Attack On Pacific Northwest National Lab Started At Public Web Servers

Published: 22/11/2024   Category: security




Zero-day Flash payload infected visitors to lab's public-facing Web servers



The cyberattack discovered at Pacific Northwest National Laboratory (PNNL) during the Fourth of July holiday weekend used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash attack, according to officials at the Department of Energy-contracted facility.
PNNL, a research and development facility operated under contract to the Department of Energy, discovered what it described as a sophisticated targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.
Now more details are emerging on just how the attackers got into the Richland, Wash.-based lab, which employs around 4,900 people and handles homeland security analysis and research, as well as smart grid and environmental development.
Jerry Johnson, chief information officer for Pacific Northwest National Laboratory, said in an interview with Dark Reading that the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. These servers are considered "low impact" by government security standards, meaning that they require only minimal security under NIST standards.
The attackers exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. Johnson declined to elaborate on the Flash bug and exploit, but did say that the Flash vulnerability is one that has since been patched by Adobe.
Another DOE facility, Newport News, Va.-based Thomas Jefferson National Lab, was also hit around the same time frame as PNNL, according to published reports. The attacks have been described as having the earmarks of advanced persistent threat (APT) actors, typically nation-state sponsored and focused on cyberespionage.
A spokesman for Jefferson Lab says the nature of the attack on that site remains under investigation. "We were able to detect the cyberattack early and raise our defenses. This included taking down our Internet connection and servers. We never lost email, however, and work continued at the lab during the event. Most services to the lab are now restored," the spokesman said.
In the attack at PNNL, some users in what Johnson describes as the lab's "moderate impact" network sector were infected when they visited the breached public PNNL Web server. But Johnson says the lab's analysis indicates the attackers were unable to then move laterally within the lab's network, nor did they elevate privileges to gain any further inroads.
"Staff in more sensitive portions of the network assumed that a server in a less-sensitive and, therefore, potentially less-secured portion of the network was protected at the same level," Johnson says.
Even though the attackers used such a blanketed method of drive-by Web attack, Johnson says it was obvious they were zeroing in on PNNL. They netted non-PNNL workstations in their attack as well, but that wasn't their focus. "There were some workstations compromised by other DOE contractors we had on-site, but they were never exploited. [The attackers] didn't care about them, only about the ones inside the lab. It was very clear that they knew what they wanted, and that was to target PNNL," he says.
Meanwhile, the more serious part of the breach against PNNL came in a second-wave attack that originated from another laboratory, which has not been identified but sources say was not Jefferson Lab.
PNNL has a trusted-domain relationship with the lab, and the attackers grabbed privileged credentials there, which they then employed to reach the moderate impact side of PNNL's network, according to Johnson.
The attackers’ command and control channels were promptly severed when this second attack was detected, Johnson says.
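The two footholds described above, a moderate-impact workstation rendering active content served from a low-impact public Web server, and a privileged account from a trusted external domain logging on to the moderate-impact side, are both visible in ordinary proxy and authentication logs if the impact zones are known. The following is an added example, not code from the article, PNNL or Dark Reading: it scans constructed log lines for those two patterns. The zone address ranges, the trusted domain name, the hostnames and the log formats are assumptions made for the demonstration; only the low/moderate/high ordering follows the FIPS 199 impact levels the article refers to.

```python
"""
Added example (not from the article or PNNL): flag the two access patterns the
article describes, over constructed proxy and authentication log lines.

  1. Drive-by stage: a client in the "moderate" impact zone fetches a Flash
     object from a server in the "low" impact zone (public Web servers).
  2. Second-wave stage: a privileged account from a trusted external domain
     logs on to a host in the moderate-impact zone.

Zone ranges, domain names, hostnames and log formats are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# FIPS 199 impact ordering: low < moderate < high.
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}

# Assumed network plan (documentation ranges, not real lab addresses).
ZONES = {
    "low": [ipaddress.ip_network("192.0.2.0/24")],         # public-facing Web servers
    "moderate": [ipaddress.ip_network("198.51.100.0/24")],  # staff workstations
}
TRUSTED_EXTERNAL_DOMAINS = {"OTHERLAB"}  # assumed trusted-domain relationship
FLASH_TYPES = {"application/x-shockwave-flash"}


def zone_of(ip: str) -> Optional[str]:
    """Return the impact zone an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in n for n in nets):
            return zone
    return None


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_proxy_line(line: str) -> Optional[Finding]:
    """Proxy log format (assumed): <ts> <client_ip> <server_ip> <content_type> <url>"""
    ts, client, server, ctype, url = line.split(maxsplit=4)
    cz, sz = zone_of(client), zone_of(server)
    if cz is None or sz is None:
        return None
    # A higher-impact client rendering active content served from a lower-impact
    # zone is the drive-by path the article describes.
    if ctype in FLASH_TYPES and IMPACT_RANK[cz] > IMPACT_RANK[sz]:
        return Finding("flash-from-lower-impact-zone",
                       f"{ts} {client}({cz}) <- {server}({sz}) {url}")
    return None


def check_auth_line(line: str) -> Optional[Finding]:
    """Auth log format (assumed): <ts> <DOMAIN>\\<account> <target_ip> <privileged:yes|no>"""
    ts, principal, target, priv = line.split()
    domain, _account = principal.split("\\", 1)
    tz = zone_of(target)
    # Privileged credentials from the trusted external domain reaching the
    # moderate-impact side is the second-wave path the article describes.
    if domain in TRUSTED_EXTERNAL_DOMAINS and priv == "yes" and tz == "moderate":
        return Finding("external-privileged-logon", f"{ts} {principal} -> {target}({tz})")
    return None


def scan(proxy_lines: List[str], auth_lines: List[str]) -> List[Finding]:
    findings = [f for l in proxy_lines if (f := check_proxy_line(l))]
    findings += [f for l in auth_lines if (f := check_auth_line(l))]
    return findings


# Constructed sample logs (not real PNNL data).
PROXY_LOG = [
    "2011-07-01T09:10:00 198.51.100.23 192.0.2.10 text/html http://www.example-lab.test/news.html",
    "2011-07-01T09:10:02 198.51.100.23 192.0.2.10 application/x-shockwave-flash http://www.example-lab.test/banner.swf",
    "2011-07-01T09:11:00 192.0.2.11 192.0.2.10 application/x-shockwave-flash http://www.example-lab.test/banner.swf",
]
AUTH_LOG = [
    "2011-07-02T03:00:00 OTHERLAB\\svc-backup 198.51.100.40 yes",
    "2011-07-02T03:00:05 EXAMPLELAB\\jdoe 198.51.100.41 no",
]

if __name__ == "__main__":
    for finding in scan(PROXY_LOG, AUTH_LOG):
        print(finding.kind, finding.detail)
```

The proxy check deliberately compares zone ranks rather than hard-coding "moderate" and "low", so the same rule covers a high-impact client fetching from either lower zone; the third proxy line (a low-zone server fetching from another low-zone server) is not flagged, and the second auth line is not flagged because the domain is the lab's own.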
PNNL is targeted by attackers every day, usually with simple-to-detect-and-defend probes on its network. A PNNL spokesman says the lab stops some 4 million probes daily. But the latest attack was much more sophisticated, he says.
