working from overseas via the Internet penetrated sensitive U.S. Government computer
Hacking U.S. Government
Computers from Overseas
Foreign-based hacker groups working via the
Internet have had substantial success breaking into U.S. Government and defense contractor
computer systems holding sensitive but not classified information. There is one publicly
known case in which computer break-ins from overseas were sponsored by a foreign
Three Germans in Bremen, West Germany were
hired by the Soviet KGB during 1986-1989 to hack into U.S. Government systems. They
penetrated Pentagon systems, NASA networks, Los Alamos National Laboratories and Lawrence
Berkeley Laboratories. They were detected by Clifford Stoll, at Berkeley, when he checked
out minor discrepancies in the account billings. Stoll later wrote the popular book, The
Cuckoo's Egg, about the case. The three hackers were arrested and convicted of
The following three cases also show the
ability of hackers overseas to penetrate protected domestic U.S. systems via the Internet.
In these three cases there was some suspicion of possible foreign intelligence
involvement. This could not be confirmed, but also could not be ruled out. Enterprising
foreign hackers could collect this information on their own and then sell it to a foreign
intelligence service, or a foreign service could sponsor the same kind of operation
Into Navy Systems
In July 1995 computers in several states and
Mexico reported intrusions originating from Harvard University. The hacker apparently
lifted user IDs and password information from accounts on a system administered by the
university. The U.S. government became concerned in August when an intrusion was detected
on a network operated by the U.S. Naval Command, Control and Ocean Surveillance Center
(NCCOSC). The intruder broke into the NCCOSC computer and installed sniffer programs to
capture the IDs and passwords of legitimate users, and other software that would allow him
to alter or destroy network files or to make them inaccessible to users.
After attacking a site in Taiwan, the
intruder was monitored while "chatting" on the Internet, using the name Griton.
Griton was traced back to Argentina where the moniker was known by Argentine authorities
as a computer pirate who specialized in hacking, cracking and phreaking. The subject was
soon traced to Buenos Aires and identified as Julio Cesar Ardita, then a 21-year-old
student in Buenos Aires at the University of Argentina.
According to news reports, this hacker gained
access to a host computer at the Army Research Lab in Edgewood, Maryland; the Naval
Research Laboratory in Washington; the California Institute of Technology in Pasadena,
California; and the NASA Jet Propulsion Laboratory. Victim sites include 62 U.S.
government, 136 U.S. educational, and 31 U.S. commercial facilities. The U.S. Navy, NASA,
and Department of Energy's National Laboratories were high on the list of frequency of
Ardita was served a warrant and his computer
was seized. He admitted responsibility, but claimed he was guilty only of mischief. He was
arraigned in December, 1995. The U.S. Department of Justice filed criminal charges against
Ardita. Prosecution in the U.S. was initially frustrated by the fact that computer crime
is not covered by international agreements for extradition. In December 1997, Ardita
agreed to come voluntarily to the United States and plead guilty to unlawfully
intercepting electronic communications over a military computer and damaging files on a
military computer. In return for Ardita's agreement to come voluntarily to the
United States, he is being sentenced to only three years probation and fined $5,000.1
Although he hacked into important and
sensitive government research files on satellites, radiation, and energy-related
engineering, Ardita is not accused of obtaining classified information related to national
security. To counterintelligence analysts, the hacker's selection of targets and subject
matter suggested a well-defined intelligence collection tasking, but foreign intelligence
involvement has not been established. If a foreign intelligence service was involved, it
is impossible to know which one, as many countries might have been interested in the
information Ardita collected.
