[ISN] China Link Suspected in Lab Hacking

From: InfoSec News (alerts@private)
Date: Sun Dec 09 2007 - 23:33:58 PST


http://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html

By JOHN MARKOFF
The New York Times
December 9, 2007

SAN FRANCISCO, Dec. 8 — A cyber attack reported last week by one of the 
federal government’s nuclear weapons laboratories may have originated in 
China, according to a confidential memorandum distributed Wednesday to 
public and private security officials by the Department of Homeland 
Security.

Security researchers said the memorandum, which was obtained by The New 
York Times from an executive at a private company, included a list of 
Web and Internet addresses that were linked to locations in China. 
However, they noted that such links did not prove that the Chinese 
government or Chinese citizens were involved in the attacks. In the 
past, intruders have compromised computers in China and then used them 
to disguise their true location.

Officials at the lab, Oak Ridge National Laboratory in Tennessee, said 
the attacks did not compromise classified information, though they 
acknowledged that they were still working to understand the full extent 
of the intrusion.

The Department of Homeland Security distributed the confidential warning 
to computer security officials on Wednesday after what it described as a 
set of “sophisticated attempts” to compromise computers used by the 
private sector and the government.

Government computer security officials said the warning, which was 
issued by the United States Computer Emergency Response Team, known as 
US-CERT, was related to an October attack that was also disclosed last 
week by officials at the Oak Ridge laboratory.

According to a letter to employees written by the laboratory’s director, 
Thom Mason, an unknown group of attackers sent targeted e-mail messages 
to roughly 1,100 employees as part of the ruse.

“At this point, we have determined that the thieves made approximately 
1,100 attempts to steal data with a very sophisticated strategy that 
involved sending staff a total of seven ‘phishing’ e-mails, all of which 
at first glance appeared legitimate,” he wrote in an e-mail message sent 
to employees on Monday. “At present we believe that about 11 staff 
opened the attachments, which enabled the hackers to infiltrate the 
system and remove data.”

In a statement posted on the laboratory’s Web site, the agency stated: 
“The original e-mail and first potential corruption occurred on October 
29, 2007. We have reason to believe that data was stolen from a database 
used for visitors to the Laboratory.”

The laboratory said the attackers were able to gain access to a database 
containing personal information about visitors to the laboratory going 
back to 1990.

The US-CERT advisory, which was not made public, stated: “The level of 
sophistication and the scope of these cyber security incidents indicate 
that they are coordinated and targeted at private sector systems.”

The US-CERT memo referred to the use of e-mail messages that fool 
employees into clicking on documents that then permit attackers to plant 
programs in their computers. These programs are then able to copy and 
forward specific data — like passwords — to remote locations.

Despite improvements in computer security, phishing attacks are still a 
big problem. In the case of the Oak Ridge intrusion, the e-mail messages 
were made to seem authentic. One described a scientific conference and 
another referred to a Federal Trade Commission complaint.

Computer security researchers cautioned that despite the US-CERT 
description of the attacks as sophisticated, such threats are frequently 
undertaken by amateur computer hackers.

Classified federal computer networks are not supposed to be connected 
physically to the open Internet. Even so, sensitive data like employee 
e-mail databases can easily be compromised once access is gained to 
computers inside federal agencies.



__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/



This archive was generated by hypermail 2.1.3 : Sun Dec 09 2007 - 23:50:44 PST