A top United States federal lab was the victim of a "silent" cyberattack earlier this month, news outlets are reporting.
The Oak Ridge National Laboratory in Tennessee was the victim, according to Nextgov.com. The lab is an Energy Department laboratory that studies nuclear fusion, supercomputing, and other areas. Ironically, "one of the core competencies of the lab is cybersecurity research," according to a quote on Wired. The attack prompted a shutdown of e-mail and Internet access at the facility.
The kind of attack used to break into Oak Ridge's network is known as an advanced persistent threat, or APT. Nextgov describes it thus: "APTs typically infiltrate a target by e-mailing its employees messages purportedly from legitimate associates that ask the employee to submit personal information, such as passwords, and then harvest this information to access the systems they are after. Once inside the network, the perpetrators often try to extract data -- perhaps proprietary designs or classified information."
Wired provides more details of the attack:
According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.
The attackers cast their net wide in the company, but hooked only two computers in the phishing scheme, Zacharia said. About 530 employees received the e-mail — out of about 5,000 workers — but only 57 people clicked on the malicious link in the correspondence. Out of this, only two machines got infected with the malware.
The lab began to block the malicious emails soon after they began coming in, but it was already too late. On April 11, administrators discovered a server had been breached when data began leaving the network. Workers cleaned up the infected system, but early Friday evening “a number of other servers suddenly [went] active with the malware,” Zacharia said. The malware had apparently lain dormant for a week before it awoke on those systems. That’s when the lab blocked internet access.
Zacharia said the malware “masked itself” on systems and was designed to erase itself if it tried to compromise a system and was unsuccessful.
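The account above has two defender-side threads worth making concrete: reconstructing the phishing funnel (how many received the lure, how many clicked, which machines were involved) and spotting the breach from data leaving the network. The following is an added illustration, not code from the lab, Wired or Nextgov; the log formats, host names, the lure domain `example-lure.test`, and the spike thresholds are all constructed for the example and are not details from the incident.

```python
"""Incident triage over mail-gateway, web-proxy and outbound-flow logs.

Two steps: (1) rebuild the phishing funnel from who received the lure and
who then fetched the lure URL; (2) flag hosts whose daily outbound volume
spikes far above their own baseline, the signal that exposed the breach
in the account above. All log data here is constructed for illustration.
"""
import csv
import io
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed mail-gateway log: timestamp,sender,recipient,subject
MAIL_LOG = """\
2011-04-07T08:01:00,hr-benefits@example-lure.test,alice@lab.example,Updated benefits information
2011-04-07T08:01:01,hr-benefits@example-lure.test,bob@lab.example,Updated benefits information
2011-04-07T08:01:02,hr-benefits@example-lure.test,carol@lab.example,Updated benefits information
2011-04-07T08:01:03,hr-benefits@example-lure.test,dave@lab.example,Updated benefits information
2011-04-07T09:30:00,payroll@lab.example,alice@lab.example,April payslip
"""

# Constructed web-proxy log: timestamp,user,workstation,url
PROXY_LOG = """\
2011-04-07T08:05:12,alice,ws-0101,http://example-lure.test/benefits/2011
2011-04-07T08:07:40,bob,ws-0102,http://example-lure.test/benefits/2011
2011-04-07T08:09:03,carol,ws-0103,http://intranet.lab.example/home
2011-04-07T08:12:55,dave,ws-0104,http://news.example.org/
"""

# Constructed daily outbound byte totals per host: date,host,bytes_out
FLOW_LOG = """\
2011-04-04,ws-0101,18000000
2011-04-05,ws-0101,22000000
2011-04-06,ws-0101,19500000
2011-04-07,ws-0101,21000000
2011-04-11,ws-0101,23000000
2011-04-04,ws-0102,15000000
2011-04-05,ws-0102,16500000
2011-04-06,ws-0102,14000000
2011-04-07,ws-0102,17000000
2011-04-11,ws-0102,25000000
2011-04-04,srv-0042,30000000
2011-04-05,srv-0042,28000000
2011-04-06,srv-0042,31000000
2011-04-07,srv-0042,29000000
2011-04-11,srv-0042,1200000000
"""

# Days known to predate the lure; used as each host's "normal" traffic.
BASELINE_DAYS = {"2011-04-04", "2011-04-05", "2011-04-06", "2011-04-07"}


def phishing_funnel(mail_log, proxy_log, lure_sender_domain, lure_host):
    """Return who received the lure and which recipients fetched the lure URL."""
    recipients = set()
    for _ts, sender, rcpt, _subject in csv.reader(io.StringIO(mail_log)):
        if sender.rsplit("@", 1)[-1].lower() == lure_sender_domain:
            recipients.add(rcpt.split("@", 1)[0])
    clickers = {}  # user -> workstation that made the request
    for _ts, user, host, url in csv.reader(io.StringIO(proxy_log)):
        if user in recipients and urlparse(url).hostname == lure_host:
            clickers[user] = host
    return {"recipients": sorted(recipients), "clickers": clickers}


def flag_outbound_spikes(flow_log, baseline_days, factor=5.0, min_bytes=50_000_000):
    """Flag (date, host, bytes, baseline_median) where outbound volume on a
    non-baseline day exceeds `factor` times the host's baseline median and
    an absolute floor, so a quiet host's small jitter is not reported."""
    per_host = defaultdict(dict)
    for date, host, nbytes in csv.reader(io.StringIO(flow_log)):
        per_host[host][date] = int(nbytes)
    alerts = []
    for host, days in per_host.items():
        baseline = [b for d, b in days.items() if d in baseline_days]
        if len(baseline) < 3:  # not enough history to judge this host
            continue
        median = statistics.median(baseline)
        for date, nbytes in sorted(days.items()):
            if date in baseline_days:
                continue
            if nbytes >= min_bytes and nbytes > factor * max(median, 1):
                alerts.append((date, host, nbytes, median))
    return alerts


if __name__ == "__main__":
    funnel = phishing_funnel(MAIL_LOG, PROXY_LOG, "example-lure.test", "example-lure.test")
    print(f"lure recipients: {len(funnel['recipients'])}, clicked: {len(funnel['clickers'])}")
    for user, ws in funnel["clickers"].items():
        print(f"  {user} fetched the lure from {ws}; pull that host for analysis")
    for date, host, nbytes, median in flag_outbound_spikes(FLOW_LOG, BASELINE_DAYS):
        print(f"outbound spike {date} {host}: {nbytes} bytes vs baseline median {median:.0f}")
```

The funnel numbers the article reports (530 recipients, 57 clicks, two infections) are exactly what the first function produces on real gateway and proxy data; the second function reflects the detection that actually worked here, an outbound-volume anomaly, and a per-host baseline is what lets a server that normally sends tens of megabytes a day stand out when it suddenly sends gigabytes.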