Oak Ridge National Lab shuts down Internet, email after cyberattack

DOE laboratory says it was victim of an Advanced Persistent Threat designed to steal technical data

The Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers , has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.

The restrictions on Internet access will remain in place until those investigating the attack know for sure that it has been completely contained, said Barbara Penland, ORNL's director of communications.

The lab is expected to restore external email service sometime on Wednesday, however no attachments will be allowed for the time being.

Penland said several other national laboratories and government organizations were targeted in the same attacks, which appear to have been launched earlier this month.

The measures at Oak Ridge were implemented late on Friday night after initial investigations showed that those behind the attacks were attempting to steal technical data from lab's systems and send it to an external system, Penland said.

So far, though, it appears that no significant amount of data has been stolen. Penland said investigators believe that whoever was behind the attacks managed to steal less than 1GB of data.

Penland said that there is nothing to show yet where the attacks originated from, or who might have been behind them.

The attacks were launched through phishing emails that were sent to about 573 lab employees. The emails were disguised to appear like it came from the lab's HR department and purported to inform employees of some benefits related changes.

The emails contained a link that employees were asked to click on for further information.

Some employees appear to have clicked on the link resulting in an information-stealing malware program being downloaded on their systems.

Penland did not offer any more details on the malware itself. But a story in Knoxnews.com quoted ORNL director Thom Mason as saying the malware program exploited a zero-day vulnerability in Internet Explorer.

The story quoted Mason as describing the attack as a sophisticated Advanced Persistent Threat (APT), designed to gain a foothold on the lab's networks and then to quietly look for and steal specific types of information.

"If you look at this APT, it is much more sophisticated than what was being used a few years ago," Mason told Knoxnews.com. "Certainly what we've seen is very consistent with the RSA attack," he said referring to an attack on RSA a few weeks ago that resulted in data relating to the company's SecurID two-factor authentication technology being stolen.

Almost all of the lab's 200 IT staff are currently engaged in either investigating the attacks or ensuring that other systems remain available, Penland said. Staff from other national laboratories, are also helping in the investigations, she said. At the moment, the attacks are the subject of an IT investigation only and not a criminal one.

Penland said that the attacks appear to have been directed at Oak Ridge's business systems. The lab's supercomputers, including the world's most powerful system, the 1.75-petaflop Jaguar, have been unaffected by the attacks and continue to operate normally.

As of this afternoon, the attacks appear to have been contained, she added. "Keeping the Internet down is a precaution to make sure that nothing gets out as we investigate further."

1 2 Page
Join the discussion
Be the first to comment on this article. Our Commenting Policies