Attacks/Breaches
2/6/2013
12:52 PM
Connect Directly
RSS
E-Mail
50%
50%

6 Reasons Hackers Would Want Energy Department Data

In Department of Energy breach, what was driving attackers to steal employee data? Stuxnet revenge is one theory.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Why would hackers target the Department of Energy (DOE)?

The obvious answer is to steal nuclear secrets, since the agency's National Nuclear Security Administration (NNSA) department is in charge of managing and safeguarding the country's nuclear arsenal. According to security experts, the agency's laboratories, where the most sensitive work takes place, have long been targeted by attackers.

But the breach of the DOE headquarters network in mid-January, which was disclosed in a Friday memo to employees, appeared only to result in the theft of personally identifiable information (PII) pertaining to a few hundred of the agency's employees and contractors. Although a related investigation by the DOE and FBI remains underway, the memo noted that the findings to date indicate that "no classified data was compromised."

[ What is the government doing to crack down on cyber break-ins? Read FBI Expands Cybercrime Division. ]

Why would attackers target PII for agency employees? Here are six reasons -- some more likely than others -- why attackers might have come gunning for employee data:

1. Spies Seeking Nuclear Secrets

The story of the DOE breach was first reported by the Washington Free Beacon, which noted that the NNSA manages, secures and designs the country's nuclear arsenal. But it offered no evidence that the NSSA was targeted, and again, the DOE said its investigators found no evidence that attackers accessed any classified information.

Other news outlets trumpeted that China was a possible suspect in the attacks, which isn't news -- and hasn't been substantiated. Furthermore, if a foreign government was involved, there are many more candidates than just China. "China is the noisiest -- the government officials who are fully briefed in on the threat will tell you that several other countries' cyber attacks are equally worrisome but much more clandestine," said Alan Paller, director of research for the SANS Institute, via email.

2. Intelligence Services Out To Catalog Real Identities

If a foreign intelligence service was behind the attack, then it was likely meant to gain a foothold in the DOE's network, and then allow attackers to spread malware to other DOE systems. Alternately, the information could be used for more hands-on types of espionage. "Let's suppose the hackers were from China," said Sean Sullivan, security advisor at F-Secure Labs, via email. "In that case, they may very well be interested in the PII to facilitate real-world spying -- a lot of which still goes on. You need to know names and addresses in order to target somebody with a seductress."

3. Prepping Spear-Phishing Attacks

Or, the personnel information could be used to create more personalized spear-phishing attacks. These use emails that appear to be legitimate to trick users into opening malicious attachments, which then infect the targeted system and allow data to be stolen from the PC, as well as use the infected system as a springboard for infecting other servers and PCs.

Thanks to modern-day crimeware toolkits, attackers can repack their malware to vary its appearance, thus helping to bypass signature-based antivirus defenses. In the attack against The New York Times that came to light last week, for example, attackers launched 45 malicious files at newspaper PCs over a three-month period, and only saw one piece of malware get stopped and blocked by the Symantec antivirus software used by the Times.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/15/2013 | 3:50:44 PM
re: 6 Reasons Hackers Would Want Energy Department Data
A large part of hacking is gathering information on the potential target, and I mean every piece of information counts for something and could potentially play a part in a successful hack. The more you know about an organization the better off you are for determining potential usernames, passwords, are usually associated with personal information or organizational information, so you can see how personal information could play a huge role in this. After gaining access to systemG«÷s it does not matter exactly what information they are seeking, they will be able to pick and choose which data they want.

Paul Sprague
InformationWeek Contributor
treehousetim
50%
50%
treehousetim,
User Rank: Apprentice
2/7/2013 | 9:15:53 PM
re: 6 Reasons Hackers Would Want Energy Department Data
Kevin Mitnick would tell you that simply having names and personal information for these people would make a penetration a million times easier. He recently tweeted, "When conducting penetration tests, our success rate is 100% if our team is allowed to use social engineering. Never failed once." https://twitter.com/kevinmitni...

A lot of recent data breaches / attacks have been downplayed since "nothing important or classified" was stolen. I think this perception is both ignorant and foolish.

Any private data that is divulged without permission or intent should be considered a possible gateway to future attacks.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.