Three U.S. National Labs Attacked on July 1: Same Mode As RSA

On July 1, 2011, Battelle Memorial Institute suffered a "sophisticated" attack against its network which also impacted Pacific Northwest National Lab and one other lab which wasn't named. Both PNNL and Battelle shut down their email servers and their Internet access as a precaution. As of 0200 03JUL2011, Battelle's website was still down (battelle.org) while PNNL.gov was functioning normally.
Oak Ridge National Lab suffered a similar attack on April 11 which involved a spear phishing email with an human resources related theme that exploited a 0-day in the IE browser. Battelle manages several Department of Energy labs including:
  • Brookhaven National Laboratory
  • Idaho National Laboratory 
  • National Renewable Energy Laboratory
  • Oak Ridge National Laboratory
  • Pacific Northwest National Laboratory
  • Lawrence Livermore National Laboratory
EMC's RSA SecurID division was compromised in a similar way in early March, 2011 via a spear phishing attack with a HR-related theme. In RSA's case it exploited an Adobe Flash 0-day. While Battelle and its managed national labs are all RSA SecurID customers, there is no publicly available information on the ORNL, PNNL, or Battelle attacks which suggests that the SecurID breach played a role at this time.

UPDATE (0300Z 3 JUL 2011):
Since my initial post I've discovered that on Feb 25, 2011 the Dept of Energy issued a "Preliminary notice of violation" to a division of Battelle - Battelle Energy Alliance - which involved three Severity Level I violations, and one Severity Level II violation associated with:
  • classification determination; 
  • protection and control of classified information; 
  • cyber security;
  • ineffective self-assessment processes that failed to identify the classified information security, and cyber security noncompliances disclosed by this event.
Battelle Energy Alliance is composed of Battelle Memorial Institute and 4 other institutions including BWX Technologies. BWX (Babcock & Wilcox Company) manages the Y-12 National Security Complex for the National Nuclear Security Administration (NNSA). Y-12 just had its webservers compromised through a SQL injection attack on June 12, 2011 by the Phsy hacker crew who posted usernames and passwords to a Pastebin file. One of the names posted belongs to a VP of SCI Consulting:
(SCI Consulting is the) Prime contract to the DOE Oak Ridge Office to provide the full spectrum of IT support services to the three managing and operating contractors on the Oak Ridge Reservation including Bechtel Jacobs Company, LLC; Babcock & Wilcox Technologies Y-12, LLC; and University of Tennessee-Battelle, LLC.
UT-Battelle LLC is a partnership between the University of Tennessee and Battelle Memorial Institute that manages Oak Ridge National Lab so the possibility of compromise via an SCI Consulting executive's credentials is certainly a risk worth examining. Even if this executive's stolen credentials were not used, it serves as an example of the potential exploitation of AntiSec data released in the public domain which agencies of foreign governments or their agents may use to leverage further exploitation or craft targeted attacks.

UPDATE (07 JUL 2011): The 3rd national lab has been identified as the Thomas Jefferson National Accelerator Facility (aka Jefferson Lab).


UPDATE (20 SEP 2011): The CIO of Pacific Northwest National Laboratories describes the attack and makes 7 recommendations.

Comments