What We Can Learn from the Oak Ridge Attack
Written by Jeff Orloff on April 25, 2011
While the Oak Ridge National Laboratory may be best known for its role in the Manhattan Project, recent cyber attacks have brought the Department of Energy's research center back into the news. According to Barbara Penland, a spokesperson for the lab, Internet service and access to external email were shut down by the lab itself as a precaution to protect the network's sensitive data after a spear phishing attack launched against the lab on April 7th.
The attack targeted lab employees with a message disguised as coming from the Human Resources Department; the message contained a link that exploited a vulnerability in Internet Explorer. Microsoft says this vulnerability was fixed on April 12th, one day after Oak Ridge noticed the attack against it.
“We ended up with an excess of 570 of those emails coming in to different people and we had some folks who clicked on the email,” Penland stated. “One or two of them managed to get through into the system.”
After tracking the attack for a week, the IT department at Oak Ridge decided that the best course of action was to shut down access. Fortunately, the attack did not reach any of the lab's classified networks, which are not connected to the public Internet.
Penland stated that Internet service should be restored early this week. Email access is once again up; however, attachments have been blocked for the time being.
What this means for Email Administrators
The Oak Ridge lab is obviously a huge target: it houses some of the United States' most sensitive research in nuclear energy and biological systems, as well as a great deal of research for the military and the Department of Homeland Security. Aside from being such a lucrative target, it is also thought to be one of the most secure facilities there is.
What this recent attack, actually the second major attack against the lab in the last five years, shows us is that the security of our email systems cannot be taken for granted. Oftentimes, those responsible for email at small to medium sized organizations have a "set it and forget it" attitude towards security. With limited budgets, limited staff and requirements that are more critical to the business plan, smaller companies simply don't have the staff, time or money to fight the threat of cybercrime. The belief that a solid anti-virus solution and a firewall will adequately protect an organization is far too common.
When it comes to email, administrators are faced with a growing number of threats that come from:
- Botnets delivering SPAM
- Phishing attacks against employees
- Blended threats using malicious links
- Social engineering attacks like the one at Oak Ridge
- Outbound spam being sent from your network
The problem with these attacks is that a traditional firewall does little to address most of them, and unless the attack uses malware with a known signature, anti-virus protection won't identify it until it is too late. The Oak Ridge attack is a good illustration: the link exploited an Internet Explorer vulnerability that had no patch when the messages arrived, so the message itself, not the payload, is what had to be caught.
To offer the best defense against email-borne threats, a comprehensive solution needs to be put in place that filters spam and malware while keeping false positives low. Email administrators also need to look to solutions that help educate users about the phishing and spear phishing attacks that co-workers commonly fall victim to.
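As an added example, not code from the original article or from Oak Ridge, the following Python script checks an inbound message for the three things the HR-lure pattern above exposes in the message itself: a From header that claims the organization's own domain while Return-Path or Reply-To points elsewhere, a link whose visible text names one host while its href points to another, and HR/urgency lure wording. The organization domain `example-lab.gov`, the external host `mail-relay.example` and both sample messages are constructed for illustration and are not the lab's real domain or the real phishing message.

```python
# Added example (not from the original article): flag inbound mail showing
# the spear-phishing pattern described above. All domains and messages here
# are constructed; "example-lab.gov" is a hypothetical organization domain.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-lab.gov"  # hypothetical internal domain
LURE_WORDS = ("human resources", "benefits", "payroll", "click here", "urgent")
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(s):
    """Lowercase host from an e-mail address, URL or bare hostname; '' if none."""
    s = s.strip()
    if "@" in s:
        host = s.rsplit("@", 1)[1].lower()
    else:
        if "://" not in s:
            s = "http://" + s  # bare host such as "intranet.example-lab.gov/x"
        host = (urlparse(s).hostname or "").lower()
    return host if HOST_RE.match(host) else ""


def in_org(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def analyze(raw):
    """Return a list of findings (strings) for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Header mismatch: From claims the org, but bounces or replies go outside it.
    if in_org(from_dom) and rp_dom and not in_org(rp_dom):
        findings.append(f"From claims {from_dom} but Return-Path is {rp_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain")

    # 2. Links whose visible text names one host but whose href goes to another.
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(parts)
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_dom, text_dom = domain_of(href), domain_of(text)
        if text_dom and href_dom and text_dom != href_dom:
            findings.append(f"link text shows {text_dom} but points to {href_dom}")
        elif href_dom and not in_org(href_dom) and in_org(from_dom):
            findings.append(f"internal sender links to external host {href_dom}")

    # 3. Lure vocabulary typical of HR-themed spear phishing.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in LURE_WORDS if w in lowered]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))
    return findings


def verdict(raw):
    """Quarantine when two or more independent indicators fire."""
    return "quarantine" if len(analyze(raw)) >= 2 else "deliver"


# Constructed sample: an HR lure with a spoofed internal sender and a disguised link.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example>
From: Human Resources <hr@example-lab.gov>
Reply-To: hr-replies@mail-relay.example
To: staff@example-lab.gov
Subject: Urgent: updated benefits enrollment
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your benefits enrollment before Friday.</p>
<p><a href="http://mail-relay.example/enroll">https://hr.example-lab.gov/benefits</a></p>
</body></html>
"""

# Constructed sample: a legitimate internal notice with a consistent link.
BENIGN = """\
Return-Path: <hr@example-lab.gov>
From: Human Resources <hr@example-lab.gov>
To: staff@example-lab.gov
Subject: Cafeteria hours this week
Content-Type: text/html; charset="utf-8"

<html><body><p>The cafeteria closes at 2pm on Friday.</p>
<p><a href="https://intranet.example-lab.gov/cafeteria">intranet.example-lab.gov/cafeteria</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, verdict(raw), analyze(raw))
```

The header and link checks fire regardless of what the linked page serves, which is the point: a gateway that only scans attachments and known-bad URLs has nothing to match against when the exploit is a zero-day, but a message that claims to be internal while its bounces, replies and links all lead outside the organization is suspicious on its face. The lure-word list is deliberately crude and should be tuned per organization; a keyword hit on its own is not enough to quarantine, which is why the verdict requires two independent indicators.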
Continued threat
Over the past year and a half, private businesses have seen an increase in attacks similar to the one launched against the Oak Ridge lab. Google and RSA both reported being victims of Advanced Persistent Threat attacks aimed at stealing sensitive data from their networks. Since this attack pattern has proven successful when launched via email against some of the most highly secured targets, we can expect it to be used against organizations with fewer security measures in place.
SMEs are not only low-hanging fruit for such attackers; many of them also do business with larger companies or even government agencies. Compromising a smaller organization that does business with a larger target can give attackers another inroad from which to stage an attack against the more lucrative objective.
Since email continues to be one of the most effective methods for delivering malicious code, it is up to the email administrator to work towards securing this compromise vector.



April 25th, 2011 at 5:53 pm
I realize that this is counter-intuitive to the instant speed of e-mails but perhaps for more security-intensive groups like this, there ought to be some kind of “operator” for their email system, a human eye who can look at larger communications like these and determine their legitimacy before sending them out. Obviously person-to-person emails will not go through, to maintain privacy, but if 570 emails hit my company all at once, I’d like to know if the material contained is purely factual and professional.
April 25th, 2011 at 6:26 pm
You are right to predict that the knowhow used in the Oak Ridge lab attack will be reused in attacks against less secure networks. If the admins of these less secure networks take the time to read about the intricacies of the attack, they probably stand a better chance but, honestly, I doubt they will have the time to read this. Welcome, hackers!
April 26th, 2011 at 10:22 am
Wow this is really amazing. Oak Ridge National Laboratory – the home to one of the world’s most powerful supercomputers, has been attacked and penetrated.
This just proves that no security system is perfect.
And I kinda pity the employee that triggered the malware. He/she was supposed to know whether the file is harmful or not.