News & Analysis Physics World  June 2021

Ethical hackers worm their way into Fermilab

Access all areas The Sakura Samurai group of ethical hackers infiltrated Fermilab’s data systems with the knowledge of the lab’s managers. (Courtesy: Fermilab/Reidar Hahn)

A group of “ethical hackers” has obtained access to sensitive systems and proprietary online data hosted by the Fermi National Accelerator Laboratory in the US after accessing multiple unsecured entry points in late April and early May. The group – Sakura Samurai – discovered configuration data for the lab’s NoVa experiment and more than 4500 “tickets” for tracking internal projects. 

The Sakura Samurai team has previous experience probing the vulnerabilities of scientific and educational organizations, which hold critical information that if leaked could put those institutions at risk. “Fermilab was no different,” Sakura Samurai leader Robert Willis told Physics World. “Oversharing can be very dangerous, especially when it’s sharing credentials that could enable a malicious actor to take over a server with the potential to move across their network to access items that the organization wouldn’t even think of being vulnerable.” 

The hacking team targeted Fermilab because of its openness and the size of the lab. The hack was performed with Fermilab management’s knowledge so that they could “lock down” critical information before it was performed. “[Fermilab] seemed interesting as it has a vulnerability disclosure programme and is also a physics lab with lots of machinery and a half-billion-dollar grant,” adds Willis. “That would make it very attractive to a threat actor looking to ransomware their assets to hold them hostage.” Indeed, the hacking team found its effort time-consuming owing to Fermilab’s basic openness. “Some findings were without a doubt critical and didn’t need verification from Fermilab. But other findings relied on communications with Fermilab to verify,” Willis says. 

Nevertheless, the ethical hacking group found the hack to be relatively simple, with many of the findings emerging with manual methods and basic tools that allowed them to navigate the file structure to find open ports and services. “We may very well have saved Fermilab from a future ransomware attack, considering a set of credentials would have given us the proper access to infect a server, and go from there,” says Willis, who adds that once lab managers were informed of the security issues they responded quickly. “The lab handled the situation very well and fast,” says Willis. “From initial contact to their internal verification and remediations, the entire process was under two weeks.” 

Fermilab spokesperson Tracy Marc notes that the lab “takes all reports of cybersecurity vulnerabilities seriously, and we are continuing to review the matter”. She denies any concern that experiments could be vulnerable to unethical hacking that could change results, because, she says, their data are “made available through controlled authorization and access methods”. 

Willis claims that many of the hacks on large organizations happen because of a lack of understanding of what hackers can do. That can be problematic for managers of organizations like Fermilab that have a culture of sharing. “Treat all publicly accessible information as if someone wants to do something malicious with it,” says Willis. “Providing the wrong sensitive information can put not just one asset, but everything, at risk.”

Peter Gwynne

Boston, MA