U.S. Lab Falls Victim to Phishing Attack
Thieves stole 14 years of visitors' personal data in a sophisticated targeted attack.
One of the most common forms of malware infestation is people clicking on links in e-mails from unknown sources. Now it appears that not even a major U.S. research lab is immune.
The Oak Ridge National Laboratory Friday disclosed it has been wrestling with a "sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."
The attacks have been ongoing since late October, it said.
When employees either opened an attachment or clicked on an embedded link in the e-mail, they installed a Trojan that surreptitiously copied and retrieved information.
The lab said the attack began Oct. 29, and that it believes data was stolen from a database used for visitors to the facility. As a result, personal information belonging to personnel visiting from 1990 to 2004 may have been stolen, including the names, social security numbers and birthdates.
No classified information appears to have been lost, the lab said.
Last week, Lab Director Thom Mason disclosed in an e-mail to staff that after weeks of research, he believed that thieves made "approximately 1,100 attempts" to steal data. According to the letter, he said they used a sophisticated strategy that involved sending staff seven targeted phishing e-mails, all of which at initially appeared legitimate.
One of the fake e-mails notified employees of a scientific conference, while another pretended to alert the employee to a complaint on behalf of the Federal Trade Commission. In both cases, the employee was instructed to open an attachment for further information.
The lab also warned anyone who visited between 1990 and 2004 to check their personal information with major credit check agencies Experian, Equifax and TransUnion.
An Oak Ridge National Laboratory spokesman declined to comment further on the issue.