After Hack, Oak Ridge National Lab Finds Data Breach, Pulls Its Internet Plug

The national laboratory that may or may not have played a supporting role in the Stuxnet cyberattack on Iran’s nuclear facilities has been hacked, officials said yesterday, and facility-wide Internet access was cut Friday to stop data from flowing out of the lab. Oak Ridge National Laboratory, located in Tennessee, only lost a few megabytes of data. But it’s unclear what data was stolen, and even less clear where it went.

The attack was sophisticated, ORNL’s deputy director said, akin to the attacks that hit Google last year and security firm RSA just last month. The malware got inside through a pretty standard spear-phishing scheme in which an email posing as a note from human resources linked users to a malicious Web page that installed malware on their terminals.

Of 530 emails sent (out of about 5,000 total workers), only 57 users clicked through. Of those, only two machines were actually compromised. But that was enough. On April 11 admins noticed a server was breached when data began flowing outward, and they were able to quickly head that attack off and disinfect the server. But apparently another set of code was lying dormant elsewhere in the system, and on Friday evening it began exfiltrating data from a number of servers.

That’s when ORNL security pulled the plug on the Internet. As of yesterday, limited email has been restored for ORNL workers, but the investigation is ongoing. Given that cybersecurity is one of ORNL’s research foci, the attack could be construed as ironic. Or it could be construed as a security success, given that very little data actually made it off the ORNL servers before the breach was detected and the plug pulled.

Still, someone–and investigators, at least publicly, say they have no idea who–got inside. Considering ORNL also researches nuclear technology and dabbles in other classified areas alongside its better-known unclassified work, that’s more than a little worrisome.

Threat Level