Tommy Stiansen, CTO of Norse, said McCallum is correct, "given the information I can get from the Internet, I'm personally sure."
"The DoE server, their Linux box, tells me they're not security minded," he said. "The box is outdated, not hardened and there is not adequate security in front of it."
And he said the names of employees and contractors were easily available, "which can be used in numerous ways by hackers to gain more information. Nobody should have personal accounts facing the Internet," Stiansen said.
However, while the DoE is a prime target for hostile nation states, both experts doubt that this attack caused any major immediate damage, either to the agency or its employees.
If it was a traditional cyberattack, Murray said employees would be at greater risk. But from a nation-state or an activist group like Anonymous, "the impact of [personally identifiable information] exposure is minimal," he said.
Arlen said if the attackers were able to get classified information (which the DoE has reportedly denied), it could be significant. "If it is espionage, with the outcome being a more traditional physical attack with either advanced knowledge of weaknesses or advanced knowledge of weapons," then it could be serious, he said.
Regardless, the attack should prompt the DoE to get much more serious about security, the experts agree. Arlen said it comes down to "doing the basic stuff correctly."
"Have preventative controls on information assets," Arlen said. "Lock it up, disconnect it, treat information like toxic waste and sequester it with appropriate technologies. Use detection controls -- reduce complexity, simplify network design, introduce appropriate choke points, do behavioral analysis on information flows, be vigilant."
"And stop relying on technologies, techniques and training which are obviously not working," he said. "Assemble the cyber special forces -- why are the best-of-the-best infosec people not on call for issues like this?"
Dominique Karg, chief hacking officer at AlienVault, said "the solution is right in front of their noses and it's cheap as hell."
"It just requires three things," he said. "First, it requires their arrogance to go down. They need to acknowledge that the government/military is no longer best in breed at this particular type of warfare. Second, it requires increased respect for those who do know. Government jobs don't pay the six- to seven-figure salaries that security jobs at public companies in Silicon Valley pay. And even if someone said 'Screw it, I'm doing this for my country,' he'll get back to the private sector soon enough after being sneered at by everyone and being labeled as the 'printer fixing guy'. Finally, they need to accept outside help."
"There are people who want to help, for free. Let them," Karg said.