Oak Ridge National Lab shuts down Internet, email after cyberattack

DOE laboratory says it was victim of an Advanced Persistent Threat designed to steal technical data

The Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers, has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.

The restrictions on Internet access will remain in place until those investigating the attack know for sure that it has been completely contained, said Barbara Penland, ORNL's director of communications.

The lab is expected to restore external email service sometime on Wednesday; however, no attachments will be allowed for the time being.

Penland said several other national laboratories and government organizations were targeted in the same attacks, which appear to have been launched earlier this month.

The measures at Oak Ridge were implemented late on Friday night after initial investigations showed that those behind the attacks were attempting to steal technical data from the lab's systems and send it to an external system, Penland said.

So far, though, it appears that no significant amount of data has been stolen. Penland said investigators believe that whoever was behind the attacks managed to steal less than 1GB of data.

Penland said that there is nothing to show yet where the attacks originated from or who might have been behind them.

The attacks were launched through phishing emails that were sent to some 573 lab employees. The emails were disguised to appear as if they came from the lab's HR department and purported to inform employees of some benefits-related changes.

The emails contained a link that employees were asked to click on for further information.

Some employees appear to have clicked on the link, resulting in an information-stealing malware program being downloaded on their systems.

Penland did not offer any more details on the malware itself. But a story in Knoxnews.com quoted ORNL director Thom Mason as saying the malware program exploited a zero-day vulnerability in Internet Explorer.

The story quoted Mason as describing the attack as a sophisticated Advanced Persistent Threat (APT), designed to gain a foothold on the lab's networks and then to quietly look for and steal specific types of information.

"If you look at this APT, it is much more sophisticated than what was being used a few years ago," Mason told Knoxnews.com. "Certainly what we've seen is very consistent with the RSA attack," he said, referring to an attack on RSA a few weeks ago that resulted in data relating to the company's SecurID two-factor authentication technology being stolen.

Almost all of the lab's 200 IT staff are currently engaged in either investigating the attacks or ensuring that other systems remain available, Penland said. Staff from other national laboratories are also helping in the investigations, she said. At the moment, the attacks are the subject of an IT investigation only and not a criminal one.

Penland said that the attacks appear to have been directed at ORNL's business systems. The lab's supercomputers, including the world's most powerful system, the 1.75-petaflop Jaguar, have been unaffected by the attacks and continue to operate normally.

As of this afternoon, the attacks appear to have been contained, she added. "Keeping the Internet down is a precaution to make sure that nothing gets out as we investigate further," she said.

The email and Internet shutdown has forced employees to rely on fax machines and phone calls to communicate with the outside world since last Friday, she said.

APTs of the sort described by Mason are highly targeted, low-intensity attacks designed to conduct espionage and to steal information from high-value targets. The attacks, many of which are believed to originate in China, were initially targeted at U.S. Air Force and government networks.

Over the last 18 months or so, a growing number of private companies have reported being victims of APTs as well. The most notable was Google, which last year accused China of launching APT attacks against it to steal its IP.

More recently, security vendor RSA claimed that it was the victim of an APT attack after intruders broke into its networks and stole data on its SecurID two-factor authentication technology.

Oak Ridge National Laboratory's status as a Department of Energy funded lab, and the work it is doing especially in the area of supercomputers, makes it a prime target for an APT attack, if that indeed is what happened at the lab, said Rich Mogull, an analyst with Securosis.

The breach described by ORNL certainly appears to fit into the classic mold of an APT attack in which attackers first try to compromise systems using highly targeted phishing mails and then drop zero-day malware to snoop on and steal data, Mogull said.

But until more details are released it is hard to know for sure, other analysts said.

"The term 'Advanced Persistent Threat' is definitely being overhyped and used as an excuse way too often, as in 'Well, it wasn't really our fault it was an Advanced Persistent Threat'," said John Pescatore, an analyst at Gartner. "Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in."

Pete Lindstrom, an analyst with Spire Security, said the term APT is often used these days as a face-saving measure. "The definition of APT is so sufficiently muddled that anyone can claim APT and be right in some sense and wrong in another," he said. "The proof is in the defenses that could have prevented it -- if they are fundamental security measures then the notion of APT has no meaning."

This is the second time that Oak Ridge has fallen victim to a phishing attack. In 2007, hackers gained access to a non-classified database after infecting internal systems via phishing emails.

That compromise resulted in the personal data, including Social Security numbers, of visitors to the laboratory being compromised.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Jaikumar Vijayan

Computerworld (US)