Hack of Energy’s Pacific Northwest lab exploited zero-day vulnerability

The cyberattack that took the Energy Department's Pacific Northwest National Laboratory offline on July 1 exploited a zero-day vulnerability to infect the lab's systems with malware that the lab characterizes as an Advanced Persistent Threat, lab CIO Jerry Johnson said July 12.

Although external e-mail and some internal communications have been restored, the lab’s website at www.pnl.gov remains unavailable and the Richland, Wash., lab still has no Internet access. Johnson said he hopes that remaining services will be restored by late Wednesday, July 13, or early Thursday.

“The landscape we are protecting is very large,” Johnson said. “Given the scope and complexity of our network and information systems, we have made excellent progress restoring services."

Pacific Northwest was one of two Energy Department labs that became aware of an attack on July 1. The Thomas Jefferson National Accelerator Facility in Newport News, Va., also went offline for a period after the attack was discovered, but restored Internet services and began rebuilding its Web site, at www.jlab.org, last week.

Battelle Memorial Institute of Columbus, Ohio, which manages the Pacific Northwest lab and several others for the Energy Department and the United Kingdom, also came under attack July 1. Corporate e-mail and outside network access were shut down over the holiday weekend but were restored on Tuesday, July 5.

Johnson said response teams at Pacific Northwest have found multiple pieces of malicious code and attacker tooling while investigating the breach. PNNL is providing information on the attack to the Energy Department's Cyber Incident Response Center, which can pass it on to other response groups.

“We are working with authorities on this matter and cannot comment or speculate about who the intruders are or might be,” he said.

He said the response team has two tasks:

  1. Identify and clean up any compromised systems and any malware installed by the attackers, including any latent malware that could become active at a later time.
  2. Remedy any weak points in our defenses exploited by the attackers.

The Pacific Northwest lab has a staff of about 4,900, about 4,500 of them working at the Richland facility, and an annual budget of about $1 billion. Roughly half of its work is in national and homeland security analysis and research, with most of the rest in the areas of energy, smart grid development and the environment. The lab routinely repels more than 4 million probes and breach attempts a day, and because of its cybersecurity analytics and research it provides incident response assistance to other agencies and law enforcement.

“Our network contains tens of thousands of devices and petabytes of software and information,” Johnson said. “We are capable of transmitting tens of billions of bits of information per second. We communicate with research collaborators and partners all over the world."

The complexity of the environment has complicated the response to the breach, but Johnson said the attack falls into the category of an Advanced Persistent Threat, a class of intrusion that typically infiltrates a system quietly and operates below the radar while searching for information or awaiting instructions. It exploited a previously unknown vulnerability for which the vendor has since released a patch.

“Contrary to some trade press reports we've seen to date, this attack did not include a spear-phishing element,” he said.


About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Jul 15, 2011 hhhobbit

Good points, but even better, what sub-system enabled the successful attack? If it was a web server running on Linux, were they using SELinux? If it came in via a browser, and they were using Firefox, do they have a policy of not browsing until NoScript is plugged into the browser? I know a Math department at a University that has a firm policy of using only Firefox with NoScript on all of their computers: Windows, Linux, Sun Solaris, and Macintosh. IOW, what we are after is something that may prevent this from happening again no matter what vulnerability exists, if that is possible.

Wed, Jul 13, 2011

"It exploited a previously unknown vulnerability for which the vendor has since released a patch." What vendor? What product? Why withhold this information?

Wed, Jul 13, 2011

So, what kind of system got hacked? Windows? Linux? IBM Mainframe?
