A targeted assault of phishing emails opened the door for hackers to glean the sensitive information of up to 12,000 visitors to the Oak Ridge National Laboratory, officials said Thursday.
But it appears the attackers' goals were actually much loftier.
According to a message from lab director Thom Mason to the organization's 4,200 employees, the recent attack on the Knoxville, Tenn.-based Oak Ridge was "part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."
Peter Cassidy, secretary general of the Anti-Phishing Working Group, told SCMagazine.com today that his group has witnessed a dramatic rise in socially engineered phishing and crimeware attacks intended to steal trade secrets. Labs such as Oak Ridge, which conducts research for the Department of Energy in the areas of science, the environment and national security, are no exception.
"If they have specific questions about the research that Americans are organizing in those labs, it's kind of useful information," he said. "It allows them to respond with their own technology and to build on the ideas that are intercepted from their mining of the data through phishing attacks."
What these cybercriminals ended up stealing were the names, Social Security numbers and birth dates of every person who visited the lab from 1990 to 2004, Mason said. So far, there is no evidence any of the data has been used to conduct fraud.
The attackers delivered about 1,100 legitimate-looking emails to staff that tried to dupe them into opening a malicious attachment, Mason said. The bogus messages included one that notified the recipient about a complaint on behalf of the Federal Trade Commission; another announced an upcoming scientific conference.
Eleven employees clicked on the attachments, enabling "the hackers to infiltrate the system and remove data," Mason wrote.
That works out to a 0.1 percent success rate, Ken Dunham, director of global response for iSight Partners, a risk mitigation and mitigation company, told SCMagazineUS.com today.
"It takes only one – not even 11 – to compromise a network," he said. "It's clear that there were ongoing, multiple attempts here."
He said social engineering is the "cornerstone" of a successful phishing attack.
"Today it is very hard to tell truth from lie," Dunham said. "They are very legitimate appearing and they are very customized. These are personalized for you. It's your own Hallmark custom scam, just for you."
Mason said in his message to employees that they should never click on email attachments or links that appear in messages coming from unknown or untrusted parties.
"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cybersecurity issues," Mason wrote.
Dunham said organizations must also build strong access control policies, which includes restricting the privileges of certain employees. So even if that person's machine were to be infected, the remote attacker could not launch the malicious code.
"If you can't do installs, you can't do installs," he said. "It doesn't matter if you're a virus or not."
Ted Julian, vice president of marketing and strategy at AppSecInc, a database security firm, said the lab breach highlights the ineffectiveness of protecting the entryways into an organization.
"As a result, companies need to focus on securing the valuable data directly," he said, adding that this includes assessing where it lies, performing vulnerability scans and applying encryption. "The notion of continuing to defend perimeters alone, it's just obviously not working."
Mason said the investigation promises to take weeks to complete.
"Each year the laboratory is forced to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network," he wrote.
