Oak Ridge National Lab shuts down Internet, email after cyberattack

DOE laboratory says it was victim of an Advanced Persistent Threat designed to steal technical data

The Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers, has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.

The restrictions on Internet access will remain in place until those investigating the attack know for sure that it has been completely contained, said Barbara Penland, ORNL's director of communications.

The lab is expected to restore external email service sometime on Wednesday; however, no attachments will be allowed for the time being.

Penland said several other national laboratories and government organizations were targeted in the same attacks, which appear to have been launched earlier this month.

The measures at Oak Ridge were implemented late on Friday night after initial investigations showed that those behind the attacks were attempting to steal technical data from the lab's systems and send it to an external system, Penland said.

So far, though, it appears that no significant amount of data has been stolen. Penland said investigators believe that whoever was behind the attacks managed to steal less than 1GB of data.

Penland said that there is nothing to show yet where the attacks originated from or who might have been behind them.

The attacks were launched through phishing emails that were sent to some 573 lab employees. The emails were disguised to appear as if they came from the lab's HR department and purported to inform employees of some benefits-related changes.

The emails contained a link that employees were asked to click on for further information.

Some employees appear to have clicked on the link, resulting in an information-stealing malware program being downloaded onto their systems.

Penland did not offer any more details on the malware itself. But a story in Knoxnews.com quoted ORNL director Thom Mason as saying the malware program exploited a zero-day vulnerability in Internet Explorer.

The story quoted Mason as describing the attack as a sophisticated Advanced Persistent Threat (APT), designed to gain a foothold on the lab's networks and then quietly look for and steal specific types of information.

"If you look at this APT, it is much more sophisticated than what was being used a few years ago," Mason told Knoxnews.com. "Certainly what we've seen is very consistent with the RSA attack," he said, referring to an attack on RSA a few weeks ago that resulted in data relating to the company's SecurID two-factor authentication technology being stolen.

Almost all of the lab's 200 IT staff are currently engaged in either investigating the attacks or ensuring that other systems remain available, Penland said. Staff from other national laboratories are also helping in the investigations, she said. At the moment, the attacks are the subject of an IT investigation only and not a criminal one.

Penland said that the attacks appear to have been directed at ORNL's business systems. The lab's supercomputers, including the world's most powerful system, the 1.75-petaflop Jaguar, have been unaffected by the attacks and continue to operate normally.

As of this afternoon, the attacks appear to have been contained, she added. "Keeping the Internet down is a precaution to make sure that nothing gets out as we investigate further," she said.

The email and Internet shutdown has forced employees to rely on fax machines and phone calls to communicate with the outside world since last Friday, she said.

APTs of the sort described by Mason are highly targeted, low intensity attacks designed to conduct espionage and to steal information from high-value targets. The attacks, many of which are believed to originate in China, were initially targeted at U.S. Air Force and government networks.

Over the last 18 months or so, a growing number of private companies have reported being victims of APTs as well. The most notable was Google, which last year accused China of launching APT attacks against it to steal its IP.

More recently, security vendor RSA claimed that it was the victim of an APT attack after intruders broke into its networks and stole data on its SecurID two-factor authentication technology.

Oak Ridge National Laboratory's status as a Department of Energy funded lab, and the work it is doing especially in the area of supercomputers, makes it a prime target for an APT attack, if that indeed is what happened at the lab, said Rich Mogull, an analyst with Securosis.

The breach described by ORNL certainly appears to fit the classic mold of an APT attack, in which attackers first try to compromise systems using highly targeted phishing mails and then drop zero-day malware to snoop on and steal data, Mogull said.

But until more details are released it is hard to know for sure, other analysts said.

"The term 'Advanced Persistent Threat' is definitely being overhyped and used as an excuse way too often, as in 'Well, it wasn't really our fault, it was an Advanced Persistent Threat'," said John Pescatore, an analyst at Gartner. "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."

Pete Lindstrom, an analyst with Spire Security, said the term APT is often used these days as a face-saving measure. "The definition of APT is so sufficiently muddled that anyone can claim APT and be right in some sense and wrong in another," he said. "The proof is in the defenses that could have prevented it -- if they are fundamental security measures then the notion of APT has no meaning."

This is the second time that Oak Ridge has fallen victim to a phishing attack. In 2007, hackers gained access to a non-classified database after infecting internal systems via phishing emails.

That compromise resulted in the personal data, including Social Security numbers, of visitors to the laboratory being compromised.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
