Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:03 PM
Connect Directly

Attack On Pacific Northwest National Lab Started At Public Web Servers

Zero-day Flash payload infected visitors to lab's public-facing Web servers

The cyberattack discovered at Pacific Northwest National Laboratory (PNNL) during the Fourth of July holiday weekend used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash attack, according to officials at the Department of Energy-contracted facility.

PNNL, a research and development facility operated under contract to the Department of Energy, discovered what it described as a "sophisticated" targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.

Now more details are emerging on just how the attackers got into the Richland, Wash.-based lab, which employs around 4,900 people and handles homeland security analysis and research, as well as smart grid and environmental development.

Jerry Johnson, chief information officer for Pacific Northwest National Laboratory, said in an interview with Dark Reading that the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. These servers are considered "low impact" by government security standards, meaning that they require only minimal security under NIST standards.

The attackers exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. Johnson declined to elaborate on the Flash bug and exploit, but did say that the Flash vulnerability is one that has since been patched by Adobe.

Another DOE facility, Newport News, Va.-based Thomas Jefferson National Lab, was also hit around the same time frame as PNNL, according to published reports. The attacks have been described as having the earmarks of advanced persistent threat (APT) actors, typically nation-state sponsored and focused on cyberespionage.

A spokesman for Jefferson Lab says the nature of the attack on that site remains under investigation. "We were able to detect the cyberattack early and raise our defenses. This included taking down our Internet connection and servers. We never lost email, however, and work continued at the lab during the event. Most services to the lab are now restored," the spokesman said.

In the attack at PNNL, some users in what Johnson describes as the lab's "moderate impact" network sector were infected when they visited the breached public PNNL Web server. But Johnson says the lab's analysis indicates the attackers were unable to then move laterally within the lab's network, nor did they elevate privileges to gain any further inroads.

"Staff in more sensitive portions of the network assumed that a server in a less-sensitive and, therefore, potentially less-secured portion of the network was protected at the same level," Johnson says.

Even though the attackers used such a blanketed method of drive-by Web attack, Johnson says it was obvious they were zeroing in on PNNL. They netted non-PNNL workstations in their attack as well, but that wasn't their focus. "There were some workstations compromised by other DOE contractors we had on-site, but they were never exploited. [The attackers] didn’t care about them, only about the ones inside the lab. It was very clear that they knew what they wanted," and that was to target PNNL, he says.

Meanwhile, the more serious part of the breach against PNNL came in a second-wave attack that originated from another laboratory, which has not been identified but sources say was not Jefferson Lab.

PNNL has a trusted-domain relationship with the lab, and the attackers grabbed privileged credentials there they then employed to reach the "moderate impact" side of PNNL's network, according to Johnson.

"The attackers’ command and control channels were promptly severed when this second attack was detected," Johnson says.

PNNL is targeted by attackers every day, usually simple-to-detect and defend probes on its network. A PNNL spokesman says the lab stops some 4 million probes daily. But the latest attack was "much more sophisticated," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.