The attacker used an Internet Explorer zero-day vulnerability that Microsoft patched on April 12 to breach the lab’s network. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user’s machine if he or she visits a malicious web site.
According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.
Oh come on. Well, at least they’ll learn their —
It’s not the first time the lab has been breached through spear phishing. In 2007, a similar attack allowed hackers to access a nonclassified database at the lab and gain access to thousands of names, Social Security numbers and birth dates belonging to anyone who had visited the lab between 1990 and 2004.
How could you -–
“One of our core competencies at the lab is cybersecurity research,” Zacharia said.
Right then.