Department of Energy Networks Under Siege

Thursday, July 07, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

DOE Networks Under Siege - Labs Report Sophisticated Breaches

As Sherlock Holmes would have said - "The game is afoot!"

Let me ask you one fundamentally disturbing question... What if ESnet was to get compromised?

What is ESnet you ask? It's the network that inter-connects the major US Department of Energy laboratories, across the US and likely across the globe to other institutions of scientific research. 

The Energy Sciences Network provides high-speed, high-resiliency links to the Oak Ridge National Laboratory, the Pacific Northwest National Laboratory, the DOE's Y12 National Security Complex, and FermiLab to name the obvious ones.

What if this network was to be compromised?  What treasure trove of information could be discovered then slowly (or quickly) exfiltrated by the attackers?  You don't have to do too much digging to start putting pieces together. 

The various labs getting hacked got my attention, so piecing some news stories together over the past month, through the help of a colleague, we've managed to put together one heck of a story... all ending in the big question: "What if ESnet is compromised?"

Here's how the dots in our story so far connect, in a nice mind-map

DOE Under Siege.jpg

So... Oak Ridge National Lab gets nailed. DOE's Y12 National Security Complex gets nailed. PNNL gets nailed. None of these breaches say much more than an attempt to compromise into the network was made, some data was breached/exfiltrated...

All of them have some degree of exfiltrated data (only Y12 admits to stolen credentials) and all of their spokespeople swear they're not the target themselves. The attribution of attack is all over the map, from LulzSec, to Anonymous to the Chinese government... without any real proof for any of it.

Then there's this business of Battelle, a company who manages these facilities and is also (if sources are to be trusted) currently under heavy attack from the 'net. So doing a little digging, and some reading, it's not too far of a stretch to think that the attackers, whom ever they are, are likely after something with in the DOE network - something probably classified

How do you get into a network like that? Elementary my dear Watson... you spear-phish your way in with some custom malware burning an IE 0-day. Oak Ridge admits 10% of their 570 targeted users clicked the link to install the malware - that's 57 users for those of you doing your own math. That's a significant amount of information that would have then been exfiltrated... and was.

It's quite plausible to me that the attackers were after credentials, and network access.  They didn't appear to get away with large quantities of information (at least not on the first pass), and from the statement of 'a few megabytes' we can reasonably deduce that the attackers could have been harvesting credentials from the machines that were compromised. 

Add that to the SQL Injected credentials stolen and we have a party ... or trouble on ESnet, if you ask me.  But what do I know...

OK, conspiracy theory aside - what does this mean?  I think it's clear that ESnet needs a serious amount of threat intelligence on that network. Connecting the various labs and factoring in the Battelle corporate network, analyzing ESnet network activity and making sense of the terabytes of raw data undoubtedly being collected right now by all the blinky boxes labeled "security" would paint a more complete picture. 

The case for a more complete threat intelligence setup is compelling ...if not painfully obvious.  When the network is this complex, the assets this critical - how else do you have any faith in your security? 

Just as a point of clarification - I'm not saying that Battelle or the ESnet folks don't have a good handle on what's going on in their network - but clearly once you start drawing lines and connecting dots the picture gets very interesting (and a big "more information needed" point is to be made).

I wonder how much of what's really going on we'll ever know... maybe no more than our research and theory here... but I think there are some very serious questions those folks need to be asking themselves:

  • Where are the threats right now?
  • Can we trust who's already on that network?
  • Can we stop a multi-phase, multi-point, stepping-stone type of attack?

This isn't a joke, or something to be taken lightly. This is the US Department of Energy.  These are the people who have invested billions of our dollars into research for tomorrow's energy, including nuclear capability and alternative energies... what if that information got out? What would that cost us?

So I'll just close by asking once again... is ESnet compromised?  Is anyone prepared to answer that question?

Happy Birthday America ...how well do you sleep tonight?

Research Contributed by Gillis Jones.  Find him at @Gillis57 on Twitter.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
17898
Network->General
Information Security
Attacks hackers DOE Oak Ridge National Laboratory Y-12 Nuclear Weapons Plant Battelle Corp Pacific Northwest National Laboratory ESnet
Post Rating I Like this!
71f15763f61bde77f05b52c95df7ebb9
Secure ByForce Interesting article and nice work. I don't think most people have any idea what these labs actually do or the kind people that work there. If this network was breached and they don't have sufficient internal controls on data in place this could be catastrophic.
1310083027
0a8cae998f9c51e3b3c0ccbaddf521aa
Rafal Los Hi- thanks for the comment ...it's been an interesting couple of weeks since I posted this on my blog initially. Unfortunately, I can't even talk about it anymore :(
1312909406
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.