Hack of Energy’s Pacific Northwest lab exploited zero-day vulnerability
The cyberattack that took the Energy Department’s Pacific Northwest National Laboratory offline on July 1 exploited a zero-day vulnerability to infect the systems with an Advanced Persistent Threat, lab CIO Jerry Johnson said July 12.
Although external e-mail and some internal communications have been restored, the lab’s website at www.pnl.gov remains unavailable and the Richland, Wash., lab still has no Internet access. Johnson said he hopes that remaining services will be restored by late Wednesday, July 13, or early Thursday.
“The landscape we are protecting is very large,” Johnson said. “Given the scope and complexity of our network and information systems, we have made excellent progress restoring services."
Cyberattacks take two Energy labs offline
AntiSec hackers claim theft of military e-mails from Booz Allen
Pacific Northwest was one of two Energy Department labs that became aware of an attack on July 1. The Thomas Jefferson Laboratory National Accelerator Facility in Newport News, Va., also went offline for a period after the attack was discovered, but restored Internet services and began rebuilding its Web site, at www.jlab.org, last week.
Battelle Memorial Institute of Columbus, Ohio, which manages the Pacific Northwest Lab and several others for the Energy Department and the United Kingdom, also came under attack July 1. Corporate e-mail and outside network access was shut down over the holiday weekend but was restored on Tuesday, July 5.
Johnson said response teams at Pacific Northwest have found multiple malicious codes and tools as a result of the breach and PNNL is providing information on the attack to the Energy Department's Cyber Incident Response Center, which can provide information to other response groups.
“We are working with authorities on this matter and cannot comment or speculate about who the intruders are or might be,” he said.
He said the response team has two tasks:
- Identify and clean up any compromised systems and any malware installed by the attackers, including any latent malware that could become active at a later time.
- Remedy any weak points in our defenses exploited by the attackers.
The Pacific Northwest lab has about a staff of about 4,900, about 4,500 of them working at the Richland facility, with an annual budget of about $1 billion. Roughly half of its work is in national and homeland security analysis and research, with the most of the rest in the areas of energy, smart grid development and the environment. The lab routinely repels more than 4 million probes and breach attempts a day, and because of its cybersecurity analytics and research it provides incident response assistance to other agencies and law enforcement.
“Our network contains tens of thousands of devices and petabytes of software and information,” Johnson said. “We are capable of transmitting tens of billions of bits of information per second. We communicate with research collaborators and partners all over the world."
The complexity of the environment has complicated the response to the breach. But Johnson was able to say that the attack falls into the category of an Advanced Persistent Threat, a class that typically is intended to quietly infiltrate a system and operate below the radar while searching for information or awaiting instructions. It exploited a previously unknown vulnerability for which the vendor has since released a patch.
“Contrary to some trade press reports we've seen to date, this attack did not include a spear-phishing element,” he said.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.