Thursday, July 21, 2011

APT: Attack On Pacific Northwest National Lab Started At Public Web Servers

Via Dark Reading (July 20, 2011) -

The cyberattack discovered at Pacific Northwest National Laboratory (PNNL) during the Fourth of July holiday weekend used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash attack, according to officials at the Department of Energy-contracted facility.

PNNL, a research and development facility operated under contract to the Department of Energy, discovered what it described as a "sophisticated" targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.

Now more details are emerging on just how the attackers got into the Richland, Wash.-based lab, which employs around 4,900 people and handles homeland security analysis and research, as well as smart grid and environmental development.

Jerry Johnson, chief information officer for Pacific Northwest National Laboratory, said in an interview with Dark Reading that the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. These servers are considered "low impact" by government security standards, meaning that they require only minimal security under NIST standards.

The attackers exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. Johnson declined to elaborate on the Flash bug and exploit.

Another DOE facility, Newport News, Va.-based Thomas Jefferson National Lab, was also hit around the same time frame as PNNL, according to published reports. The attacks have been described as having the earmarks of advanced persistent threat (APT) actors, typically nation-state sponsored and focused on cyberespionage.


Even though the attackers used such a blanketed method of drive-by Web attack, Johnson says it was obvious they were zeroing in on PNNL. They netted non-PNNL workstations in their attack as well, but that wasn't their focus. "There were some workstations compromised by other DOE contractors we had on-site, but they were never exploited. [The attackers] didn’t care about them, only about the ones inside the lab. It was very clear that they knew what they wanted," and that was to target PNNL, he says.

Meanwhile, the more serious part of the breach against PNNL came in a second-wave attack that originated from another laboratory, which has not been identified but sources say was not Jefferson Lab.


Like targeted spear-phishing, this technique appears to be increasingly used by APT actors: attack a company's public website(s), plan malicious exploits on the public sites (mostly 0-days), and wait for employees to visit the site (likely), thus infecting internal / trusted PCs by exploiting public websites.

This exact technique has been outlined in various attacks against human rights organizations since 2009 as well, which are also common targets for specific APT actors.

No comments:

Post a Comment