DOE Lab Hacked

No classified information was lost but the personal information of visitors may have been stolen from the Oak Ridge National Laboratory.

By Thomas Claburn InformationWeek December 7, 2007 03:48 PM

Oak Ridge National Laboratory, a U.S. Department of Energy facility, said on Thursday that its computer network had been comprised by a spear-phishing attack.

"A hacker illegally gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications," ORNL said in a statement. "When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory."

ORNL said that no classified information was lost but that the personal information of visitors may have been stolen. Visitors to the laboratory between 1990 and 2004 may have had their personal information, such as Social Security number and date of birth, stolen as a result of the data theft.

The breach occurred on Oct. 29, 2007. ORNL said there's no evidence that the stolen information has been used for identity theft fraud, but nonetheless recommended that anyone who visited the lab between 1990 and 2004 place a fraud alert on their credit file.
A spokesperson for ORNL wasn't immediately available.

Spear-phishing -- sending e-mail messages that appear to come from a business or associate with whom the recipient has a relationship in order to dupe the recipient into clicking on a link to a malicious site or content -- is a major concern for the government because it has proven to be an effective means of cyberespionage. It works because it relies on human gullibility to bypass perimeter-based security measures.

More than 90% of the serious breaches in which sensitive information is taken from government agencies involve spear phishing, according to Alan Paller, research director for the SANS Institute. In a phone interview prior to the release of the SANS Top 20 Internet Security Risks of 2007, Paller spoke of a chief information security officer of a federal agency who discovered that his computer was sending information to China. The official had been the target of spear phishing. "Even the people who are responsible for security aren't secure," said Paller.

According to a report released earlier this week by the Anti-Phishing Working Group, the number of password-stealing Trojan keyloggers detected rose for the fourth month in a row in August, for a total of 294 unique variants. The working group also said that the number of unique phishing reports submitted to the group in August was 25,624, an increase from the 2,500 reports in July.

Last year, InformationWeek published a report about the prevalence of compromised computers (bots) at government agencies and laboratories. Data provided by Trend Micro suggested that thousands of bots were operating from within government organizations and affiliated entities.