Attacks/Breaches
2/6/2013
12:52 PM
Connect Directly
RSS
E-Mail
50%
50%

6 Reasons Hackers Would Want Energy Department Data

In Department of Energy breach, what was driving attackers to steal employee data? Stuxnet revenge is one theory.

4. Hacktivists Promoting A Cause

The Washington Free Beacon story quoted an unnamed "computer forensic specialist," who said that the DOE breach might have been the work of Anonymous. As evidence, the expert pointed to a Jan. 21, 2013, Pastebin post, since deleted, from a relatively new hacking group called Parastoo, which has been demanding that the International Atomic Energy Agency "start an investigation into activities at Israel's secret nuclear facilities."

To draw attention to that request, Parastoo's Pastebin post (later uploaded again) -- which signs off with the Anonymous manifesto -- included what it claimed was "information about one of the USA Department of Energy (DOE) critical servers we have access to." The timing of the upload would seem to correspond with the DOE's recent breach. But the information contained in the post appears to date from 2010, meaning it was likely assembled from previously published information.

Regardless, the recent DOE breach still could have been the work of hacktivists. "Let's suppose the hackers were part of Anonymous," said Sullivan. "In that case, I'd say they were just scanning all .gov sites for weakness, and PII at the DOE is what they found. And that works for Anonymous, as doxing [releasing information on] government employees is what it enjoys doing."

5. Financial Crime Syndicates Seeking Identity Information

Also on the opportunism front, cybercrime gangs -- or black-market resellers -- seeking information that could be used for financial gain might have hacked into the DOE systems, seeking employees' names as well as social security numbers and banking details. That said, trying to nab financial data from a U.S. government agency system seems like a relatively high-risk activity, given that there's arguably much lower-hanging fruit to be had -- and less risk of the FBI pursuing you -- by hacking into systems at private businesses.

Furthermore, Washington Free Press reported that in the DOE breach, "a total of 14 computer servers and 20 workstations at the headquarters were penetrated during the attack," although that information couldn't be verified. Regardless, according to the DOE, the breach apparently resulted in relatively small takings, involving personal information pertaining to just a few hundred employees and contractors. As far as financially motivated cybercrimes -- or hacktivist-organized doxing campaigns -- go, that's a very small haul.

6. Revenge For Stuxnet

There might be a Stuxnet angle to the attacks -- someone could be seeking information about specific department personnel. "From my very dark place, let's suppose the hackers were from Iran. If you Google for 'department of energy tennessee stuxnet,' the top result will be David E. Sanger's NYT piece on Stuxnet," said Sullivan. Notably, Sanger's story quoted unnamed government officials, who said that the U.S. government commissioned Stuxnet as part of a cyber-weapons program.

What's the Tennessee connection? "It's where the DOE had a replica of the equipment used by Natanz. Stuxnet interfered with Natanz. There have also been several assassinations of Iranian nuclear scientists," said Sullivan. "So ... perhaps Iran would like to return the favor?"

Security isn't necessarily the first thing people think of when they consider enterprise directories. But directories can be used in a number of ways to tighten and extend your organization's security. A Guide To Security And Enterprise Directories report, we examine enterprise directories—through the lens of Microsoft Active Directory -- and their potential as a solution for a wide array of security initiatives. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/15/2013 | 3:50:44 PM
re: 6 Reasons Hackers Would Want Energy Department Data
A large part of hacking is gathering information on the potential target, and I mean every piece of information counts for something and could potentially play a part in a successful hack. The more you know about an organization the better off you are for determining potential usernames, passwords, are usually associated with personal information or organizational information, so you can see how personal information could play a huge role in this. After gaining access to systemGÇÖs it does not matter exactly what information they are seeking, they will be able to pick and choose which data they want.

Paul Sprague
InformationWeek Contributor
treehousetim
50%
50%
treehousetim,
User Rank: Apprentice
2/7/2013 | 9:15:53 PM
re: 6 Reasons Hackers Would Want Energy Department Data
Kevin Mitnick would tell you that simply having names and personal information for these people would make a penetration a million times easier. He recently tweeted, "When conducting penetration tests, our success rate is 100% if our team is allowed to use social engineering. Never failed once." https://twitter.com/kevinmitni...

A lot of recent data breaches / attacks have been downplayed since "nothing important or classified" was stolen. I think this perception is both ignorant and foolish.

Any private data that is divulged without permission or intent should be considered a possible gateway to future attacks.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.