The Ardita case was the first time a
court-ordered wire tap was used for real-time monitoring of an unknown subject to catch a
computer criminal. It demonstrates the ability to chase and identify an international
Air Force Rome
Development Center Break-In
Two young British hackers, Richard Pryce, age
16, and Mathew Bevan, age 21, broke into U.S. military computer systems. Pryce, who was
identified and charged in 1995, allegedly obtained access to files on ballistic weapons
research and messages from U.S. agents in North Korea during a 1994 crisis over inspection
of nuclear facilities in North Korea. The penetrations were carried out over a period of
Bevan, an information technology technician,
was charged in 1996 with conspiracy to gain unauthorized access to computers. Pryce used
the on-line nickname of "Datastream Cowboy" while Bevan identified himself as
"Kuji." Kuji was tutoring Datastream in his attempts to break into specific
systems. According to news reports, investigators suspected the older culprit of being a
Pryce and Bevan broke into the Rome Air
Development Center, Griffiss Air Force Base, NY, and before authorities became aware of
their presence (five days later) they had penetrated seven systems, copied files including
sensitive battlefield simulations, and installed devices to read passwords of everyone
entering the systems. Rome Air Development Center was used as a launching pad for more
than 150 intrusions into military, government and other systems including NASA and
Wright-Patterson Air Force Base. Large volumes of data were downloaded from penetrated
systems. One such data transfer (which was being monitored) involved the downloading of
files from the Goddard Space Flight Center to an Internet provider in Latvia. In order to
prevent the loss of sensitive data, the monitoring team broke the connection.
In one of these break-ins, Pryce used Rome to
access a Korean facility. According to media reports, "For several anxious hours
[U.S. authorities] didn't know whether the intrusion was into a North or South Korean
system. The concern was that the North Koreans would trace an intrusion coming from the
U.S. and perceive it as an aggressive act of war." The penetrated system turned out
to be the South Korean Atomic Research Institute. The two were arrested after a long
investigation by the Air Force Office of Special Investigation and New Scotland Yard.2
Dutch Teen Hackers
A group of Dutch teenagers penetrated
computer systems at 34 U.S. military installations during 1990-91. They gained access to
information on personnel performance reports, weapons development, and descriptions of
movement of equipment and personnel. The systems penetrated included the Naval Sea Systems
Command, the Army's readiness system at Ft. Belvoir, Virginia, and the Army missile
research lab at Aberdeen, Maryland.
At least one penetrated system directly
supported U.S. military operations in Operation Desert Storm prior to the Gulf War. They
copied or altered unclassified data and changed software to permit future access. The
hackers were also looking for information about nuclear weapons. Their activities were
first disclosed by Dutch television when camera crews filmed a hacker tapping into what
was said to be U.S. military test information.
According to an ABC News report, the Dutch
hackers had been operating for at least a year reading sensitive information about
military plans and operations. Documents obtained by ABC indicate that hackers got so much
information about the Patriot Missile that they had to break into several other computers
just to find a place to store the data. At one point the intruders shut down computers in
Wisconsin and Virginia which were later used to mobilize troops for Desert Storm.
Information was gathered on the Patriot rocket launching system, the Navy's Tomahawk
cruise missile, and on the call up of military reserves for the Gulf War. The search words
the hackers were particularly interested in were "military," "nuclear"
and "Desert Storm" or "Desert Shield."
Many of the computer penetrations originated
in Geldrop, Holland. At the time, investigators suspected the hackers could have been
freelance spies looking for information to sell to the KGB or Iraqi intelligence, but no
evidence of foreign intelligence service involvement has been found.3
Related Topic: Computer Vulnerabilities
1. The Washington Post, March 30,
1996, "Argentine, 22, Charged with hacking Computer Networks;" The
Washington Post, May 20, 1998, "Argentine Pleads Guilty to Hacking U.S.
Networks;" Associated Press, "Argentine Computer Hacker Agrees to Surrender,
says US Attorney," Detroit Free Press, Dec. 7, 1997.
2. USA Today, March 23, 1996, "Hacker Pair Illustrates
Pentagon's Vulnerability;" and The Toronto Star, April 12, 1998, "How
Datastream Cowboy Took U.S. to the Brink of War."
3. ABC News, "World News Tonight" with Peter Jennings,
April 25, 1991. John Markoff, "Dutch Computer Rogues Infiltrate American Systems with
Impunity," The New York Times, April 21, 1991.