The Tennessee-based lab, which receives funds from the U.S. Department of Energy to conduct research in nuclear energy for national security purposes, was breached after nearly 60 employees clicked on a malicious link contained in emails promising information about their benefits package.
As a result, malware exploiting an Internet Explorer (IE) zero-day vulnerability made its way onto two machines. Microsoft has since patched the flaw.
The attack – which a lab director described as an advanced persistent threat (APT) – was detected almost immediately, Barbara Penland, a lab spokeswoman, told SCMagazineUS.com on Thursday.
Network tools detected and monitored the malware, and when it activated, it was blocked from accessing the internet and external email, she said.
"We still had internal email because we knew the malware was searching for and exfiltrating technical information, so we shut the door," Penland said.
As much as one gigabyte of data was siphoned, but it was encrypted, she said.
Security experts at the lab believe this was a cyberespionage attack because of the sophistication of the malware used, the technical information it sought to capture and the use of an unpatched vulnerability.
“This is just the tip of the iceberg.”
–Harry Sverdlove, CTO at Bit9
The lab remains disconnected from the web and likely won't be operational until next week, Penland said. The IT staff has been busy scanning portable devices, such as thumb drives, as part of the cleanup process, she said.
Some employees needing internet access are working from home and they are using fax machines and telephones more than usual.
"We're making due," she said.
The breach appears similar to an attack that recently infected security firm RSA's network. In that attack, phishing emails were used to dupe employees into downloading data-stealing malware. In that case, though, the bait was an Excel spreadsheet attachment disguising an Adobe Flash zero-day vulnerability.
"We are seeing a large increase in spear phishing attacks," Harry Sverdlove, CTO at Waltham, Mass.-based Bit9, a vendor of endpoint protection solutions, told SCMagazineUS.com on Thursday.
The culprits, who are likely state-sponsored, are obtaining high click-through rates of more than 10 percent, he said.
"They are doing research, finding out how to customize their attacks and essentially walking in through the front door," Sverdlove said.The source of the Oak Ridge attack is unknown, Penland said.
"This is not a high school kid trying to break in for fun," she said, adding that other national laboratories and government organizations were targeted at the same time.
ORNL was hit by a similar attack in 2007.
Penland said the lab's defenses typically are successful at stopping attacks.
A 20-petaflop [a thousand trillion operations per second] supercomputer, which will be the world's largest when it is completed, is housed at the lab. It was untouched by the attack.
Photo courtesy of Oak Ridge National Laboratory