China syndromeChina suspected in hacking attempt on Oak Ridge National Lab

Published 10 December 2007

In October about 1,100 employees at the Oak Ridge National Lab received versions of seven phishing e-mails which appeared legitimate; eleven employees opened the e-mails’ attachments, which enabled the hackers to infiltrate the Lab’s system and remove data; Last week DHS circulated memo to security experts pointing to China as the source of the October hacking at the weapon lab

A confidential DHS memorandum circulated to government and private security officials last Wednesday says that a cyber attack reported earlier last week by one of the federal government’s nuclear weapons laboratories may have originated in China. The New York Times’s John Markoff writes that security researchers said the memorandum included a list of Web and Internet addresses which were linked to locations in China. They noted, though, that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location. Officials at the lab, Oak Ridge National Laboratory in Tennessee, said the attacks did not compromise classified information, though they acknowledged that they were still working to understand the full extent of the intrusion. DHS distributed the confidential warning to computer security officials last Wednesday after what it described as a set of “sophisticated attempts” to compromise computers used by the private sector and the government.

Markoff writes that government computer security officials said the warning, which was issued by the U.S. Computer Emergency Response Team, known as US-CERT, was related to an October attack which was also disclosed last week by officials at the Oak Ridge laboratory. According to a letter to employees written by the laboratory’s director, Thom Mason, an unknown group of attackers sent targeted e-mail messages to about 1,100 employees as part of the ruse. “At this point, we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven ‘phishing’ e-mails, all of which at first glance appeared legitimate,” he wrote in an e-mail message sent to employees last Monday. “At present we believe that about 11 staff opened the attachments, which enabled the hackers to infiltrate the system and remove data.” In a statement posted on the laboratory’s Web site, the agency stated: “The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory.” The laboratory said the attackers were able to gain access to a database containing personal information about visitors to the laboratory going back to 1990.

The US-CERT advisory, which was not made public, stated: “The level of sophistication and the scope of these cyber security incidents indicate that they are coordinated and targeted at private sector systems.” The US-CERT memo referred to the use of e-mail messages that fool employees into clicking on documents that then permit attackers to plant programs in their computers. These programs are then able to copy and forward specific data — such as passwords