The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

Only a "few megabytes" of data were stolen before the lab discovered the breach and cut internet access to prevent further exfiltration from the sensitive government facility, according to Thomas Zacharia, deputy director of the lab.

The lab, which is located in Tennessee and conducts classified and unclassified energy and national security work for the federal government, is funded by the U.S. Department of Energy and is managed by UT-Batelle, a private company formed by the University of Tennessee and Batelle Memorial Institute. The lab's science and technology research includes work on nuclear nonproliferation and isotope production. The lab, ironically, also does cybersecurity research focusing on, among other things, researching malware and vulnerabilities in software and hardware as well as phishing attacks.

"One of our core competencies at the lab is cybersecurity research," Zacharia said.

Zacharia called the attack against the lab "sophisticated" and compared it to so-called "advanced persistent threat" attacks that hit security firm RSA last month and Google last year.

The attacker used an Internet Explorer zero-day vulnerability that Microsoft patched on April 12 to breach the lab's network. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user's machine if he or she visits a malicious web site.

According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users' machines.

The attackers cast their net wide in the company, but hooked only two computers in the phishing scheme, Zacharia said. About 530 employees received the e-mail – out of about 5,000 workers – but only 57 people clicked on the malicious link in the correspondence. Out of this, only two machines got infected with the malware.

The lab began to block the malicious emails soon after they began coming in, but it was already too late. On April 11, administrators discovered a server had been breached when data began leaving the network. Workers cleaned up the infected system, but early Friday evening "a number of other servers suddenly [went] active with the malware," Zacharia said. The malware had apparently laid dormant for a week before it awoke on those systems. That's when the lab blocked internet access.

Zacharia said the malware "masked itself" on systems and was designed to erase itself if it tried to compromise a system and was unsuccessful.

"We are still trying to fully characterize the malware so we can completely eradicate it," he said.

He was unable to say what the attackers stole or where the pilfered data went. The exfiltrated data was encrypted, and its destination is still being investigated. He said, however, that investigators from "sister labs" and other government agencies were "having some successes" in decrypting the data and analyzing the code. He would not say whether encryption experts from the National Security Agency were among those assisting the investigation.

"I would just say federal folks who typically work in the labs with us [are helping out]," he said.

The lab had begun to restore limited e-mail usage for workers on Tuesday afternoon, but employees were still being prevented from sending or receiving attachments.

It's not the first time the lab has been breached through spear phishing. In 2007, a similar attack allowed hackers to access a nonclassified database at the lab and gain access to thousands of names, Social Security numbers and birth dates belonging to anyone who had visited the lab between 1990 and 2004.

In that case, the attackers sent a variation of seven different e-mails to workers, including one purporting to discuss an upcoming scientific conference. Some of the emails contained malicious attachments, while others directed employees to click on an embedded link, allowing the attackers to install keystroke-logging programs and other malware onto employee computers. The attackers were ultimately able to exfiltrate gigabytes of data.

"Obviously we got a little bit more smarter about it and we were able to detect it and minimize the exfiltration this time around," Zacharia said.

The lab, along with its sister lab, the Idaho National Laboratory, was recently implicated in U.S. government efforts to sabotage Iran's nuclear program. In January, the New York Times revealed that the Idaho lab helped find vulnerabilities in Siemens control system software in order to infect systems at Iran's Natanz nuclear plant with the malicious Stuxnet worm.

The worm was designed to destroy centrifuges operating at the Natanz plant in order to thwart Iran's production of enriched uranium. The article disclosed that in 2003, as part of the plan to target Natanz, the Oak Ridge lab obtained a cache of centrifuges that match the model used at Natanz. The goal was to study the centrifuges for vulnerabilities so that the U.S. and Israel could destroy them.

Asked about his lab's possible role in researching and developing the Stuxnet attack, Zacharia said he didn't have any information and would have to look into it.

Photo of Oak Ridge National Laboratory campus courtesy of U.S. Department of Energy