more legitimate-looking social engineering attacks — in a sense, a hacker can phish for better bait. With better bait, hackers can go after bigger and better fish.
“The hacking side is easier to defend against. You can put software defenses in place and lock down people’s machines, but what’s really hard to defend is the social engineering — because that’s attacking people and their gullibility,” Schmugar noted. “I’ve heard quotes from hackers saying it’s much easier to get into someplace than reverse engineering software to find a crack in it,” he added.
Breaking Into Corporations
“We’re finding that social engineering tactics are still a very successful means of getting into corporations,” Mike Haro, a senior security analyst for Sophos, told TechNewsWorld. “The trend is consistently high, but I wouldn’t say it’s any higher than it was this quarter or last year. But it’s definitely a means from which targeted attacks take place.”
The ORNL has posted a page for employees and visitors that will keep them up to date with the investigation and potential identity theft issues.