The obvious answer is to steal nuclear secrets, since the agency's National Nuclear Security Administration (NNSA) department is in charge of managing and safeguarding the country's nuclear arsenal. According to security experts, the agency's laboratories, where the most sensitive work takes place, have long been targeted by attackers.
But the breach of the DOE headquarters network in mid-January, which was disclosed in a Friday memo to employees, appeared only to result in the theft of personally identifiable information (PII) pertaining to a few hundred of the agency's employees and contractors. Although a related investigation by the DOE and FBI remains underway, the memo noted that the findings to date indicate that "no classified data was compromised."
[ What is the government doing to crack down on cyber break-ins? Read FBI Expands Cybercrime Division. ]
Why would attackers target PII for agency employees? Here are six reasons -- some more likely than others -- why attackers might have come gunning for employee data:
1. Spies Seeking Nuclear Secrets
The story of the DOE breach was first reported by the Washington Free Beacon, which noted that the NNSA manages, secures and designs the country's nuclear arsenal. But it offered no evidence that the NSSA was targeted, and again, the DOE said its investigators found no evidence that attackers accessed any classified information.
Other news outlets trumpeted that China was a possible suspect in the attacks, which isn't news -- and hasn't been substantiated. Furthermore, if a foreign government was involved, there are many more candidates than just China. "China is the noisiest -- the government officials who are fully briefed in on the threat will tell you that several other countries' cyber attacks are equally worrisome but much more clandestine," said Alan Paller, director of research for the SANS Institute, via email.
2. Intelligence Services Out To Catalog Real Identities
If a foreign intelligence service was behind the attack, then it was likely meant to gain a foothold in the DOE's network, and then allow attackers to spread malware to other DOE systems. Alternately, the information could be used for more hands-on types of espionage. "Let's suppose the hackers were from China," said Sean Sullivan, security advisor at F-Secure Labs, via email. "In that case, they may very well be interested in the PII to facilitate real-world spying -- a lot of which still goes on. You need to know names and addresses in order to target somebody with a seductress."
3. Prepping Spear-Phishing Attacks
Or, the personnel information could be used to create more personalized spear-phishing attacks. These use emails that appear to be legitimate to trick users into opening malicious attachments, which then infect the targeted system and allow data to be stolen from the PC, as well as use the infected system as a springboard for infecting other servers and PCs.
Thanks to modern-day crimeware toolkits, attackers can repack their malware to vary its appearance, thus helping to bypass signature-based antivirus defenses. In the attack against The New York Times that came to light last week, for example, attackers launched 45 malicious files at newspaper PCs over a three-month period, and only saw one piece of malware get stopped and blocked by the Symantec antivirus software used by the Times.