The Oak Ridge National Laboratory has warned that its computer systems have been infiltrated by one or more hackers who skirted the system's security to gain access to personal information on the lab's visitors. The information was then used in a phishing scheme that attempted to convince victims to open a malicious e-mail attachment. The lab has not commented on the attackers' suspected motives.
Hackers have penetrated an upper layer of data at the Oak Ridge National Laboratory (ORNL), a multiprogram science and technology lab managed for the U.S. Department of Energy by UT-Battelle.
Scientists and engineers at ORNL work to increase the availability of clean and abundant energy, restore and protect the environment, and contribute to national security, in addition to isotope production.
ORNL Director Thom Mason sent a memo to the 3,800 staff members at the facility noting the nature of the attack.
"The Laboratory has been the target of a sophisticated cyber attack that now appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country," Mason noted. "Our cyber security staff has been working nights and weekends to understand the nature of this attack."
Security On, Hackers In
"Our review to date has shown that while every security system at ORNL was in place and in compliance, the hackers potentially succeeded in gaining access to one of the Laboratory's non-classified databases that contained personal information of visitors to the Laboratory between 1990 and 2004," Mason explained. "At this point we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate."
One of the fake e-mails notified employees of a scientific conference, while another pretended to notify employees of a complaint on behalf of the Federal Trade Commission.
"In each case, the employee was instructed to open an attachment for further information," Mason noted. "At present we believe that about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data."
Hacker Goals Not Revealed
Mason did not reveal what the hacker or hackers may have been after, whether it might have been simple identity information or deeper access to ORNL data.
"Reconstructing this event is a very tedious and time consuming effort that likely will take weeks, if not longer, to complete. In the meantime we will be attempting to notify by letter all persons who potentially had stolen personal information such as name, date of birth, and social security number," Mason explained. "Meanwhile, because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack."
Social Engineering at Work
"I think there's a little bit of discrepancy in the way people use the term 'phishing,'" Craig Schmugar, threat research manager for McAfee Avert Labs, told TechNewsWorld.
"Generally, phishing is considered more of the pure social engineering -- soliciting people to go to some place and willingly hand over their information," he explained. "This situation was more of a case of social engineering wrapped in an e-mail message that would get people to run an attachment. And once it was run, malicious code is installed on a machine, and that code goes out and effectively extracts information or gives remote attackers a gateway into an organization so they can steal what they want."
Overall, Schmugar says more targeted and personalized attacks are on the rise -- and they're becoming more sophisticated.
Fishing for Better Bait
Schmugar noted that some social engineering attacks start small to get initial information that can then be used to create additional, more legitimate-looking social engineering attacks -- in a sense, a hacker can phish for better bait. With better bait, hackers can go after bigger and better fish.
"The hacking side is easier to defend against. You can put software defenses in place and lock down people's machines, but what's really hard to defend is the social engineering -- because that's attacking people and their gullibility," Schmugar noted. "I've heard quotes from hackers saying it's much easier to get into someplace than reverse engineering software to find a crack in it," he added.
Breaking Into Corporations
"We're finding that social engineering tactics are still a very successful means of getting into corporations," Mike Haro, a senior security analyst for Sophos, told TechNewsWorld. "The trend is consistently high, but I wouldn't say it's any higher than it was this quarter or last year. But it's definitely a means from which targeted attacks take place."
The ORNL has posted a page at for employees and visitors that will keep them up-to-date with the investigation and potential identity theft issues.