
Thursday, 07 July 2011

Russian Federation Sets New Science Priorities As 5 US Labs Are Breached

[Image: accelerator at the Large Hadron Collider]
2011 may be the worst year on record for cybersecurity breaches at U.S. national labs and related facilities: 5 breaches in 6 months.
April 11:
- Oak Ridge National Laboratory (managed by Battelle)
- Method of attack: spear phishing with a 0-day payload
June 11:
- Y-12 National Security Complex (managed by BWX, a member of the Battelle Energy Alliance)
- Method of attack: SQL injection
July 1:
- Battelle Memorial Institute
- Pacific Northwest National Laboratory (managed by Battelle)
- Thomas Jefferson National Accelerator Facility (managed by CSC via Jefferson Science Associates)
- Method of attack: unspecified, but spokespersons referred to it as "sophisticated", and all three labs stopped email and Internet services for several days.


In the meantime, today President Medvedev signed into law a decree establishing the priority areas and critical technologies of the Russian Federation:

Priority Areas:

  1. Security and counter-terrorism
  2. Nanotechnology
  3. Information and Telecommunication Systems
  4. Life Sciences
  5. Advanced Weapons
  6. Biotechnology
  7. Transportation and Space Systems
  8. Clean energy technology including nuclear power

List of Critical Technologies:

  1. Basic and critical military and industrial technologies for the development of advanced weapons, military and special equipment
  2. Basic technologies of power electronics
  3. Biocatalytic, biosynthetic and biosensor technologies
  4. Biomedical and veterinary technologies
  5. Genomic, proteomic and post-genomic technologies
  6. Cell technologies
  7. Computer modeling of nanomaterials, nanodevices and nanotechnologies
  8. Nano-, bio-, information and cognitive technologies
  9. Technologies of nuclear energy and the nuclear fuel cycle, and the safe handling of radioactive waste and spent nuclear fuel
  10. Bioengineering technologies
  11. Diagnostic technologies for nanomaterials and nanodevices
  12. Technologies for access to broadband multimedia services
  13. Information technologies, control and navigation systems
  14. Technologies of nanodevices and microsystems engineering
  15. Technologies of new and renewable energy sources, including hydrogen energy
  16. Technologies for obtaining and processing structural nanomaterials
  17. Technologies for obtaining and processing functional nanomaterials
  18. Technologies and software for distributed and high-performance computing systems
  19. Technologies for monitoring and forecasting the state of the environment, and for preventing and eliminating pollution
  20. Technologies for prospecting, exploration, development and mining
  21. Technologies for natural and man-made emergency situations
  22. Technologies for reducing losses caused by socially significant diseases
  23. Technologies for creating high-speed vehicles and intelligent control systems for new modes of transport
  24. Technologies for creating a new generation of rocket, space and transport equipment
  25. Technologies for creating electronic components and energy-efficient lighting devices
  26. Technologies for energy-efficient production, transmission, distribution and use of energy
  27. Technologies for energy-efficient production and conversion of energy from fossil fuels
The draft decree was sent out for approval to the State bodies on 20 May, 2011. It was signed into law on 07 July 2011. The above language is a machine translation from Russian to English.

My objective for this post is not to accuse the Russian government of being responsible for one or more of the breaches at the 5 national labs listed above; however, when attribution is considered, the RF must be included in the group of state suspects. They provide extensive training to their security services in Information Security TTPs. They have a long history of conducting industrial espionage. And they have a critical need for some of the research that's being conducted at the targeted labs. That's not enough to "convict" anyone, but it's certainly enough to make the Russian Federation and its Eastern European hacker crews "persons of interest".

Related Posts:
Three U.S. National Labs Attacked On July 1
The 2011 Russian Federation Information Security Reference

Saturday, 02 July 2011

Three U.S. National Labs Attacked on July 1: Same Mode As RSA

On July 1, 2011, Battelle Memorial Institute suffered a "sophisticated" attack against its network which also impacted Pacific Northwest National Lab and one other lab which wasn't named. Both PNNL and Battelle shut down their email servers and their Internet access as a precaution. As of 0200 03JUL2011, Battelle's website was still down (battelle.org) while PNNL.gov was functioning normally.
Oak Ridge National Lab suffered a similar attack on April 11 which involved a spear-phishing email with a human-resources-related theme that exploited a 0-day in Internet Explorer. Battelle manages several Department of Energy labs, including:
  • Brookhaven National Laboratory
  • Idaho National Laboratory 
  • National Renewable Energy Laboratory
  • Oak Ridge National Laboratory
  • Pacific Northwest National Laboratory
  • Lawrence Livermore National Laboratory
EMC's RSA SecurID division was compromised in a similar way in early March 2011 via a spear-phishing attack with an HR-related theme. In RSA's case it exploited an Adobe Flash 0-day. While Battelle and its managed national labs are all RSA SecurID customers, there is no publicly available information on the ORNL, PNNL, or Battelle attacks which suggests that the SecurID breach played a role at this time.

UPDATE (0300Z 3 JUL 2011):
Since my initial post I've discovered that on Feb 25, 2011 the Dept of Energy issued a "Preliminary notice of violation" to a division of Battelle - Battelle Energy Alliance - which involved three Severity Level I violations, and one Severity Level II violation associated with:
  • classification determination; 
  • protection and control of classified information; 
  • cyber security;
  • ineffective self-assessment processes that failed to identify the classified information security, and cyber security noncompliances disclosed by this event.
Battelle Energy Alliance is composed of Battelle Memorial Institute and 4 other institutions including BWX Technologies. BWX (Babcock & Wilcox Company) manages the Y-12 National Security Complex for the National Nuclear Security Administration (NNSA). Y-12 just had its webservers compromised through a SQL injection attack on June 12, 2011 by the Phsy hacker crew who posted usernames and passwords to a Pastebin file. One of the names posted belongs to a VP of SCI Consulting:
(SCI Consulting is the) Prime contract to the DOE Oak Ridge Office to provide the full spectrum of IT support services to the three managing and operating contractors on the Oak Ridge Reservation including Bechtel Jacobs Company, LLC; Babcock & Wilcox Technologies Y-12, LLC; and University of Tennessee-Battelle, LLC.
UT-Battelle LLC is a partnership between the University of Tennessee and Battelle Memorial Institute that manages Oak Ridge National Lab so the possibility of compromise via an SCI Consulting executive's credentials is certainly a risk worth examining. Even if this executive's stolen credentials were not used, it serves as an example of the potential exploitation of AntiSec data released in the public domain which agencies of foreign governments or their agents may use to leverage further exploitation or craft targeted attacks.
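The check the paragraph above calls for, as an added example that is not code from the original post: parse a Pastebin-style credential dump, match each identifier against your own domains and your privileged-account list, and record whether the leaked secret is cleartext or an unsalted MD5 hash that falls to a small dictionary, so the accounts that need a forced reset first are ranked. The dump, the domains, the privileged set and the wordlist are constructed sample data; they are not the Y-12 paste and contain no real accounts.

```python
"""Cross-check a leaked credential dump against your own identity data.

Added example, not code from the original post.  The dump, the domain
list, the privileged-account list and the wordlist below are all
CONSTRUCTED sample data; no real accounts or real leaked data are used.
"""
import hashlib
import re

# Constructed sample dump in the shape such pastes usually take: a banner
# line, mixed "user:hash" and "user:password" pairs, stray spaces, blanks.
LEAKED_DUMP = """\
#### dumped from webserver ####
jdoe@example-lab.gov:5f4dcc3b5aa765d61d8327deb882cf99
vp.smith@example-contractor.com:Summer2011!
ops-admin@example-lab.gov : 098f6bcd4621d373cade4e832627b4f6
lab.user@example-lab.gov:0123456789abcdef0123456789abcdef

random.person@gmail.com:password1
"""

# Constructed stand-in for directory / HR data.  In practice pull these
# from LDAP or AD and keep the privileged set current.
OUR_DOMAINS = {"example-lab.gov", "example-contractor.com"}
PRIVILEGED_ACCOUNTS = {"ops-admin@example-lab.gov"}

# Small constructed wordlist; a real check would use a proper cracking
# wordlist, but the point is that unsalted MD5 falls to a dictionary.
WORDLIST = ["password", "test", "123456", "Summer2011!"]

# identifier, separator, secret (tolerates whitespace around the colon)
_LINE_RE = re.compile(r"^\s*([^:\s]+)\s*:\s*(\S+)\s*$")
_MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_dump(text):
    """Return (identifier, secret) pairs; banners, blanks and junk are dropped."""
    pairs = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def crack_md5(digest, wordlist=WORDLIST):
    """Dictionary attack on an unsalted MD5 digest; None if no hit."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def triage(dump_text, domains=OUR_DOMAINS, privileged=PRIVILEGED_ACCOUNTS):
    """Flag leaked accounts in our domains and rank them for forced reset.

    P1: the secret is directly usable (cleartext, or a hash that cracks
        against the wordlist) or the account is privileged.
    P2: hashed, not cracked here, not privileged.  Still reset it; an
        attacker with a bigger wordlist may do better than we did.
    """
    hits = []
    for ident, secret in parse_dump(dump_text):
        if "@" not in ident or ident.rsplit("@", 1)[1] not in domains:
            continue  # not one of our accounts
        hashed = _MD5_RE.fullmatch(secret.lower()) is not None
        recovered = crack_md5(secret) if hashed else secret
        usable = recovered is not None
        is_priv = ident in privileged
        hits.append({
            "account": ident,
            "cleartext": not hashed,
            "recovered": recovered,
            "privileged": is_priv,
            "priority": "P1" if (usable or is_priv) else "P2",
        })
    return hits


if __name__ == "__main__":
    for hit in triage(LEAKED_DUMP):
        print(hit["priority"], hit["account"],
              "privileged" if hit["privileged"] else "",
              "secret usable" if hit["recovered"] else "hash not cracked")
```

Two caveats a practitioner would add: matching on your own domains misses staff who used a personal address with a reused password, so the hashes (not just the identifiers) are worth comparing against your own password store where the formats line up; and the same dump should be fed to the organisations you share contractors with, since, as the post notes, a contractor executive's credentials may open doors at more than one site.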

UPDATE (07 JUL 2011): The 3rd national lab has been identified as the Thomas Jefferson National Accelerator Facility (aka Jefferson Lab).


UPDATE (20 SEP 2011): The CIO of Pacific Northwest National Laboratory describes the attack and makes 7 recommendations.
