Apr 20, 2011 16:36 GMT  ·  By

The Oak Ridge National Laboratory (ORNL) has temporarily shut down Internet access across its facilities after discovering that two computers were infected with malware as a result of a targeted email attack.

The Tennessee-based national laboratory funded by the U.S. Department of Energy conducts classified research in the fields of nuclear energy and national security.

Thomas Zacharia, the lab's deputy director, told Wired the attack was "sophisticated" and described it as an advanced persistent threat (APT).

It all began with rogue emails purporting to be from the human resources department being sent to 530 employees. The lab employs around 5,000 workers, so about 10% of its staff was targeted.

Of the employees who received the rogue emails, 57 clicked the malicious link they contained and were taken to a page that loaded an Internet Explorer exploit.

The exploit targeted a vulnerability patched by Microsoft last week, but at the time of the attack, on April 7, the flaw still had zero-day status.

In the end, only two computers were infected with the malware, which lay dormant for a week before activating itself and starting to siphon data out of the network.

Fortunately, the lab's security systems detected the suspicious behavior very quickly, and Internet access was shut down across the facility.

According to Zacharia, the attackers only managed to steal a few megabytes of data. The information was siphoned out in encrypted form and its destination hasn't yet been determined.

In addition, the malware was designed to delete itself if it failed to infect a system, suggesting a high degree of sophistication.

The value of the data, the sophistication of the malware, the exploitation of a zero-day vulnerability, and the use of encrypted communication are all indicative of a carefully planned cyber-espionage attack.