
Cybersecurity concepts and applications

Last reviewed: May 8, 2007


Recent Case Studies of Cybersecurity Breaches in the United States: The Event, the Method, and the Response

Case Study #1: The Russian (?) Moonlight Maze Attack

Perhaps one of the most infamous cyber-attacks on the United States occurred in the late 1990s. The FBI investigation team that evaluated the extent of the infiltration of the Department of Defense by unknown individuals gave it the codename Moonlight Maze. First detected in 1998, it consisted of a series of coordinated infiltrations of sensitive U.S. computer networks (Kitfield, 2000). It is still uncertain who conducted these cyber-attacks, though there is some circumstantial evidence linking them to parties based in Russia (Bridis, 2001). As one of the most extensive attacks on data sensitive to the national security of the United States, with perpetrators still unknown, Moonlight Maze stands as a testament to the extreme damage that can be done by the concerted efforts of hackers who attack information systems controlled by the United States government.

Moonlight Maze is one of the most significant cyber-attacks in U.S. history. Though the immediate suspects were Russian, there has been no definitive proof that Russia as a nation had anything to do with the attacks on the Department of Defense computer systems. It could easily have been civilians in Russia, another nation cleverly obscuring its tracks, or an individual anywhere in the world bouncing through a computer server in Russia before launching the attack (Vistica, 1999; Bridis, 2001). All that is known for certain is that huge quantities of data were extracted from the government computer systems, amounting to millions of pages of downloaded text. The entire email in-box of one colonel was extracted by the hackers. As far as could be immediately determined, no classified information was uncovered, though there is plenty of sensitive information to be found on the unclassified systems: Department of Defense computer networks routinely handle records about military logistics, personnel information, emails, and planning. More alarming is the possibility that the unearthed data could include very sensitive information such as classified naval codes and information on missile guidance systems (Vistica, 1999; Drogin, 1999; Bridis, 2001).

The hackers were apparently working from a location in Russia, though this could not be definitively established due to the nature of the infiltration. All that is known for certain is that the intrusion into Department of Defense computers had been going on for more than a year, and it is entirely unclear how much information was taken during that time. This is due in part to the fact that, in addition to raiding information directly from the Pentagon, the hackers also used that point of entry to reach other sensitive systems throughout the U.S. government, including networks at nuclear research labs associated with the Energy Department, NASA, and numerous university research facilities (Drogin, 1999). Investigators reiterate that the attackers obtained no known classified information, but the general uncertainty surrounding Moonlight Maze makes this claim dubious at best.

As to the identity of the attackers, investigators had little to go on. Circumstantial evidence seemed to point to a Russian operation, probably originating in an office complex somewhere near Moscow. The computers used in the attack were tied to Internet servers about twenty miles outside of Moscow, and the pattern of intrusions suggested someone who worked on the project on weekdays between 8 a.m. and 5 p.m., excluding Russian holidays. This pattern led many investigators to conclude that the attacks were possibly coordinated and sponsored by a Russian intelligence agency (Drogin, 1999). Whether or not this is actually the case is unclear. After all, as will become clear when we consider some of the methods the hackers employed, it seems relatively careless that they would leave such an easy path back to the actual point of origin of the attacks. It is just as likely that the true attackers bounced their efforts through Russian servers and timed the attacks to make them seem as if they were coming from a geographically localized position. The reality is that even years later, investigators are still uncertain.

The attacks against United States government systems were apparently coming from a Russian computer system just outside of Moscow. Despite this discovery, no definitive determination could be made that the Russians were actually behind the attack. After all, someone physically sitting in Russia and using computer resources there could have been working for an entirely different party. It is also entirely feasible that the attackers simply bounced their efforts off a computer system in Russia and that investigators were unable to determine the actual point of origin (Interview, 2003). This makes identification of the responsible parties and their intent incredibly difficult. In either eventuality, Russian origin or not, the long-range nature of the attacks -- occurring over a period of years -- and the systematic way in which they were conducted suggest supreme planning and organization by the attackers themselves. It is doubtful that those responsible for the cyber-assault were random hackers looking for notoriety or another challenge. It is much more likely that this represents the coordinated efforts of an individual or group with interests that run contrary to the national security of the United States.
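The working-hours pattern that investigators relied on in the two paragraphs above can be tested mechanically. The following script is an added illustration, not part of the original paper or of the Moonlight Maze investigation: given session start times in UTC, it asks, for each whole-hour offset, what share of sessions would land on a weekday between 08:00 and 17:00 at that offset. The session timestamps are constructed and chosen to cluster around UTC+3; the hour window, the candidate offsets and the function names are the author's own assumptions. A single dominant offset is weak supporting evidence about where an operator works and never proof, because, as the paper itself notes, activity can be scheduled to imitate any pattern.

```python
"""Score candidate UTC offsets against a weekday, working-hours pattern.

Added example, not from the paper or the investigation it describes.
Timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed session start times (UTC), chosen so that most fall in a
# 08:00-17:00 weekday window at UTC+3, plus one Saturday outlier.
SAMPLE_SESSIONS_UTC = [
    datetime(1999, 3, 1, 5, 12, tzinfo=UTC), datetime(1999, 3, 1, 6, 40, tzinfo=UTC),
    datetime(1999, 3, 1, 9, 5, tzinfo=UTC),  datetime(1999, 3, 1, 11, 30, tzinfo=UTC),
    datetime(1999, 3, 1, 13, 45, tzinfo=UTC),
    datetime(1999, 3, 2, 5, 30, tzinfo=UTC), datetime(1999, 3, 2, 8, 15, tzinfo=UTC),
    datetime(1999, 3, 2, 10, 50, tzinfo=UTC), datetime(1999, 3, 2, 13, 20, tzinfo=UTC),
    datetime(1999, 3, 3, 6, 10, tzinfo=UTC), datetime(1999, 3, 3, 12, 0, tzinfo=UTC),
    datetime(1999, 3, 4, 7, 0, tzinfo=UTC),  datetime(1999, 3, 4, 13, 55, tzinfo=UTC),
    datetime(1999, 3, 5, 5, 5, tzinfo=UTC),  datetime(1999, 3, 5, 10, 10, tzinfo=UTC),
    datetime(1999, 3, 6, 10, 0, tzinfo=UTC),  # Saturday: outside any office pattern
]


def working_hours_share(sessions, offset_hours, start_hour=8, end_hour=17):
    """Fraction of sessions that land on a weekday within [start_hour, end_hour)
    once every timestamp is shifted to UTC+offset_hours."""
    if not sessions:
        return 0.0
    local_tz = timezone(timedelta(hours=offset_hours))
    inside = 0
    for ts in sessions:
        local = ts.astimezone(local_tz)
        # weekday() is 0..4 for Monday..Friday
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            inside += 1
    return inside / len(sessions)


def rank_offsets(sessions, offsets=range(-12, 15)):
    """Return [(share, offset)] for each candidate offset, best first;
    ties are broken in favour of the offset closest to UTC."""
    scored = [(working_hours_share(sessions, o), o) for o in offsets]
    return sorted(scored, key=lambda so: (-so[0], abs(so[1])))


if __name__ == "__main__":
    for share, offset in rank_offsets(SAMPLE_SESSIONS_UTC)[:5]:
        print(f"UTC{offset:+d}: {share:.0%} of sessions in weekday 08:00-17:00")
```

Running the script ranks UTC+3 first with 15 of 16 sessions inside the window; neighbouring offsets score noticeably lower because sessions near the edges of the day spill outside the window when shifted by an hour. The same function can be pointed at a different window (night-shift operators, a six-day work week) by changing `start_hour`, `end_hour` and the weekday test.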

While it is unclear who was sitting on the other end of that computer or what their interests were, some information has been reconstructed about the methods and techniques employed by the hackers to gain access to the Department of Defense computer networks. In the spring and summer of 1999, the U.S. Navy first documented the use of low-bandwidth attacks by unknown parties, to which it responded with recommended cyber-countermeasures (Drogin, 1999). In the course of the investigation into these intensely coordinated and wide-ranging attacks, the FBI unearthed a number of techniques and methods used by the hackers not only to gain access to the systems, but also to cover their tracks quite effectively.

Unfortunately for national security, the computer networks at the Department of Defense were not effectively protected against cyber-attack at that time. Most of the material taken by the hackers was data that had been queued up to print on a networked printer, which means it was neither behind a secure firewall nor encrypted in any fashion (Interview, 2003). In other words, no matter how securely encrypted or protected sensitive data might have been on the attacked networks -- and there is little indication that this was the case -- much of the stolen data was simply taken without any difficulty from the storage points of networked printers, the proverbial weak link in the cybersecurity system. Security specialists were convinced that the firewalls between the unclassified and classified sections of the Department of Defense network would have prevented any active mining of classified information, but this is unclear. The extent of the attack is not fully known and, what is more, classified information often makes its way into unclassified systems. By simply sifting through the information that was taken, it could be possible to reconstruct classified and sensitive data (Vistica, 1999). In short, this attack opened the Department of Defense wide and laid bare many of its most sensitive secrets and documents.

The hackers obscured their presence in the system by using easily obtainable software known as Loki, after the Norse god of mischief. The software cleverly masks infiltrations to make them appear to be nothing more than web browsing by internal users (Bridis, 2001). This makes it more difficult for system administrators and security specialists to even notice that there is a problem occurring. Any attack will simply appear to be regular use by authorized users. Further, much of the attack was automated -- rather than actively check the government system to see if new data had been found and was ready for download, the hackers installed software sensors within the network that would notify the hackers of changes by modifying a private website that was hosted in Britain. Rather than expose themselves to Department of Defense security administrators, the hackers simply checked the innocuous website periodically and then only actively invaded the compromised system when it was absolutely necessary to retrieve newly gleaned information (Bridis, 2001).
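The reporting channel described above has a defender-visible side: the sensors planted inside the victim network signalled the attackers by modifying a private website in Britain, so from inside the network the artifact is one internal host repeatedly sending write requests to an external site that nobody else contacts. The following script is an added illustration, not code from the paper or from any investigation. It groups outbound proxy-log lines by destination host and flags destinations reached by very few internal clients, reporting how many of the requests were writes and over what span of time. The log format, hostnames and addresses are constructed, and the thresholds and function names are the author's own assumptions.

```python
"""Surface internal hosts that repeatedly write to a rarely-visited external site.

Added example, not from the paper or from any investigation record.
Log format, hostnames and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime

WRITE_METHODS = {"POST", "PUT"}

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>".
# 10.1.4.7 is the only client touching notes.example.co.uk, and every
# request to it is a write; news.example.com is ordinary browsing.
SAMPLE_LOG = """\
1999-03-01T08:00:02 10.1.4.7 POST http://notes.example.co.uk/update.cgi
1999-03-01T08:03:11 10.1.4.9 GET http://news.example.com/front.html
1999-03-01T08:03:40 10.1.4.7 GET http://news.example.com/front.html
1999-03-01T09:47:19 10.1.4.7 POST http://notes.example.co.uk/update.cgi
1999-03-01T10:12:05 10.1.4.12 GET http://news.example.com/sports.html
1999-03-01T13:05:44 10.1.4.7 POST http://notes.example.co.uk/update.cgi
1999-03-01T14:30:00 10.1.4.9 GET http://news.example.com/weather.html
1999-03-01T16:21:57 10.1.4.7 POST http://notes.example.co.uk/update.cgi
1999-03-02T08:01:10 10.1.4.7 POST http://notes.example.co.uk/update.cgi
"""


def parse_log(text):
    """Yield (timestamp, client, method, host) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole scan
        ts_str, client, method, url = parts
        try:
            ts = datetime.fromisoformat(ts_str)
        except ValueError:
            continue
        host = url.split("//", 1)[-1].split("/", 1)[0]
        yield ts, client, method.upper(), host


def rare_destinations(text, max_clients=1, min_requests=4):
    """Return (host, clients, n_requests, n_writes, span_hours) for every
    destination contacted by at most max_clients distinct internal clients
    and at least min_requests times, sorted by client count then host."""
    clients = defaultdict(set)
    stamps = defaultdict(list)
    writes = defaultdict(int)
    for ts, client, method, host in parse_log(text):
        clients[host].add(client)
        stamps[host].append(ts)
        if method in WRITE_METHODS:
            writes[host] += 1
    hits = []
    for host, cset in clients.items():
        n = len(stamps[host])
        if len(cset) <= max_clients and n >= min_requests:
            span = (max(stamps[host]) - min(stamps[host])).total_seconds() / 3600
            hits.append((host, tuple(sorted(cset)), n, writes[host], round(span, 1)))
    return sorted(hits, key=lambda h: (len(h[1]), h[0]))


if __name__ == "__main__":
    for host, who, n, w, span in rare_destinations(SAMPLE_LOG):
        print(f"{host}: {n} requests ({w} writes) from {', '.join(who)} over {span} h")
```

On the sample log only `notes.example.co.uk` is reported: five requests, all writes, from a single client across roughly a day. Rarity of the destination is what distinguishes this from the browsing the paper says the traffic was disguised as; a site that many internal hosts visit would not be flagged, and raising `max_clients` lets an analyst widen the net deliberately.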

As a final testament to the sophistication of this operation, investigators came to believe that the hackers had even gone to such lengths as to install eavesdropping software on university systems as early as 1997. The universities chosen were ones at which some researchers worked on sensitive defense contracts that gave them access to military labs via the Internet. The eavesdropping software allowed the hackers to glean the usernames and passwords of these researchers and then pose as them to gain deeper access into government systems (Bridis, 2001). By approaching the government systems in this roundabout fashion, the attackers took advantage of generally less secure university systems and then used the credentials found there to piggyback into more secure government sites, from which information sensitive to national security could be obtained. The level and sophistication of this attack on the Department of Defense's systems suggests that it was conducted by professionals with significant resources at their disposal and an interest in the national security secrets of the United States. The data mining operation was so successful that, even though it was eventually detected, it still made off with a significant amount of information.

Since the attack, the United States has responded in a number of critical ways. Almost immediately upon learning of the threat, the Pentagon required all defense employees to change sensitive passwords, though even this requirement was hacked by the attackers, allowing them to change their tactics accordingly (Vistica, 1999; Bridis, 2001). Other, longer-range responses will hopefully have more success in preventing future attacks like Moonlight Maze. For instance, the assistant secretary of defense for command, control, communications and intelligence, Arthur Money, stated that the Pentagon's primary unclassified computer system was so significantly compromised by the attacks as to render it unusable. Within a few months of discovering the infiltration, the Department of Defense decided to route all of the communications that previously went through that network through eight large electronic gateways, in the hope that this would make monitoring of traffic and access easier. The Pentagon also ordered that $200 million be spent on new encryption technology for all systems, including intrusion detection technology, new firewalls, and password encryption (Drogin, 1999). These efforts are designed to close many of the cybersecurity "holes" discovered in the wake of the Moonlight Maze incident. Of course, all of these efforts occurred after sensitive data had already been pilfered over a period of years.

The most usual response of the government, and the ultimate aim of its efforts, has been punitive in nature: track down the offenders and punish them. If the hackers prove to be civilians, then the U.S. government is prepared to fully prosecute them for this intrusion into its systems. If, on the other hand, the perpetrator is found to be another nation, then the government will likely consider a retaliatory cyber-attack against that nation. To that end, new offensive protocols have been added to the agency that controls the military's computer systems, and increased funding has been provided for such operations over the coming years (Bridis, 2001). Perhaps the most significant effect to emerge from the Moonlight Maze incident was increased communication and coordination between law enforcement and intelligence agencies such as the FBI, CIA, NSA, and others. Up until this point, the sharing of information between these agencies had been mediocre at best (Bridis, 2001; Kitfield, 2000).

Moonlight Maze demonstrated how an uncoordinated response would ultimately be ineffective against such a coordinated attack on sensitive military computer systems. The increased cooperation and coordination that emerged after Moonlight Maze, in fact, ultimately led to the creation of the Department of Homeland Security in the wake of the September 11th attacks, which further improved inter-agency coordination. Whether the enhanced coordination between these agencies and the increased security measures at the Department of Defense will deter or help ward off cyber-attacks is, as of yet, unclear.

Case Study #2: Fermilab File-Sharing Fiasco

In June 2002, computer system administrators at the Fermi National Accelerator Laboratory near Chicago, Illinois discovered that an unidentified hacker had broken into the computer system at the laboratory (Van, 2003). This breach of data security was treated with extreme caution and concern. Immediately, the lab issued a full alert and shut down the computer systems for three days while the extent of the presumed attack was determined. Fermilab is responsible for the integrity of the United States nuclear arsenal. As such, any breach of data security at the lab stands as a significant breach of national security. If the case had turned out to be an example of malicious hacking or directed terrorism, the results for national security could have been exceptionally disastrous. As the case makes evident, however, this breach of data security occurred for very different reasons than we might ordinarily expect and involved no real malicious intent. Nonetheless, the apparent ease with which the hacker was able to exploit a weakness in such a crucial system of the U.S. Department of Energy should give us pause. If this had been a willfully malicious hack of Fermilab, the results for national security could have been extremely adverse.

Technicians at Fermilab first discovered that there might be a problem after noticing that scheduled backups of the system were taking much longer than normal (Goodwin, 2003). Disturbingly, this was apparently the only reason that the breach of security was noticed at all. If it had not been for the fact that the hacker in question was actively using Fermilab's system resources for his own purposes, the breach might never have been noticed. If, for example, the hacker had intended only to access the system and retrieve sensitive data, based on this case it seems questionable whether anyone would have noticed until long after the hacker had left -- if ever.

An investigation coordinated between the U.S. Department of Energy, which oversees operations at Fermilab, and Scotland Yard ultimately led investigators to the culprit behind this incredible breach of national security. In an unremarkable neighborhood in East London, investigators arrested Joseph McElroy, then sixteen years old, who had illicitly gained access to seventeen Fermilab computers. Because attempted hacks against Fermilab occur frequently -- its generally high levels of security and the sensitivity of the data it oversees make it an attractive target -- investigators may have expected to find a computer mastermind when they arrested McElroy. Many hackers of this apparent caliber attempt hacks into systems such as Fermilab for political reasons, for personal prestige in the hacking community, or even for criminal or terrorist purposes. What they discovered in the person of McElroy, however, was something entirely different.

Rather than an individual intent on hiding the nature of his crime, making some political statement, or even overthrowing the U.S. government, investigators found a young boy perfectly willing to admit his guilt and work with the police to explain what he had done and how he had done it. McElroy's purposes were not malign -- save for the simple reality that he did knowingly hack into a private, and indeed government, computer system. McElroy's purpose was simple: he wanted to appropriate the bandwidth and storage capacity of an online computer network in order to store hundreds of gigabytes of pirated music, movies, and software that he and his friends could share (Leyden, 2004; Teen hacker, 2004). McElroy apparently had no intention of accessing sensitive information on the Fermilab networks -- or any information, for that matter. He only wanted access to the system so that he could partition off a section of it for his own illegal storage uses.

In fact, interestingly, McElroy told investigators that he had no idea the Fermilab system was an offshoot of the U.S. government, specifically the U.S. Department of Energy. He was under the mistaken impression that the system was owned and operated by a U.S. university, not the government. Apparently, McElroy and his friends had been targeting university and academic computer systems for some time, largely because he was under the impression that universities did not have to pay for Internet access (Goodwin, 2003). The aim was always to section off portions of an academic system and then use that storage space to share illegally obtained files with his friends, to whom he gave access codes and passwords for the compromised system. McElroy hacked with relative impunity because he did not expect a university computer network to have the resources to track him down and exact punishment. His inability or unwillingness to cover his tracks more effectively meant that security specialists working for the U.S. government were able to track down McElroy's location within hours because of the access logs he had left behind in the system. This rapid response is to be expected from a government installation that handles such sensitive information, though once more it is worth pointing out that the quick response of the security team at Fermilab came only after two weeks of breached security by a teenager from London (Van, 2003). McElroy spent two weeks with access to multiple computers on the Fermilab network. That he was interested in file sharing and did not have more malicious goals should be seen as a welcome bit of luck, but certainly no reason for the U.S. government's cybersecurity teams to pat themselves on the back for a job well done.

The attack, though perhaps infiltration would be a better description, took the Fermilab computer network offline for three days while the extent of the hack was determined and the nature of the damage was evaluated. Total costs of repairs to the affected systems approached $40,000, and research data was inaccessible while the system was shut down. Despite this seemingly high amount of damage, no permanent damage to the system was incurred, no data was lost, and McElroy seemed to gain nothing from the hack save two weeks of file sharing between him and his friends (Goodwin, 2003; Leyden, 2004). In all, this incident represents a surprisingly innocuous breach of U.S. national security via the Fermilab network, which contains extensive sensitive information about U.S. energy resources and the nation's nuclear arsenal. If this information were to fall into the hands of criminals or terrorists, it would represent a significant danger to the security of the nation. McElroy's breach of this system highlights the ease with which cyber-attacks can be made against sensitive computer networks in the U.S. government, and should be considered in more detail.

Given the ease with which McElroy accessed the Fermilab network and appropriated its computing resources for his own, albeit trivial, ends, it is worth considering exactly what techniques he used to accomplish this feat. Fermilab acts as a central resource for thousands of scientists all over the world and boasts a significant computing capacity; this fact alone, regardless of its connections with the U.S. Department of Energy, makes Fermilab an attractive target for hackers. Security specialists who monitor the computer systems at Fermilab report that attacks on the system occur almost constantly, though they are hardly ever successful. Apparently, Fermilab is generally well protected, and no more than one of the thousands of yearly attacks actually succeeds each year (Van, 2003). This makes McElroy's apparent success in gaining access to the Fermilab network all the more impressive, not to mention the fact that it took two weeks for system administrators to notice a problem. In fact, the problem was only noticed when scheduled backups of the system that usually take one hour were taking eight or nine hours instead (Van, 2003). The unnerving implication is that if McElroy had been "quieter" about his presence he might have been able to squat in a corner of the Fermilab network indefinitely.
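The only reason the Fermilab intrusion was noticed, as the two passages above describe, was that backups which normally took about an hour began taking eight or nine. The following script is an added illustration, not code from the paper or from Fermilab, that turns that lucky observation into a repeatable check: it keeps a per-job history of run durations, uses the median as the baseline, and flags any run that exceeds the baseline by a configurable factor. Flagged runs are kept out of the history so that a fortnight of abnormal runs does not quietly become the new normal. The job-log format, job names and sample durations are constructed, and the thresholds and function names are the author's own assumptions.

```python
"""Flag scheduled jobs whose run time departs sharply from their own baseline.

Added example, not from the paper or from Fermilab. The log format and
sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed job log: "<job name> <start ISO> <end ISO>". The nightly
# backup runs for roughly an hour, then jumps to eight or nine hours.
SAMPLE_JOBS = """\
nightly-backup 2002-06-01T01:00:00 2002-06-01T01:58:12
nightly-backup 2002-06-02T01:00:00 2002-06-02T02:03:40
nightly-backup 2002-06-03T01:00:00 2002-06-03T01:55:05
nightly-backup 2002-06-04T01:00:00 2002-06-04T02:01:30
nightly-backup 2002-06-05T01:00:00 2002-06-05T09:42:18
nightly-backup 2002-06-06T01:00:00 2002-06-06T10:05:51
log-rotate 2002-06-05T03:00:00 2002-06-05T03:04:10
log-rotate 2002-06-06T03:00:00 2002-06-06T03:03:55
"""


def parse_jobs(text):
    """Yield (job, start, duration_seconds) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines instead of aborting the scan
        job, start_str, end_str = parts
        try:
            start = datetime.fromisoformat(start_str)
            end = datetime.fromisoformat(end_str)
        except ValueError:
            continue
        yield job, start, (end - start).total_seconds()


def find_slow_runs(text, factor=3.0, min_history=3):
    """Return (job, start_iso, duration_seconds, ratio_to_baseline) for runs
    that exceed factor * median(previous normal runs). A job is only judged
    once it has at least min_history normal runs on record."""
    history = defaultdict(list)
    flagged = []
    for job, start, duration in parse_jobs(text):
        prior = history[job]
        if len(prior) >= min_history:
            baseline = median(prior)
            if baseline > 0 and duration > factor * baseline:
                flagged.append((job, start.isoformat(), int(duration),
                                round(duration / baseline, 1)))
                continue  # keep the anomaly out of the baseline
        prior.append(duration)
    return flagged


if __name__ == "__main__":
    for job, start, secs, ratio in find_slow_runs(SAMPLE_JOBS):
        print(f"{job} started {start}: {secs} s, {ratio}x its usual duration")
```

On the sample log the first four backups establish a baseline of about an hour, and the runs on June 5 and June 6 are reported at roughly 8.7 and 9.1 times that baseline, matching the eight-to-nine-hour backups the paper describes. The `log-rotate` job is never judged because it lacks enough history, which is the right behaviour for a freshly added job. A run time that triples is a crude signal on its own, but paired with the question "what else is consuming this host's disk and network?" it is exactly the kind of check that would have surfaced the Fermilab intrusion on its first night rather than its fourteenth.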

PaperDue. (2007). Cybersecurity concepts and applications. PaperDue. https://www.paperdue.com/essay/cybersecurity-recent-case-studies-of-37846
