U.S. Energy Lab Hit by Phishing Attack

According to an Oak Ridge National Laboratory spokeswoman, a "very sophisticated" piece of malware apparently designed to steal technical information from the Energy Department lab's network caused laboratory officials to shut down its e-mail and Internet access last week.

E-mail service was re-established on the evening of April 19, but Internet access remains down, although the lab's public-facing website at remains in operation.

"This particular malware is set up to collect technical information and send it out of the lab," said Barbara Penland, the lab's deputy director of communications. "That's the reason we took the aggressive action of cutting off external access. We have been operating normally internally."

Penland said the lab hopes to have Internet access restored by the end of the week. In the meantime, the malware is being isolated and removed. The source of the malicious code and the would-be recipient of stolen data remain unknown. "That's one of the things we are investigating," she said.

Oak Ridge is managed for the Energy Department by the University of Tennessee and Battelle LLC, and conducts basic and applied research in clean energy and other areas. It also is home to Jaguar, a recently upgraded Cray XT5-based supercomputer rated one of the fastest in the world.

Penland said the lab was the target of a phishing attack that began April 7.

"We received over 500 phishing e-mails that were specifically targeted to the lab and appeared to be from the benefits department," she said. The e-mail messages contained a "more information" link, which several people clicked. "One computer was set up in a way that gave access to our network."

The attack began one day after the Homeland Security Department's US-CERT issued an advisory warning against targeted phishing attacks, and Penland confirmed that a number of other Energy Department labs and agencies had been targeted by similar attacks.

Harry Sverdlove, CTO of security company Bit9, said the Oak Ridge attack is similar to others being seen by his company against government and private-sector targets.

"This is no doubt a large and coordinated effort," he said. "It's part of a pattern we are seeing more and more. It is the most common form of attack" for targeted threats. "Why bother going around defenses when you can walk in the front door?"

Little is known so far about the malware that infected the network.

"They are calling it an advanced persistent threat, which is the nom du jour for any attack that is not stopped by traditional defenses," Sverdlove said.

About the Author

William Jackson is the senior writer for Government Computer News (

