Wednesday, April 20, 2011

Oak Ridge National Laboratory Falls for a Spear-Phishing Campaign

An interesting post today on Wired - Top Federal Lab Hacked in Spear-Phishing Attack - details the most recent successful attack against Oak Ridge National Labs.

A couple of the most interesting quotes from the story are:
“The attacker used an Internet Explorer zero-day vulnerability that Microsoft patched on April 12 to breach the lab’s network. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user’s machine if he or she visits a malicious web site.”
“The lab began to block the malicious emails soon after they began coming in, but it was already too late. On April 11, administrators discovered a server had been breached when data began leaving the network. Workers cleaned up the infected system, but early Friday evening “a number of other servers suddenly [went] active with the malware,” Zacharia said. The malware had apparently laid dormant for a week before it awoke on those systems. That’s when the lab blocked internet access.”
That's an interesting tactic, and one I haven't seen for a long time. Back in the 2003-2004 era I observed a similar kind of trigger approach being used for targeted attacks against the petrochemical industry (largely associated with organized crime teams that traced back to the Balkans).