Attacks/Breaches
2/6/2013
12:52 PM
Connect Directly
RSS
E-Mail
50%
50%

6 Reasons Hackers Would Want Energy Department Data

In Department of Energy breach, what was driving attackers to steal employee data? Stuxnet revenge is one theory.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Why would hackers target the Department of Energy (DOE)?

The obvious answer is to steal nuclear secrets, since the agency's National Nuclear Security Administration (NNSA) department is in charge of managing and safeguarding the country's nuclear arsenal. According to security experts, the agency's laboratories, where the most sensitive work takes place, have long been targeted by attackers.

But the breach of the DOE headquarters network in mid-January, which was disclosed in a Friday memo to employees, appeared only to result in the theft of personally identifiable information (PII) pertaining to a few hundred of the agency's employees and contractors. Although a related investigation by the DOE and FBI remains underway, the memo noted that the findings to date indicate that "no classified data was compromised."

[ What is the government doing to crack down on cyber break-ins? Read FBI Expands Cybercrime Division. ]

Why would attackers target PII for agency employees? Here are six reasons -- some more likely than others -- why attackers might have come gunning for employee data:

1. Spies Seeking Nuclear Secrets

The story of the DOE breach was first reported by the Washington Free Beacon, which noted that the NNSA manages, secures and designs the country's nuclear arsenal. But it offered no evidence that the NSSA was targeted, and again, the DOE said its investigators found no evidence that attackers accessed any classified information.

Other news outlets trumpeted that China was a possible suspect in the attacks, which isn't news -- and hasn't been substantiated. Furthermore, if a foreign government was involved, there are many more candidates than just China. "China is the noisiest -- the government officials who are fully briefed in on the threat will tell you that several other countries' cyber attacks are equally worrisome but much more clandestine," said Alan Paller, director of research for the SANS Institute, via email.

2. Intelligence Services Out To Catalog Real Identities

If a foreign intelligence service was behind the attack, then it was likely meant to gain a foothold in the DOE's network, and then allow attackers to spread malware to other DOE systems. Alternately, the information could be used for more hands-on types of espionage. "Let's suppose the hackers were from China," said Sean Sullivan, security advisor at F-Secure Labs, via email. "In that case, they may very well be interested in the PII to facilitate real-world spying -- a lot of which still goes on. You need to know names and addresses in order to target somebody with a seductress."

3. Prepping Spear-Phishing Attacks

Or, the personnel information could be used to create more personalized spear-phishing attacks. These use emails that appear to be legitimate to trick users into opening malicious attachments, which then infect the targeted system and allow data to be stolen from the PC, as well as use the infected system as a springboard for infecting other servers and PCs.

Thanks to modern-day crimeware toolkits, attackers can repack their malware to vary its appearance, thus helping to bypass signature-based antivirus defenses. In the attack against The New York Times that came to light last week, for example, attackers launched 45 malicious files at newspaper PCs over a three-month period, and only saw one piece of malware get stopped and blocked by the Symantec antivirus software used by the Times.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/15/2013 | 3:50:44 PM
re: 6 Reasons Hackers Would Want Energy Department Data
A large part of hacking is gathering information on the potential target, and I mean every piece of information counts for something and could potentially play a part in a successful hack. The more you know about an organization the better off you are for determining potential usernames, passwords, are usually associated with personal information or organizational information, so you can see how personal information could play a huge role in this. After gaining access to systemGÇÖs it does not matter exactly what information they are seeking, they will be able to pick and choose which data they want.

Paul Sprague
InformationWeek Contributor
treehousetim
50%
50%
treehousetim,
User Rank: Apprentice
2/7/2013 | 9:15:53 PM
re: 6 Reasons Hackers Would Want Energy Department Data
Kevin Mitnick would tell you that simply having names and personal information for these people would make a penetration a million times easier. He recently tweeted, "When conducting penetration tests, our success rate is 100% if our team is allowed to use social engineering. Never failed once." https://twitter.com/kevinmitni...

A lot of recent data breaches / attacks have been downplayed since "nothing important or classified" was stolen. I think this perception is both ignorant and foolish.

Any private data that is divulged without permission or intent should be considered a possible gateway to future attacks.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio