Zero-day Flash payload infected visitors to lab's public-facing Web servers

The cyberattack discovered at Pacific Northwest National Laboratory (PNNL) during the Fourth of July holiday weekend used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash attack, according to officials at the Department of Energy-contracted facility.

PNNL, a research and development facility operated under contract to the Department of Energy, discovered what it described as a "sophisticated" targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.

Now more details are emerging on just how the attackers got into the Richland, Wash.-based lab, which employs around 4,900 people and handles homeland security analysis and research, as well as smart grid and environmental development.

Jerry Johnson, chief information officer for Pacific Northwest National Laboratory, said in an interview with Dark Reading that the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. These servers are considered "low impact" by government security standards, meaning that they require only minimal security under NIST standards.

The attackers exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. Johnson declined to elaborate on the Flash bug and exploit, but did say that the Flash vulnerability is one that has since been patched by Adobe.

Another DOE facility, Newport News, Va.-based Thomas Jefferson National Lab, was also hit around the same time frame as PNNL, according to published reports. The attacks have been described as having the earmarks of advanced persistent threat (APT) actors, typically nation-state sponsored and focused on cyberespionage.

A spokesman for Jefferson Lab says the nature of the attack on that site remains under investigation. "We were able to detect the cyberattack early and raise our defenses. This included taking down our Internet connection and servers. We never lost email, however, and work continued at the lab during the event. Most services to the lab are now restored," the spokesman said.

In the attack at PNNL, some users in what Johnson describes as the lab's "moderate impact" network sector were infected when they visited the breached public PNNL Web server. But Johnson says the lab's analysis indicates the attackers were unable to then move laterally within the lab's network, nor did they elevate privileges to gain any further inroads.

"Staff in more sensitive portions of the network assumed that a server in a less-sensitive and, therefore, potentially less-secured portion of the network was protected at the same level," Johnson says.

Even though the attackers used such a blanketed method of drive-by Web attack, Johnson says it was obvious they were zeroing in on PNNL. They netted non-PNNL workstations in their attack as well, but that wasn't their focus. "There were some workstations compromised by other DOE contractors we had on-site, but they were never exploited. [The attackers] didn’t care about them, only about the ones inside the lab. It was very clear that they knew what they wanted," and that was to target PNNL, he says.

Meanwhile, the more serious part of the breach against PNNL came in a second-wave attack that originated from another laboratory, which has not been identified but sources say was not Jefferson Lab.

PNNL has a trusted-domain relationship with the lab, and the attackers grabbed privileged credentials there they then employed to reach the "moderate impact" side of PNNL's network, according to Johnson.

"The attackers’ command and control channels were promptly severed when this second attack was detected," Johnson says.

PNNL is targeted by attackers every day, usually simple-to-detect and defend probes on its network. A PNNL spokesman says the lab stops some 4 million probes daily. But the latest attack was "much more sophisticated," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights