Department of Energy hack exposes major vulnerabilities

The U.S. Department of Energy (DoE) is the latest federal agency to become the victim of a cyberattack while not immediately being aware of it.

Several security experts say the intrusion was unlikely a prelude to what outgoing Secretary of Defense Leon Panetta has warned is a coming "cyber Pearl Harbor" aimed at the U.S. But they said it is serious all the same, because it shows how vulnerable critical government departments are to espionage.

Bill Gertz, of The Washington Free Beacon, reported Monday that unnamed Energy Department officials confirmed that there had been an attack on servers at the agency's Washington headquarters about two weeks ago.

Gertz reported that the sources told him that 14 computer servers and 20 workstations were penetrated, that personally identifiable information of several hundred employees was compromised, but that no classified information was exposed.

The officials said Chinese hackers were the likely source of the attack, although that is not certain. A hacker group called Parastoo, which is Farsi for the swallow bird and a common girl's name, claimed responsibility for the attack on January 21 on Pastebin.

But government sources told the Beacon that the posting "contained information that was dated," and therefore they don't think the group was behind the attack.

The report said that the government defines such personal information as full name; national identification number such as a Social Security number; Internet Protocol addresses, vehicle and driver's license numbers; face, fingerprint or handwriting samples; credit card numbers; digital identity; date of birth; birthplace; and genetic information.

And it quoted Ed McCallum, a security consultant who previously worked for the department's Office of Safeguards and Security, saying the breach is evidence of decades of poor security at the department.

"It's a continuing story of negligence," McCallum said.

Michael Murray, managing partner at MAD Security and The Hacker Academy, is not so sure. "Every security person I've ever worked with believes their organization could do more to protect its secrets," he told CSO Online. "'Negligence' is a strong term that, in many cases, turns out to mean 'business decisions that I don't agree with.'"

But James Arlen, a senior security consultant with the Leviathan Security Group, said he thinks McCallum is probably correct. "There's a certain amount of institutional hubris in large government organizations that creates a mentality that says, 'it worked well last year, why change?'"


"The DoE, despite a long history of facing espionage attacks, still has the common HR policy in the public service of hiring at a price point rather than a skill point," he said. "And just like buying produce at the dollar store, you get what you pay for."

Tommy Stiansen, CTO of Norse, said McCallum is correct: "Given the information I can get from the Internet, I'm personally sure."

"The DoE server, their Linux box, tells me they're not security minded," he said. "The box is outdated, not hardened and there is not adequate security in front of it."

And he said the names of employees and contractors were easily available, "which can be used in numerous ways by hackers to gain more information. Nobody should have personal accounts facing the Internet," Stiansen said.

However, while the DoE is a prime target for hostile nation states, both experts doubt that this attack caused any major immediate damage, either to the agency or its employees.

If it was a traditional cyberattack, Murray said, employees would be at greater risk. But from a nation-state or an activist group like Anonymous, "the impact of [personally identifiable information] exposure is minimal," he said.

Arlen said if the attackers were able to get classified information (which the DoE has reportedly denied), it could be significant. "If it is espionage, with the outcome being a more traditional physical attack with either advanced knowledge of weaknesses or advanced knowledge of weapons," then it could be serious, he said.

Regardless, the attack should prompt the DoE to get much more serious about security, the experts agree. Arlen said it comes down to "doing the basic stuff correctly."

"Have preventative controls on information assets," Arlen said. "Lock it up, disconnect it, treat information like toxic waste and sequester it with appropriate technologies. Use detection controls -- reduce complexity, simplify network design, introduce appropriate choke points, do behavioral analysis on information flows, be vigilant."

"And stop relying on technologies, techniques and training which are obviously not working," he said. "Assemble the cyber special forces -- why are the best-of-the-best infosec people not on call for issues like this?"

Dominique Karg, chief hacking officer at AlienVault, said "the solution is right in front of their noses and it's cheap as hell."

"It just requires three things," he said. "First, it requires their arrogance to go down. They need to acknowledge that the government/military is no longer best in breed at this particular type of warfare. Second, it requires increased respect for those who do know. Government jobs don't pay the six- to seven-figure salaries that security jobs at public companies in Silicon Valley pay. And even if someone said 'Screw it, I'm doing this for my country,' he'll get back to the private soon enough after being sneered at by everyone and being labeled as the 'printer fixing guy'. Finally, they need to accept outside help."

"There are people who want to help, for free. Let them," Karg said.

Stories by Taylor Armerding