[ISN] