DOE Lab Shuts Down Web Access After Cyber-Attack

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.,

Cyber-attackers hit a US Department of Energy research lab last week, forcing a shut down of external links

Essential computer services remain offline nearly a week after cyber-attackers hit a US Department of Energy laboratory in the state of Washington.

The Energy Department’s Pacific Northwest National Laboratory in Richland, Washington, shut down Internet access and email services following a sophisticated cyber-attack, according to a July 5 post on the facility’s Twitter account. Officials became aware of the cyber-attack on July 1, Greg Koller, the lab’s spokesperson, told the Associated Press.

Officials shut down most of the computer services for employees, including email, SharePoint, wireless network and Internet access, immediately after discovering the breach while the IT staff worked through the holiday weekend to restore services. The lab also blocked all external attempts to reach the Website and blocked all incoming email requests.

“Full access will be restored once we can repel further attacks,” according to the Twitter post.

‘System Maintenance’ Shutdown

As of July 6, email and the laboratory Website remained inaccessible. The Website displayed a message that it was undergoing system maintenance. Internal email was apparently restored July 5, according to local CBS affiliate KEPR. Full access is not expected to be restored until the end of the week.

Koller could not immediately be reached for additional details on the incident. A pre-recorded message on his voicemail described the incident as a “sophisticated cyber-attack” against the laboratory.

The attack on PNNL appears to be part of a larger attack occurring around the same time that included another national laboratory in Virginia and the Ohio headquarters of Battelle Memorial Institute, which operates PNNL, KEPR reported. It does not appear as if any classified information was compromised at this time, although the cyber-security team is still investigating.

The PNNL breach is just the latest in a string of attacks targeting government agencies and contractors. The Oak Ridge National Laboratory in Tennessee shut down its email systems and Internet access on April 15 after a spear-phishing attack. When two employees clicked on a link in a malicious email, they were directed to a Website that exploited a remote code execution vulnerability in Internet Explorer, which Microsoft had patched days earlier in its Patch Tuesday update. The Oak Ridge attackers were after sensitive information, Lab officials had said at the time.

Shortly after the Oak Ridge breach, other national labs and government agencies reported an increase in phishing attacks trying to compromise their systems.

Spear-Phishing Target

The latest round of attacks on national laboratories caught the attention of Rafal Los, enterprise security evangelist for HP Software. While there is not a lot of information regarding the attacks themselves, it is clear attackers entered the network and some data was breached or stolen, Los wrote on his blog. The fact that email and Internet services were shut down seem suggestive of the fact that PNNL was hit by a spear-phishing attack similar to what happened at Oak Ridge.

Los said the attacks are most likely targeting Energy Sciences Network (ESnet), a high-speed, high-resiliency network that interconnects major Department of Energy laboratories including Oak Ridge, PNNL, FermiLab and the Y12 National Security Complex.

“It’s not too far of a stretch to think that the attackers, whomever they are, are likely after something within the DOE network – something probably classified,” Los said. Attackers were after credentials and network access and it is likely they have managed to harvest some through these attacks, Los speculated, noting that attackers used SQL injection to obtain several login credentials from a Y12 National Security Website in June.

PNNL easily fends off four million cyber-attacks a day, most of which are simple to detect and defend against, but this attack was more serious than usual, Koller told local AM radio station KONA.

“These are well funded, very persistent individuals looking for intellectual property or national security secrets and so they’re very dedicated to trying to attack,” Jerry Johnson, PNNL’s chief information officer, told KEPRTV.

PNNL is a research and development facility working in areas of nuclear science, information analysis and cyber-security.