The US science and technology lab Oak Ridge National Laboratory Thursday disclosed it has been compromised by what it described as a "sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."
Other reports indicate ORNL's sister institution at Los Alamos was also hit, though it has not been confirmed that Los Alamos was hit successfully.
In a public statement, Oak Ridge National Laboratory, which has 3,800 staff and US$1.06 billion budget under management by the US Deptartment of Energy with UT-Battelle, said a hacker gained access to ORNL computers by sending staff e-mails that appeared to be official legitimate communications.
"When the employee opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information," ORNL said.
ORNL said the compromise has been traced back to October 29, 2007, and that the lab has "reason to believe that data was stolen from a database used for visitors to the Laboratory."
ORNL, which conducts highly sensitive energy research in the neutron science and high-energy physics as well as biology research, does not believe that classified information was lost. However, ORNL said anyone who visited the lab, which is based in Oak Ridge, Tenn., between the years 1990 and 2004 may have had their name and other personal information, such as Social Security numbers and birth date, stolen by the attackers.
Thom Mason, director of ORNL, on Monday sent an e-mail to staff employees that said, "Our cyber security staff has been working nights and weekends to understand the nature of this attack."
"Our review to date has shown that while every security system at ORNL was in place and in compliance, the hackers potentially succeeded in gaining access to one of the laboratory's non-classified databases that contained personal information of visitors to the laboratory between 1990 and 2004. At this point we have determined that the thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate. One of these fake e-mails notified employees of a scientific conference
Another pretended to notify the employee of a complaint on behalf of the Federal Trade Commission, " Mason said.
Mason said it looks as though 11 staff opened the attachments, which then "enabled the hackers to infiltrate the system and remove data."
Mason said reconstructing the exact chain of events in their entirety "will likely take weeks, if not longer, to complete."
ORNL is making the effort to contact all the people whose personal information was compromised, but that a large number of out-of-date addresses is complicating this effort. He added there is no evidence to date that the stolen information has been used.
ORNL spokesman Ron Walli said the lab couldn't comment further on the nature of the attack or its possible origination due to its extreme sensitivity. "It's a serious matter and we've told not to discuss it," he said.