http://gcn.com/Articles/2011/04/25/Oak- ... spx?Page=2
Oak Ridge still without Internet access due to malware attack
Apr 25, 2011
Internet access to the Energy Department’s Oak Ridge National Laboratory remains shut down for a second week as technicians work to identify, isolate and clean up malicious code delivered to the lab’s network through a successful spear phishing attack.
“We hope to get Internet back by the end of the week,” said Barbara H. Penland, the lab’s deputy director of communications.
Penland said the lab was the target of a phishing attack that began on April 7, and both e-mail and Internet access were shut down April 15 as a result of the infection. E-mail was restored on April 19 and the lab initially hoped to have Internet access back by the end of last week, but cleanup work remains ongoing at the Tennessee lab.
“We’re being cautious, since the whole purpose of the malware is to exfiltrate data,” Penland said. “We want to be completely sure before we get the Internet back up that it has been completely eradicated.”
The malicious code is being described as “very sophisticated,” but little more has been said about it so far. “Our technical people have learned quite a bit about it and how it works, but they are not sharing the details,” Penland said. “We hope to have more information by the end of the week.”
Oak Ridge is managed for the Energy Department by the University of Tennessee and Battelle LLC, and conducts basic and applied research in clean energy and other areas. It also is home to Jaguar, a recently upgraded Cray XT5-based supercomputer rated one of the fastest in the world.
More than 500 phishing e-mails were received at lab addresses earlier this month that appeared to have originated from the benefits department. When several people clicked on a malicious link for more information, a computer with access to the internal network allowed an infection.
The attack began one day after the Homeland Security Department’s US-CERT issued an advisory warning against targeted phishing attacks, and Penland confirmed that a number of other Energy labs and agencies had been targeted by similar attacks.
The lab’s public Web site at www.ornl.gov has remained online throughout the incident because that domain is not on the infected network. But, “not all of our sites are up,” Penland said.
“We are still able to function fairly well,” internally, she said, but workers who need access to the Internet have to work from outside the lab. Remote access to the Oak Ridge network also remains down, and outside workers and contractors still do not have access to the laboratory’s resources.
DOE's Oak Ridge lab hit by malware
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
DOE's Oak Ridge lab hit by malware
Funny that we haven't heard about this on the news...
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
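As an added illustration of the campaign pattern the article above describes (hundreds of mails that appeared to come from the benefits department, each carrying a link), here is triage logic that is not from the GCN article or from any poster in this thread. It parses constructed sample messages, believes only the Received line written by the organisation's own relay, flags mail whose From claims the lab's domain but which entered from an external host or links to an external host, and groups hits by subject and link host to surface a campaign. The domain example-lab.gov, the relay names, the addresses and all four messages are hypothetical.

```python
"""Spoofed-internal-sender phishing triage over constructed mail samples.

Added example; not code from the GCN article or the forum posts. The domain
example-lab.gov, the relay names, the IP addresses and every message below
are hypothetical, built to mirror the pattern the article describes: mail
that claims to come from an internal benefits office but arrives from
outside and links to an external host.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-lab.gov"                                   # assumption: the lab's mail domain
TRUSTED_RELAYS = {"mx1.example-lab.gov", "mx2.example-lab.gov"}  # assumption: relays whose Received lines we trust
CAMPAIGN_THRESHOLD = 3                                           # messages sharing subject + link host

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(host: str) -> bool:
    """Exact or subdomain match only; 'evil-example-lab.gov' must not pass."""
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def origin_host(msg) -> str:
    """Host that handed the message to one of our relays, as recorded by that relay.

    Only the Received line written by a trusted relay is believed; anything the
    sender added below it is attacker-controlled and ignored.
    """
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(hdr)
        if m and m.group(2).lower() in TRUSTED_RELAYS:
            return m.group(1).lower()
    return ""


def analyze(raw: str) -> dict:
    """Parse one raw message and return the reasons (if any) it looks like spear phishing."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    origin = origin_host(msg)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    link_hosts = sorted({h.lower() for h in URL_RE.findall(body)})
    external_links = [h for h in link_hosts if not is_internal(h)]

    reasons = []
    if from_dom == ORG_DOMAIN and origin and not is_internal(origin):
        reasons.append(f"claims {ORG_DOMAIN} sender but entered via external host {origin}")
    if from_dom == ORG_DOMAIN and external_links:
        reasons.append("internal-looking sender links to external host(s): " + ", ".join(external_links))
    return {"from": from_addr, "to": msg.get("To", ""), "subject": msg.get("Subject", "").strip(),
            "origin": origin, "link_hosts": link_hosts, "reasons": reasons}


def find_campaigns(results, threshold=CAMPAIGN_THRESHOLD):
    """Group messages by (subject, link host); a group at or above the threshold is a campaign."""
    groups = defaultdict(list)
    for r in results:
        for host in r["link_hosts"]:
            groups[(r["subject"].lower(), host)].append(r["to"])
    return {key: rcpts for key, rcpts in groups.items() if len(rcpts) >= threshold}


def make_sample(to, subject, from_hdr, origin, link):
    """Constructed message: the sender's hop as our relay recorded it, then an internal hop."""
    return (
        "Received: from mx1.example-lab.gov by mailstore.example-lab.gov with ESMTP; Thu, 7 Apr 2011 09:12:05 -0400\n"
        f"Received: from {origin} by mx1.example-lab.gov with ESMTP; Thu, 7 Apr 2011 09:12:00 -0400\n"
        f"From: {from_hdr}\nTo: {to}\nSubject: {subject}\nContent-Type: text/plain\n\n"
        f"Please review the change to your benefits: {link}\n"
    )


SAMPLES = [  # constructed: three look-alike benefits mails plus one genuine internal notice
    make_sample(f"user{i}@example-lab.gov", "Benefits enrollment update",
                "Benefits Office <benefits@example-lab.gov>",
                "mail.benefits-portal-update.example (203.0.113.7)",
                "http://benefits-portal-update.example/info?emp=1234")
    for i in range(1, 4)
] + [
    make_sample("user4@example-lab.gov", "Open enrollment reminder", "HR <hr@example-lab.gov>",
                "smtp-int.example-lab.gov (10.0.0.5)", "https://intranet.example-lab.gov/benefits"),
]


def triage(samples=SAMPLES):
    """Return (flagged messages, detected campaigns) for a batch of raw messages."""
    results = [analyze(s) for s in samples]
    flagged = [r for r in results if r["reasons"]]
    return flagged, find_campaigns(results)


if __name__ == "__main__":
    flagged, campaigns = triage()
    for r in flagged:
        print(f"FLAG {r['to']} <- {r['from']}: " + "; ".join(r["reasons"]))
    for (subject, host), rcpts in campaigns.items():
        print(f"CAMPAIGN '{subject}' via {host}: {len(rcpts)} recipients")
```

Two design points: the check deliberately reads only the Received line that the trusted relay itself wrote, because every header below it was supplied by the sender; and the domain match is exact-or-subdomain rather than a bare suffix test, so a look-alike such as notexample-lab.gov is not treated as internal. In a production gateway the same decision is normally taken from the sender-authentication results the gateway already computes rather than by re-parsing Received lines; what this shows is the shape of the check and the campaign count that turns three individual hits into one incident.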
- Sabre
- DCAWD Founding Member
- Posts: 21432
- Joined: Wed Aug 11, 2004 8:00 pm
- Location: Springfield, VA
- Contact:
Re: DOE's Oak Ridge lab hit by malware
As is pretty much always the case, people are the weakest link in security.

Sabre (Julian)

92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.

- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
- Contact:
Re: DOE's Oak Ridge lab hit by malware
i wouldn't be surprised in the least to see many more sites disconnecting from the commercial internet. users are too big a vulnerability.
i can patch against anything except stupid.

colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: DOE's Oak Ridge lab hit by malware
the comment about "spear phishing" leads me to believe it was top level mgmt.
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
- Contact:
Re: DOE's Oak Ridge lab hit by malware
PGT wrote: the comment about "spear phishing" leads me to believe it was top level mgmt.

i have no doubt. my original statement still stands.
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- Sabre
- DCAWD Founding Member
- Posts: 21432
- Joined: Wed Aug 11, 2004 8:00 pm
- Location: Springfield, VA
- Contact:
Re: DOE's Oak Ridge lab hit by malware
PGT wrote: the comment about "spear phishing" leads me to believe it was top level mgmt.

90% of a big (think 80k people) company's data leaks/spills happen by the top 10% of management for that company. Not made up numbers sadly.
Sabre (Julian)

92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.

- PGT
- DCAWD Groupie
- Posts: 1578
- Joined: Mon Jun 04, 2007 11:06 am
- Location: Loudoun
Re: DOE's Oak Ridge lab hit by malware
most federal security types think IDS and dual factor auth are an adequate security posture on their system. 

2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
- Sabre
- DCAWD Founding Member
- Posts: 21432
- Joined: Wed Aug 11, 2004 8:00 pm
- Location: Springfield, VA
- Contact:
Re: DOE's Oak Ridge lab hit by malware


What makes it funny is that NONE of the above is infallible. IDSs are easily bypassed, and two-factor authentication (if it's based on something like SecurID) has been broken.
Sabre (Julian)

92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
