Spear Phishing in Tennessee

Looking at the evolution of cyber attacks over the years, beginning with the “Morris” Internet worm in 1988, and up to the present, one thing that stands out is the increase in the professionalism of the attacks. By this, I don’t mean the technical sophistication of the attacks — though that has grown, too — but rather the overall effectiveness of the operation. Early attacks were often carried out as a sort of intellectual exercise (as the Morris worm seemingly was), or as pranks by socially- and hygienically-challenged adolescents. Today, many attacks are part of organized criminal enterprises (to steal credit card numbers, for example), or are at least suspected of being mounted by governments. More than ever, there is an “arms race” between the attackers and the security people charged with protecting systems.

Even highly sophisticated target organizations have been successfully attacked. According to a post on the “Threat Level” blog at Wired, the latest victim of a targeted attack was the Oak Ridge National Laboratory [ORNL], in Tennessee.

The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

The attack was an instance of “spear phishing”. Phishing is a general term for attacks that attempt, often via E-mail, to elicit personal information (e.g., credit card numbers, bank account details, or passwords) from users under false colors. Spear phishing is used to describe attacks that are targeted at particular individuals or groups (often, employees of a given organization). The ORNL attack was a fairly standard example.

According to [Thomas] Zacharia [deputy director of ORNL], the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.

The IE vulnerability used was patched by Microsoft on April 12 [MS11-018]; this incidentally highlights that today’s attackers typically need only a short window of opportunity to mount a successful attack. The E-mail message was sent to slightly more than 10% of the lab’s ~5,000 staff, and only 57 clicked on the link, but that was enough for the malware payload to install itself and gain a foothold on ORNL’s network.
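As an added defender-side illustration (not part of the original post, and not ORNL's or Wired's code), the following Python check flags mail of the kind described above: a display name borrowing an internal department such as Human Resources while the sender address or an embedded link points outside the organization's own domain. The organization domain, the department list and the sample messages are assumed placeholders constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation mail domain: a placeholder, not the lab's real domain.
ORG_DOMAIN = "example.org"
# Department names a lure might borrow for its display name (assumed list).
INTERNAL_DEPARTMENTS = ("human resources", "hr department", "benefits office")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_internal_host(host: str) -> bool:
    """True when host is the organisation's domain or one of its subdomains."""
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def flag_department_lure(raw_message: str) -> list[str]:
    """Reasons a plain-text message looks like a department-impersonating lure.
    An empty list means nothing was flagged; multipart mail is not handled here."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    if not any(d in display_name.lower() for d in INTERNAL_DEPARTMENTS):
        return []  # not posing as internal staff: outside this rule's scope
    reasons = []
    if not is_internal_host(sender_host):
        reasons.append(f"'{display_name}' claims an internal department but the "
                       f"sender domain is '{sender_host}'")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_internal_host(host):
            reasons.append(f"link to external host '{host}' in mail posing as '{display_name}'")
    return reasons


# Constructed sample lure (the actual ORNL message was not published).
LURE = """From: "Human Resources" <benefits@hr-notices.example>
To: staff@example.org
Subject: Updated employee benefits

Please review the new plan at http://hr-notices.example/benefits before Friday.
"""
# Constructed legitimate counterpart: same display name, internal sender and link.
LEGITIMATE = ('From: "Human Resources" <hr@example.org>\nTo: staff@example.org\n'
              'Subject: Updated employee benefits\n\n'
              'The summary is on the intranet: https://intranet.example.org/benefits\n')
```

Calling `flag_department_lure(LURE)` yields two reasons (external sender domain and external link), while `flag_department_lure(LEGITIMATE)` yields none; a message that does not claim to be an internal department is left alone, so the rule does not fire on ordinary external mail.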

The lab says that only a “few megabytes” of data were successfully extracted by the attackers; however, the incident is undoubtedly embarrassing, given that cyber security is one of the lab’s specialties.

The lab’s science and technology research includes work on nuclear nonproliferation and isotope production. The lab, ironically, also does cybersecurity research focusing on, among other things, researching malware and vulnerabilities in software and hardware as well as phishing attacks.

The incident is still being investigated.
