Furry Hacktivists Breached Nuclear Lab and Stole Employee Data

The Idaho National Laboratory (INL) has confirmed that employee data was leaked after a group of pro-Russian hacktivists breached one of its information systems.

On November 20, 2023, the politically-motivated hacking group SiegedSec said it breached the INL nuclear lab and stole “hundreds of thousands of user, employee, and citizen data.”

INL is among 17 nuclear labs operated by the U.S. Department of Energy and is part of the nation’s critical infrastructure.

Spanning over 890 square miles, the 70-year-old lab employs over 6,100 researchers and support staff to run over 50 nuclear reactors. It also studies advanced nuclear and energy concepts, including hydrogen production and renewable energy, such as geothermal power and biofuel.

The lab is also a testing ground for other concepts, such as energy security, power grid reliability and resiliency, cybersecurity, and national security. It boasts an “unparalleled cybersecurity experts” team to monitor, train, and research the “security of everything.”

Hacktivists accessed Idaho nuclear lab’s employee data

Per the group’s posting, the leaked employee data includes full names, dates of birth, email addresses, phone numbers, physical addresses, Social Security Numbers, bank account information, marital status, and employment information.

The hacktivists also published screenshots of the allegedly stolen employee data and internal tools, suggesting deep entrenchment in the lab’s computer network.

Apparently, the employee data breach did not leak nuclear secrets or intellectual property information. Still, revealing the identities of top nuclear energy researchers puts them at risk of targeted attacks.

“There appears to be some controversy about whether the threat actor group who stole the data is at all politically motivated,” said Colin Little, Security Engineer at Centripetal. “I find this question to be irrelevant, because now those who are politically motivated and would very much like to know the names and addresses of the top Nuclear Energy researchers in the US have that data as well.”

According to Lior Yaari, CEO and co-founder of Grip Security, the employee data is invaluable to adversaries interested in penetrating DOE’s national laboratories.

“The data can be used to blackmail or create campaigns that are even more targeted, and increases the chances that staff will be compromised. The lab needs to do a comprehensive review of its security system to get to the bottom of this breach and make sure this does not happen again,” said Yaari.

Without attributing the attack to anyone, the nuclear lab investigated the alleged data breach and confirmed that the hacktivists compromised a third-party vendor system that supports its human resources applications.

“Earlier this morning, Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications. INL has taken immediate action to protect employee data,” INL told East Idaho News.

Oracle’s Human Capital Management (HCM) is a federally-approved vendor system for managing employee data.

“Oracle Human Capital Management is an application under the Oracle Fusion Cloud SaaS suite which is listed on the FedRAMP Marketplace with an agency authorized Authority to Operate (ATO),” said Corey Brunkow, Director of Engineering Operations. “This SaaS has been provided authorization to operate by at least 5 separate Authorizing Agencies after going through an extensive and expensive FedRAMP process.”

Brunkow warned that 10 other agencies were at risk, highlighting the weaknesses of “US Government’s over-reliance on exhaustive check-list based compliance and security theater through documentation.”

Oracle, an Austin, Texas-based tech colossus, has yet to disclose the attack vector or possible mitigations to protect other HCM users.

According to INL spokesperson Lori McNamara, the Idaho nuclear lab was in touch with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to investigate the breach and understand its scope.

So far, the Russian hacktivists have not disclosed how they breached INL, although they typically employ SQL injection and cross-site scripting (XSS) attacks.

Similarly, the reason for targeting INL remains unknown, although Russia has previously targeted numerous US labs in cyber espionage campaigns, including Argonne, Brookhaven, and Lawrence Livermore National Laboratories.

Hacktivists involved in numerous high-profile data breaches

SiegedSec emerged shortly after the invasion of Ukraine in February 2022. Identifying as “gay furry hackers,” the group is led by “YourAnonWolf” and consists of young members with a cringeworthy sense of humor and a taste for profanity.

Unsurprisingly, the hacktivists offered to pull down the data breach announcement if the Idaho nuclear lab researches “creating irl catgirls.”

Despite their juvenile antics, SiegedSec hacktivists are experienced data thieves with numerous high-profile breaches under their belts. They target public administration, professional services, retail, manufacturing, and information technology. This year alone, the group has claimed two NATO data breaches that leaked thousands of records.

In July 2023, SiegedSec breached NATO’s Communities of Interest (COI) Cooperation Portal and stole 845 MB of compressed data, 700 documents, and 8,000 employee records in retaliation for the military alliance’s alleged human rights abuses.

In October 2023, SiegedSec also allegedly breached NATO and stole 3,000 documents and 9 GB of data. The Russian hacktivists have also attacked state government websites in Texas, Pennsylvania, South Carolina, Nebraska, and South Dakota.