Attacks/Breaches
2/6/2013
12:52 PM
50%
50%

6 Reasons Hackers Would Want Energy Department Data

In Department of Energy breach, what was driving attackers to steal employee data? Stuxnet revenge is one theory.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Why would hackers target the Department of Energy (DOE)?

The obvious answer is to steal nuclear secrets, since the agency's National Nuclear Security Administration (NNSA) department is in charge of managing and safeguarding the country's nuclear arsenal. According to security experts, the agency's laboratories, where the most sensitive work takes place, have long been targeted by attackers.

But the breach of the DOE headquarters network in mid-January, which was disclosed in a Friday memo to employees, appeared only to result in the theft of personally identifiable information (PII) pertaining to a few hundred of the agency's employees and contractors. Although a related investigation by the DOE and FBI remains underway, the memo noted that the findings to date indicate that "no classified data was compromised."

[ What is the government doing to crack down on cyber break-ins? Read FBI Expands Cybercrime Division. ]

Why would attackers target PII for agency employees? Here are six reasons -- some more likely than others -- why attackers might have come gunning for employee data:

1. Spies Seeking Nuclear Secrets

The story of the DOE breach was first reported by the Washington Free Beacon, which noted that the NNSA manages, secures and designs the country's nuclear arsenal. But it offered no evidence that the NSSA was targeted, and again, the DOE said its investigators found no evidence that attackers accessed any classified information.

Other news outlets trumpeted that China was a possible suspect in the attacks, which isn't news -- and hasn't been substantiated. Furthermore, if a foreign government was involved, there are many more candidates than just China. "China is the noisiest -- the government officials who are fully briefed in on the threat will tell you that several other countries' cyber attacks are equally worrisome but much more clandestine," said Alan Paller, director of research for the SANS Institute, via email.

2. Intelligence Services Out To Catalog Real Identities

If a foreign intelligence service was behind the attack, then it was likely meant to gain a foothold in the DOE's network, and then allow attackers to spread malware to other DOE systems. Alternately, the information could be used for more hands-on types of espionage. "Let's suppose the hackers were from China," said Sean Sullivan, security advisor at F-Secure Labs, via email. "In that case, they may very well be interested in the PII to facilitate real-world spying -- a lot of which still goes on. You need to know names and addresses in order to target somebody with a seductress."

3. Prepping Spear-Phishing Attacks

Or, the personnel information could be used to create more personalized spear-phishing attacks. These use emails that appear to be legitimate to trick users into opening malicious attachments, which then infect the targeted system and allow data to be stolen from the PC, as well as use the infected system as a springboard for infecting other servers and PCs.

Thanks to modern-day crimeware toolkits, attackers can repack their malware to vary its appearance, thus helping to bypass signature-based antivirus defenses. In the attack against The New York Times that came to light last week, for example, attackers launched 45 malicious files at newspaper PCs over a three-month period, and only saw one piece of malware get stopped and blocked by the Symantec antivirus software used by the Times.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/15/2013 | 3:50:44 PM
re: 6 Reasons Hackers Would Want Energy Department Data
A large part of hacking is gathering information on the potential target, and I mean every piece of information counts for something and could potentially play a part in a successful hack. The more you know about an organization the better off you are for determining potential usernames, passwords, are usually associated with personal information or organizational information, so you can see how personal information could play a huge role in this. After gaining access to systemG«÷s it does not matter exactly what information they are seeking, they will be able to pick and choose which data they want.

Paul Sprague
InformationWeek Contributor
treehousetim
50%
50%
treehousetim,
User Rank: Apprentice
2/7/2013 | 9:15:53 PM
re: 6 Reasons Hackers Would Want Energy Department Data
Kevin Mitnick would tell you that simply having names and personal information for these people would make a penetration a million times easier. He recently tweeted, "When conducting penetration tests, our success rate is 100% if our team is allowed to use social engineering. Never failed once." https://twitter.com/kevinmitni...

A lot of recent data breaches / attacks have been downplayed since "nothing important or classified" was stolen. I think this perception is both ignorant and foolish.

Any private data that is divulged without permission or intent should be considered a possible gateway to future attacks.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.