One of the main servers of the Oak Ridge National Laboratory (ORNL) was taken offline this past Friday (April 17) after the government lab was hit by a sophisticated cyberattack that tried to steal data and gain remote access to sensitive systems.
External traffic from the server that powers the website ORNL.gov was shut down at about 7 p.m. on Friday after officials noticed unusual Internet traffic that appeared to be stealing data from the ORNL servers, the Knoxville News Sentinel reported.
“We saw substantial activity, and rather than risk the exfiltration of data, we decided to take the domain offline,” Thomas Zacharia, ORNL deputy lab director, told SecurityNewsDaily. “We severed the domain’s connectivity to the external servers and created an air gap between our domain and the rest of the world.”
Located in Oak Ridge, Tenn., the ORNL is managed by the U.S. Department of Energy and conducts research into nuclear energy as well as chemical science, biological systems and national security.
The cyberattack was initially discovered 10 days earlier, on April 7, when a batch of spear-phishing emails — carefully crafted messages purporting to come from a genuine source, in this case the ORNL’s human resources department — was sent to 10 percent of the lab’s employees, approximately 530 computers.
Of those who received the email, about 57 clicked on it, Zacharia said. The malware exploited a security flaw in Internet Explorer and compromised two of the 57 systems. One of those two computers then spread the malware to other systems within the lab. (The flaw has since been patched.)
Although the threat was ultimately found on one computer, all 57 computers have been taken offline and quarantined for security purposes, Zacharia said.
Zacharia told SecurityNewsDaily that “very limited” data — “in the megabytes, not the gigabytes” — was stolen from the ORNL servers.
“We haven’t characterized the data that was taken. Given the size, we don’t expect it to be substantive,” he said.
Email has also been disabled since the attack “to minimize risk,” but Zacharia expects it to be restored today (April 19).
“We’re bringing it back in a carefully controlled way,” he said.
Zacharia would not speculate about the origin of the cyberattack, but he confirmed that it was an advanced persistent threat, a type of attack often deployed by Chinese government hackers.