Department of Energy latest victim of a government data breach

The U.S. Department of Energy became the latest government cyberattack victim after a report disclosed the agency had suffered more than 1,000 cyberattacks in a four-year span.

The U.S. Department of Energy recorded attacks against its computers 1,131 times during the four years ending Oct. 3, 2014, with attackers gaining access to those computers 159 times, according to records released in response to a Freedom of Information Act request from USA Today. The latest government data breach included 53 successful root exploits.

Andrew Gumbiner, spokesman for the Department of Energy (DOE), said in a prepared statement that "[I]n 2013, DOE experienced two significant intrusions, which led to the potential loss of personally identifiable information (PII) of former and current DOE employees and contractors."

It was unclear whether those intrusions were documented in the released records.

Gumbiner said the DOE would not comment on ongoing investigations or possible attributions of malicious activity, but indicated there is an investigation ongoing.

"In all cases of malicious cybersecurity activity, the Department of Energy seeks to identify indicators of compromise and other cybersecurity relevant information," Gumbiner said, "which it then shares broadly amongst all DOE labs, plants and sites, as well as within the entire federal government."

The DOE Office of Science, which is the lead federal agency supporting fundamental scientific research for energy, and which has responsibility for 10 of the 17 DOE laboratories, sustained 255 attempted attacks of which 90 became successful intrusions, including 28 root exploits.

DOE headquarters systems were targeted most frequently, recording 432 attempts, of which only 13 were successful, including only five root exploits.

Systems in the National Nuclear Security Administration, whose mission includes responsibility "for enhancing national security through the military application of nuclear science," recorded 113 attempts and 19 successful exploits, of which 6 were root exploits.

It is difficult to draw any conclusions from the information reported, which included only the date and time, category -- type of attack and whether it was successful or not -- DOE program office targeted and the status -- either closed or open -- of each attack.

"Without knowing what each department had in place or what each actor was targeting in each office, it's hard to say anything conclusive. That said, it probably indicates the actors encountered differences and variable periods from resource to resource in each office," said Jason Polancich, founder and chief architect of SurfWatch Labs Inc., based in Sterling, Va.

Polancich also suggested that the successful attempts may only be the ones they know about or were able to prove, and there is likely more to be found with more digging.

"The report underscores just how immature our government is when it comes to cybersecurity expertise, defense and budget," Polancich said. "It's likely we could go into any other government department and probably find similar statistics or even something worse, unfortunately. Cybersecurity is not part of their core concerns and certainly not their expertise. Cyberdefense across business and industry is pretty dismal, and this is another big pile of evidence that points to that sad fact."

What proportion of cyberattacks against your organization were successful in the past four years?
Fortunately, none. Not that our security is that tight, just that we're far too small and uninteresting to warrant an attack. I hope....
ncberns, perhaps that's true but still a very scary place to put your faith! However, unless a hacker's intent is to purely cause destruction, the only real requirement for an organization to be a likely target of advanced attacks is that you collect private information beyond basic names and addresses. If you accept customer payments for goods and services or you keep payroll and/or application data...well, in that case, your company "tastes like chicken" to hackers, just like any of the other financial institutions, health care systems, or government bodies that have been their bread and butter as of late, or rather their "other white meat" that represents most of the high profile breaches we see in the headlines today. The only difference now is there is just TOO MUCH low-lying fruit for these hackers to go after!!! And these aren't small organizations, they are very large, one stop shop for criminals to obtain all types of private personal info from your soc # to your credit card info.

Now, once these targets above get their acts together, then the second tier and third tier targets will have their day in the spotlight...unfortunately it may be even worse for them. This is because unlike billion dollar multi-national corporations, not only will the financial cost of these breaches cause more damage in smaller companies, but due to tightening regulation and increased legal awards for data breach victims, the effects on these 2nd and 3rd tier companies could be devastating. I wouldn't be surprised at all to see some of these still very large, well-known companies actually go into bankruptcy or some other financial default as a result of advanced attacks like the ones we have witnessed at Sony Pictures, Target, Home Depot, Premera, OPM, etc...I'm afraid no one is safe from these attacks, at least not in the long run.
Interesting, @Gallavin. I also have to wonder how many attacks are going undetected entirely -- especially among smaller businesses which may have minimal resources or even awareness of what steps to take to secure their networks as well as their online presence.
Yet again, yet again. I'm beginning to think we're far less clever than we think we are. We're so busy building bullet-proof doors that we can't see the bad guys walking right around them. Our solution...? Patch the holes and do it better next time. 

Repeating the same thing and expecting different results probably isn't a sign of insanity (sorry Dr. E), but it sure is stupid and apparently useless, too.