Second DOE lab is likely victim of spear-phishing attack

Pacific Northwest National Laboratory has yet to restore email, Internet service five days after attack.

The Department of Energy's Pacific Northwest National Laboratory (PNNL) is working on restoring Internet connectivity and email services after being hit by a "sophisticated cyberattack" five days ago.

It is not immediately clear if the attack resulted in any data being stolen or compromised. A lab spokesman did not immediately respond to a request for comment, but a message on the spokesman's voicemail noted that Internet and email services were down because of a sophisticated attack.

PNNL, which is funded by the Energy Department and managed by Battelle, conducts research in areas such as information security, nuclear non-proliferation and counterterrorism. As of Wednesday afternoon, PNNL's main website at www.pnnl.gov was unreachable. An error message noted the site was down due to "system maintenance."

According to several media reports, PNNL, based in Richland, Wash., discovered the attack July 1 and moved immediately to suspend email services and to disconnect itself from the Internet.

Those actions suggest that PNNL was likely a victim of a spear-phishing attack in the same manner that the Oak Ridge National Laboratory (ORNL) in Tennessee was a few weeks ago, said Anup Ghosh, founder and chief scientist of security vendor Invincea.

Oak Ridge, which is also a DOE lab, took identical measures after discovering someone attempting to pilfer data out of its networks in April. According to the laboratory, the breach resulted when some employees clicked on a malicious link in a spear-phishing email message.

The email message, which appeared to have originated from ORNL's human resources group, infected a handful of computers with a sophisticated data-stealing Trojan. The malware exploited an unpatched flaw in Microsoft's Internet Explorer software and was designed to search for and steal technical information from Oak Ridge.

Though PNNL has not said how it was attacked, chances are that it too was felled by spear-phishing, Ghosh said.

Spear-phishing attacks involve the use of emails that are personalized, localized and designed to appear as though they originated from someone the recipient knows and trusts. The emails look authentic and are typically targeted at high-level executives or employees with privileged access to corporate systems and data.

Despite heightened awareness and better employee training, about 5% to 20% of spear-phishing emails still get opened, Ghosh said. Often, all it takes for the attackers to succeed is one compromised desktop, he said.

"What they are after is not that user machine. They simply use it as a beachhead from which to move inside the network," he said. Once inside a network, attackers usually are able to move with the level of access that the compromised user has. "There tend not to be any barriers," Ghosh said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
