The U.S. Department of Energy's Thomas Jefferson National Accelerator Facility
JLab Targeted in Cybersecurity Test
David Bianco (left), security analyst, and Bob Lukens, computer security manager, review information to help them identify and foil various types of cyber attacks.
Just after 10 a.m. on May 21, several hundred Jefferson Lab computer account holders received a suspicious e-mail. The e-mail appeared to contain a link to a special training procedure each person needed to complete in order to hold a type of Department of Energy badge. Within minutes, the JLab cybersecurity team was inundated with phone calls, e-mails and office visits about the message.

The e-mail was part of a so-called "Red Team attack" on the lab. The attack had been sanctioned by DOE as a test of the cybersecurity programs at JLab and several other national labs.

"The e-mail looked very official and very compelling, like this was official DOE business just for lab staff. But if you looked closely at the address of the link that you were going to, the final word on the main part of the URL was '.net' rather than '.gov,' and this is characteristic of somebody who's passing off a link that they've established, wanting you to think that it's actually an official link," explains Bob Lukens, Information Technology Division computer security manager. "This is what is known as a spear-phishing attack."

Spear-phishing is the newest type of social engineering attack and is very similar to the more familiar "phishing" scams that e-mail account holders have gotten used to. In an ordinary phishing attempt, a scam message is sent out blindly to e-mail address holders. In a spear-phishing attack, the scam is targeted at a particular group of people or even at specific individuals. In this case, e-mail account holders at several national labs were targeted.

Spear-phishing E-mail Attack Made to Seem Real
This was the test spear-phishing attack message sent to hundreds of computer account holders at Jefferson Lab and other national labs on May 21.

Subject line: HSPD-12 Identification Briefing

As identified by Executive and Department of Energy (DOE) orders, all DOE and National Nuclear Security Administration (NNSA) Federal and contractor employees, and other government agency personnel detailed to the DOE, regardless of their security clearance status, will be participating in the switch to the new HSPD-12 badge system. The DOE HSPD-12 Identification Briefing (HIB) is being provided to instruct DOE Federal and contractor employees on the appropriate identification methods provided by the new HSPD-12 compliant badge, including the new badge markings for each clearance level.

"It was actually a copy of a legitimate DOE website and a DOE e-mail that went out to users at other facilities some time ago," says David Bianco, security analyst.

As soon as the cybersecurity team was notified of the e-mails, they took action. "Within minutes of receiving the first notification, we had blocked the outgoing link that people might click on. And minutes later, we had a mail filter in place, so that we would be blocking incoming messages that had the same content. E-mail delivery is fast and in the end, there were about 380 messages delivered to people onsite," Lukens says.

Of those recipients, some did click the link in the e-mail, and a few submitted information to the fake website. These actions could have exposed an account holder's computer to a downloaded virus or malware. This time, no harm was done. But JLab's cybersecurity team warns against falling for future spear-phishing e-mails.

"If it looks like something that may be legitimate, but you think it's a scam, you can forward it to the Help Desk. But if it looks like a scam, it's probably a scam," Bianco says.

He also recommends not clicking on a suspicious link to investigate, since this action alone could trigger a download of malware or falsely indicate that an account holder has been suckered into a potential scam. A far safer policy is simply to forward the e-mail to the Help Desk (helpdesk@jlab.org).

Meanwhile, Lukens credits JLab's e-mail account holders for their quick response to the suspicious e-mail. "It was really the e-mail account holders that responded very quickly that helped us rapidly detect this problem and respond appropriately. So the users have done a good job on this."

For more information on how to identify and thwart a spear-phishing attempt, visit http://www.sans.edu/resources/securitylab/spear_phish.php

By Kandice Carter
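The indicator Lukens describes above, the link's final domain label reading '.net' rather than '.gov', as an added example that is not part of the original article or of JLab's own tooling: a Python check a help desk could run over a forwarded message instead of clicking the link. It goes one step beyond the article by also comparing the visible link text with the real href target; the message body and every hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample body, not the real test message; both hostnames are
# placeholders. The anchor shows a .gov address but links to a .net host.
SAMPLE_BODY = """Subject: HSPD-12 Identification Briefing
Complete the HSPD-12 Identification Briefing here:
<a href="http://www.energy.gov.hib-briefing.net/login">https://www.energy.gov/hspd12</a>
Reference: https://www.energy.gov/hspd12
"""

URL_RE = re.compile(r'https?://[^\s"<>]+')
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def top_level_label(url):
    """Final label of the hostname: the '.net' versus '.gov' Lukens points to.

    Only the last label counts, so 'www.energy.gov.hib-briefing.net' is
    'net' even though '.gov' appears earlier in the name.
    """
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    return host.rsplit(".", 1)[-1] if host else ""


def suspicious_links(body, expected_tld="gov"):
    """Return (url, reason) pairs for links that fail the domain checks."""
    findings = []
    # Check 1: visible link text names one host, the real target is another.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            findings.append((href, "visible text points to a different host"))
    # Check 2: the top-level domain of every URL must be the expected one.
    for url in URL_RE.findall(body):
        tld = top_level_label(url)
        if tld != expected_tld:
            findings.append((url, f"top-level domain is .{tld}, not .{expected_tld}"))
    return findings


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_BODY):
        print(f"FLAG {url}: {reason}")
```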