Cyber Incident Victim: Argonne National Laboratory
Date: Jul 2015
Location: United States of America
Summary
Pro-ISIS hackers breached a subdomain of Argonne National Laboratory, defacing the website with their insignia, an Arabic prayer, and a message alluding to an impending conflict. The compromised subdomain, part of the Laboratory Computing Resource Center, remained under attacker control when reported. This incident followed similar defacements of Georgian government and NATO-affiliated sites, alongside several Italian government domains including AIRO 2015 and the National Research Council’s Engineering Department. The group’s activities align with broader patterns of high-profile cyber intrusions attributed to pro-ISIS actors targeting governmental and institutional websites.
Description
On July 9, 2015, pro-ISIS hackers compromised a subdomain of Argonne National Laboratory's website, specifically targeting the Laboratory Computing Resource Center (LCRC) at lcrc.anl.gov. The attack involved defacement of the subdomain, replacing legitimate content with a page displaying an ISIS logo, a background Arabic prayer, and a message referencing an impending war. This mirrored the hackers' previous defacement of the State Ministry for Euro-Atlantic Integration of Georgia's NATO-affiliated website just one day prior. The compromised Argonne subdomain remained under attacker control at the time of public reporting, rendering the LCRC's web presence inaccessible for its intended purpose. Argonne National Laboratory, operated by the U.S. Department of Energy's Office of Science, conducts research in energy storage, national security, and environmental systems, though the hack specifically impacted only the LCRC subdomain's public-facing web interface.

The incident formed part of a broader campaign by pro-ISIS actors targeting governmental and institutional websites. Concurrently with the Argonne breach, the same group defaced multiple Italian government domains, including websites for the AIRO 2015 robotics workshop and the National Research Council's Engineering Department. This pattern followed earlier high-profile cyber operations attributed to pro-ISIS actors, notably the April 2015 takeover of French network TV5Monde's broadcasts and digital platforms, initially claimed by the Cyber Caliphate group. While French investigators later suggested potential Russian state-backed involvement (APT28/Pawn Storm) in the TV5Monde incident, the Argonne attack exhibited characteristics consistent with ideological defacements rather than sophisticated intrusions. The breach prompted no disclosed operational disruptions to Argonne's research functions, with impacts confined to the temporary unavailability of the LCRC subdomain. Europol had initiated targeted operations against pro-ISIS online activities in June 2015, though no specific remediation actions related to the Argonne compromise were detailed in available reporting.
