U.S. Energy Department Hack Details

  • 30 August 2013
  • 1 reply
  • 974 views

Userlevel 7
  • Retired Webrooter
  • 1581 replies
The U.S. Department of Energy was hacked back in February, which we reported on, and then again in July. New information has now become available about the July hack.

From InformationWeek:
According to an email sent to all DOE employees on Aug. 29, information on 2,532 current employees, 3,172 former employees and seven employees on leave was stolen in the breach, which occurred in July. "The sensitive PII data compromised was limited to names, dates of birth and social security numbers," the internal memo stated. The stored information did not include banking, credit card or clearance information, according to the memo, which said that no information related to agency contractors had been compromised.

Originally, the agency stated the breach affected 14,000 employees.  Affected employees may be out of luck if their identities have been stolen.  The DOE has offered no related advice or services to its employees beyond pointing them to an FTC pamphlet called "Taking Charge: What To Do If Your Identity Is Stolen."

While the employees themselves certainly have something to worry about, so does the DOE. They use what sounds like a single-sign-on system that has logins consisting of - you guessed it - names and social security numbers.

According to DOE sources, the problem of insecure systems that contain PII is widely known at the agency but difficult to change since more than 1,000 systems tap DOEInfo, which maintains a single user ID for each employee, tied to employee access permissions. "Our logins still use our initials and parts of our SSN (duh), who would think that was good enough in the first place?" one source said in an email message. "Complaining doesn't help. The answer is always, it costs too much to redo our PII."

That doesn't mean those are the only components of the logins, but if there is any convention to the login creation system, it wouldn't be too difficult to figure out what a lot of the logins are. Obtaining a possibly-commonly-used password for a DOE employee could potentially be as simple as using the social security number to obtain the password from a personal account and trying it on the DOE systems.

The attack itself exploited an out-of-date ColdFusion-based application. It serves as a good reminder for the need to update your apps.

As we've mentioned before, it really wouldn't hurt for the DOE to layer on the Webroot Intelligence Network.
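The login weakness the post describes (user IDs built from initials and SSN fragments) is something an organization can measure in its own directory before deciding on a redesign. The script below is an added example, not code from the original post, from Webroot or from the DOE; it assumes a hypothetical directory export with the five fields shown, the detection heuristic (initials prefix, or a run of four or more consecutive SSN digits inside the ID) is the author's own choice, and every record in it is constructed sample data.

```python
"""Audit a user directory for login IDs that are derived from PII.

Hypothetical helper (not code from the original post, from Webroot or from the
DOE): flags user IDs that start with the holder's initials or embed a run of
four or more consecutive SSN digits, and shows the opaque-ID alternative.
Every record below is constructed sample data.
"""
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    user_id: str
    first: str
    middle: str
    last: str
    ssn: str  # formatted "AAA-GG-SSSS"; constructed values only


def initials(e: Employee) -> str:
    """Lower-case initials, skipping an empty middle name."""
    return "".join(n[0] for n in (e.first, e.middle, e.last) if n).lower()


def ssn_fragments(ssn: str, min_len: int = 4) -> set[str]:
    """Every run of at least min_len consecutive digits of the SSN."""
    digits = re.sub(r"\D", "", ssn)
    return {
        digits[i:j]
        for i in range(len(digits))
        for j in range(i + min_len, len(digits) + 1)
    }


def pii_findings(e: Employee) -> list[str]:
    """Which PII-derivation patterns the user ID matches (empty = none)."""
    uid = e.user_id.lower()
    findings = []
    ini = initials(e)
    if ini and uid.startswith(ini):
        findings.append("initials")
    if any(frag in uid for frag in ssn_fragments(e.ssn)):
        findings.append("ssn-fragment")
    return findings


def audit(employees: list[Employee]) -> dict[str, list[str]]:
    """Map each flagged user ID to the patterns it matched."""
    return {e.user_id: f for e in employees if (f := pii_findings(e))}


def opaque_user_id(nbytes: int = 6) -> str:
    """Replacement scheme: a random ID that carries no information about
    its owner; the directory keeps the mapping from ID to person."""
    return "u" + secrets.token_hex(nbytes)


# Constructed sample export (names and SSNs are made up).
SAMPLE = [
    Employee("jqp6789", "Jane", "Q", "Public", "123-45-6789"),   # initials + last four
    Employee("k4321a", "Ann", "", "Kim", "555-12-4321"),          # SSN digits only
    Employee("mlee01", "Mary", "", "Lee", "222-33-4444"),         # initials only
    Employee("u3f9a1c2b", "Richard", "", "Doe", "987-65-4321"),   # opaque ID, clean
]

if __name__ == "__main__":
    for uid, why in audit(SAMPLE).items():
        print(f"{uid}: derived from {', '.join(why)} -> replacement e.g. {opaque_user_id()}")
```

On the constructed sample the audit flags three of the four IDs; the one that passes is the kind of opaque identifier that reveals nothing about its owner even when the directory's PII is later exposed, which is the property a redesign would aim for.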

Userlevel 7
The following article is an update:
************************************
US Energy Department's systems breached 159 times in four years.

Posted on 10 September 2015. The US Department of Energy (DOE) has had its computer systems successfully breached by cyber attackers 159 times in four years, USA Today reports.

The US DOE is responsible, among other things, for the nation's nuclear weapons program, energy conservation, radioactive waste disposal, and domestic energy production. It also sponsors much research (energy-related and not), most of which is conducted through its system of National Laboratories.

The publication has submitted a FOIA request to the Department, and has received a document that, admittedly, does not provide much concrete information about the attacks, as that information has been redacted.

What can be gleaned from it is that, between October 4, 2010 and October 3, 2014, the Department of Energy was targeted 1,131 times. Of that total, attackers successfully gained user access 106 times, and root access 53 times. full article