The federal facility was hacked and data was siphoned from a server; on Friday, federal workers were forced to disconnect internet access.

Oak Ridge National Laboratory

Only a “few megabytes” of data were stolen before the lab discovered the breach and cut net access.  Oak Ridge is located in Tennessee and conducts classified and unclassified energy and national security work.  Funded by the U.S. Department of Energy, it is managed by UT-Battelle, a private company.

According to Thomas Zacharia, deputy director of the lab, the attack against the lab was “sophisticated”; he compared it to the so-called “advanced persistent threat” attacks that hit the security firm RSA last month and Google last year.

The intrusion came in the form of a spear-phishing email sent to lab employees on April 7.  The email was disguised as a message from the human resources department, discussed employee benefits and included a link to a malicious web site, where malware exploited an Internet Explorer vulnerability to download additional code to users’ machines.

The code exploited an IE zero-day vulnerability that Microsoft then patched on April 12.  The exploit was described as a critical remote-code execution vulnerability, which allows attackers to install malware on a user’s machine if he or she visits an infected website.

About 530 employees received the email, but only 57 clicked on the link, allowing the attackers to compromise 2 computers.  The lab took precautions as soon as it was alerted to the issue and began blocking the emails as soon as they started to come in.

On April 11, administrators discovered that a server had been breached when data began leaving the network.  As workers cleaned up the infected system early Friday evening, “a number of other servers went active with the malware.”  The malware had lain dormant for a week before it awoke on those systems.  At that point the lab took steps and blocked internet access.

The lab is still working to characterize the malware so it can be certain it has completely eradicated it.

Zacharia was unable to say what the attackers stole or where the data went.  He would also not say whether NSA encryption experts were among those assisting in the investigation.  Knoxnews confirmed through Microsoft’s public relations firm that Microsoft was assisting in the probe of the attack.

This attack is the second such attack since 2007, when a similar spear-phishing attack allowed hackers to access a non-classified database at the lab and obtain thousands of names, Social Security numbers and birthdates belonging to anyone who had visited the lab between 1990 and 2004.

Source: Wired, Microsoft, Knoxnews