
Yearlong Hacker Attack Nets Sensitive U.S. Data

TIMES STAFF WRITER

In what appears to be the most extensive cyber-attack ever aimed at the U.S. government, hackers apparently working from Russia have systematically broken into Defense Department computers for more than a year and plundered vast amounts of sensitive information, U.S. officials said Wednesday.

Besides penetrating the Pentagon’s defenses, the cyber-thieves have raided unclassified computer networks at Energy Department nuclear weapon and research labs, at the National Aeronautics and Space Administration and at numerous university research facilities and defense contractors, officials said. No top-secret classified data is known to have been stolen.

Despite an intense FBI-led inquiry code-named Moonlight Maze, investigators so far have failed to identify the hackers or to confirm whether espionage is the motive. But circumstantial evidence points heavily toward a Russia-based intelligence-gathering operation, officials said.


“The intrusions appear to have originated in Russia,” said Michael A. Vatis, director of the FBI’s National Infrastructure Protection Center, before a Senate subcommittee Wednesday in the first public confirmation of Moonlight Maze. He said that the intruders stole “unclassified but still sensitive information about essentially defense technical research matters.”

Other officials said that at least some of the attacks were traced to Internet servers located about 20 miles from Moscow. And the pattern of intrusions suggests that they involve someone working in an office: They occurred on weekdays between 8 a.m. and 5 p.m. Moscow time, but not on Russian holidays.
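The working-hours pattern described above is a standard attribution heuristic: convert each intrusion timestamp into a candidate operator's local time and check whether activity clusters into weekday office hours and avoids that country's holidays. The script below is an added illustration, not part of the original article or of the investigation it reports; the event timestamps and the holiday calendar are constructed, Moscow time is approximated as a fixed UTC+3 offset (daylight saving ignored), and the "US Eastern" candidate is included only to show how a wrong timezone scores.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample: UTC timestamps of first-seen intrusion sessions. Not real data.
SAMPLE_EVENTS_UTC = [
    "1999-03-01T06:15:00Z",  # Mon 09:15 MSK
    "1999-03-01T11:40:00Z",  # Mon 14:40 MSK
    "1999-03-02T05:05:00Z",  # Tue 08:05 MSK
    "1999-03-03T13:30:00Z",  # Wed 16:30 MSK
    "1999-03-04T07:00:00Z",  # Thu 10:00 MSK
    "1999-03-05T12:45:00Z",  # Fri 15:45 MSK
    "1999-03-06T08:00:00Z",  # Sat 11:00 MSK  -> weekend
    "1999-03-08T09:00:00Z",  # Mon 12:00 MSK  -> holiday in the constructed calendar
    "1999-03-09T20:30:00Z",  # Tue 23:30 MSK  -> after hours
]

# Assumption: fixed UTC+3 for Moscow (no DST handling), and a constructed holiday calendar.
MOSCOW_TZ = timezone(timedelta(hours=3))
RUSSIAN_HOLIDAYS = frozenset({date(1999, 3, 8)})

# Candidate operator locations to compare. Names and offsets are assumptions for the example.
CANDIDATES = {
    "Moscow (UTC+3)": (MOSCOW_TZ, RUSSIAN_HOLIDAYS),
    "US Eastern (UTC-5)": (timezone(timedelta(hours=-5)), frozenset()),
}


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(ts_utc: datetime, tz: timezone, holidays, start_hour=8, end_hour=17) -> str:
    """Bucket one event by the candidate's local calendar: holiday, weekend, office or after hours."""
    local = ts_utc.astimezone(tz)
    if local.date() in holidays:
        return "holiday"
    if local.weekday() >= 5:  # Saturday=5, Sunday=6
        return "weekend"
    if start_hour <= local.hour < end_hour:  # 8 a.m. up to but not including 5 p.m.
        return "office_hours"
    return "after_hours"


def office_hours_profile(events, tz, holidays=frozenset()) -> dict:
    """Count events per bucket and return the fraction that fall in weekday office hours."""
    counts = Counter(classify(parse_utc(e), tz, holidays) for e in events)
    total = sum(counts.values())
    return {
        "counts": dict(counts),
        "office_hours_fraction": counts["office_hours"] / total if total else 0.0,
    }


def rank_timezones(events, candidates) -> list:
    """Score each candidate timezone/holiday calendar; the best fit has the highest office-hours fraction."""
    scored = [(name, office_hours_profile(events, tz, hol)) for name, (tz, hol) in candidates.items()]
    return sorted(scored, key=lambda item: item[1]["office_hours_fraction"], reverse=True)


if __name__ == "__main__":
    for name, profile in rank_timezones(SAMPLE_EVENTS_UTC, CANDIDATES):
        print(f"{name:20s} office-hours fraction={profile['office_hours_fraction']:.2f} {profile['counts']}")
```

On the constructed sample, the Moscow calendar places six of nine events in weekday office hours, with the remaining three explained as a weekend, a holiday and a late-night session, while the US Eastern candidate fits only two. As the article's own sources note, such a pattern is circumstantial: it is consistent with an office-based operator in that timezone but does not by itself identify who is behind the keyboard.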

“There are very strong indications, and it’s our belief, that it’s coming from Russia and that it may be a sponsored [intelligence] activity,” a senior Energy Department official said in an interview. “This is not random. It’s organized.”

No classified computers are known to have been breached and no networks have been wrecked or damaged. But the government’s unclassified networks contain huge troves of confidential and sensitive data that are potentially valuable to foreign governments, terrorist groups and private companies, officials said.

Defense Department networks, for example, carry records about military logistics, planning, purchases, payrolls and personnel, as well as routine e-mail among Pentagon personnel.

“It’s the magnitude of the extraction that is alarming to us,” Arthur L. Money, assistant secretary of Defense for command, control, communications and intelligence, said in an interview. The hackers, he noted, “can get insight into sensitive operations” even from unclassified files.


Money said that the cyber-assault has so compromised the Pentagon’s main unclassified computer system, the Non-Classified Internet Protocol Router Network, that after this month, all NIPRNET communications will be routed through eight large electronic gateways that will be easier to monitor. Access now can be gained through thousands of “back-door” connection points around the globe, he said.

The Pentagon also has ordered $200 million in new encryption technology, as well as upgraded intrusion detection devices and computer “firewalls,” to prevent unauthorized use of NIPRNET. Even passwords will be encrypted.

At NASA, the Moonlight Maze attacks are “massive, really very massive,” and “very, very surreptitious,” NASA Inspector General Roberta Gross said in an interview.

“It’s difficult to tell what the damage is,” Gross said. “They weren’t shutting down systems. They were taking file listings, looking to see what’s in people’s directories.”

Gross said that the intruders also installed “parking tools that they can use to get back in later.” Such electronic “trapdoors” may be used to evade detection devices and to secretly regain access to a computer system.

Another computer security expert called Moonlight Maze “the longest-running and most widespread attack we’ve seen. It’s not been stopped. It’s not been [determined] who. And it’s not even clear why. But the consequences are potentially huge.”


Officials said that the intensity of the intrusions has declined since last spring and summer, when the U.S. Navy first documented the use of “low-bandwidth attacks” and the FBI recommended countermeasures to network administrators. It is not clear if more recent intrusions have come from the same source or if the original hackers have developed tactics to hide their tracks.

The Moonlight Maze case has sparked a fierce debate in intelligence circles. Because the attacks have followed such a distinct pattern, most experts discount the involvement of the usual suspects in hacking cases: disgruntled workers or thrill-seeking teenagers.

One U.S. intelligence veteran, now a Senate staff member, said that the Internet has created huge new opportunities, as well as frightening vulnerabilities, for spy agencies around the world.

“Think of it,” he said. “You can sit anywhere in the world now and run an espionage operation. You find the name of a scientist at a nuclear lab, for example. Get his credit ratings, his bank statement, his school records, his mortgage, his insurance, his hospital records. Probe for weaknesses.”

Despite the evidence assembled so far, the Russian government is not necessarily responsible for the Moonlight Maze attacks. A senior White House official said that the evidence so clearly points to Russia that it almost suggests a deliberate diversion.

“Some people think it’s meant to draw our attention away from other things,” the official said. “Some people think it’s designed to test our reaction.”


Other intelligence experts argued that skilled hackers hired by Russian organized crime elements may be probing for commercially valuable information. Some of the files apparently stolen include bidding documents and contracts. Some experts suggested that France, a longtime proponent of economic espionage, may be the ultimate customer. That theory also remains unproved, however.

“It merely demonstrates the challenge of cyberspace,” said Frank Cilluffo, deputy director of the global organized crime project at the Center for Strategic and International Studies, a Washington think tank. “Who’s behind the clickety-clack of a computer? It could be a block away and made to look like it’s coming from halfway around the world.”

It wouldn’t be the first time.

U.S. government computer networks and Web sites were bombarded with attacks that appeared to be coming from China after a U.S. warplane mistakenly bombed the Chinese Embassy in Belgrade during the Kosovo conflict last spring.

The White House official said that a subsequent inquiry found many of the attacks had originated in the United States but had been “bounced” off Chinese Internet servers.

Then there was Solar Sunrise, the code name for another FBI cyber-investigation.

In February 1998, as the Pentagon was increasing military forces around the Persian Gulf in response to rising tension with Iraq, the Air Force detected a wave of cyber-attacks at more than 90 bases and facilities.

Over the next few weeks, penetrations were detected at more than 500 government, military and private sector computer systems, according to the FBI.


“It was very difficult to ascertain where the attacks were coming from or why,” said Money, the assistant secretary of Defense. “Some passed through Europe, or through southwest Europe. Some days we had eight or nine [attacks] hopping from one server to the next around the world.”

Because of the timing, and because some of the attacks were traced to Internet servers around the Persian Gulf, the Clinton administration initially suspected that Iraq or its supporters had launched a cyber-war. After six weeks, however, an Israeli man code-named “the Analyzer” and two 16-year-old high school students in Cloverdale, Calif., were identified as the culprits.

The Israeli National Police, working with U.S. authorities, arrested Ehud Tenenbaum and charged him with illegally accessing U.S. and Israeli government computers. The two teens, who have not been publicly identified, were charged and tried in juvenile court, according to one of Money’s aides.

The FBI said there was no indication that the attacks were part of an organized military or state-sponsored campaign.

In an interview late Wednesday, Sen. Jon Kyl (R-Ariz.), who chaired the Senate subcommittee hearing, called the public unveiling of Moonlight Maze “extraordinarily significant,” but only part of a recent series of worrying incidents.

“Terrorism, espionage, deliberate attempts to disrupt . . . insider activities, hacking, all these activities are currently going on,” Kyl said. “It’s mind-boggling.”


A General Accounting Office report released at Wednesday’s hearing warned that much of the U.S. government remains highly vulnerable. The report said that recent audits showed 22 of the largest federal agencies “have serious computer security weaknesses.”
