U.S. Lab Falls Victim to Phishing Attack

One of the most common forms of malware infestation is people clicking on links in e-mails from unknown sources. Now it appears that not even a major U.S. research lab is immune.

The Oak Ridge National Laboratory yesterday disclosed it has been wrestling with a “sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country.”

The attacks have been ongoing since late October, it said.

In a disclosure on its site, the lab, run by the U.S. Department of Energy, said a hacker illegally gained access to its computers by sending staff e-mails that appeared to be legitimate official communications.

When employees either opened an attachment or clicked on an embedded link in the e-mail, they installed a Trojan that surreptitiously copied and retrieved information.

The lab said the attack began Oct. 29, and that it believes data was stolen from a database used for visitors to the facility. As a result, personal information belonging to personnel visiting from 1990 to 2004 may have been stolen, including the names, social security numbers and birthdates.

No classified information appears to have been lost, the lab said.

On Monday, Lab Director Thom Mason disclosed in an e-mail to staff that after weeks of research, he believed that thieves made “approximately 1,100 attempts” to steal data. According to the letter, he said they used a sophisticated strategy that involved sending staff seven targeted phishing e-mails, all of which at initially appeared legitimate.

One of the fake e-mails notified employees of a scientific conference, while another pretended to alert the employee to a complaint on behalf of the Federal Trade Commission. In both cases, the employee was instructed to open an attachment for further information.

The lab also warned anyone who visited between 1990 and 2004 to check their personal information with major credit check agencies Experian, Equifax and TransUnion.

An Oak Ridge National Laboratory spokesman declined to comment further on the issue.

Avivah Litan, senior security researcher with Gartner, said the scary part about the breach was its “inside job”-like nature.

“It’s a little frightening that the phishers got that list to send a targeted e-mail,” she told InternetNews.com. “I don’t think there’s cause for panic because they’ve said nothing has been compromised. But it’s very troublesome that phishers got a list of employees to target.”

“It makes you wonder what other holes are out there,” she said.

News Around the Web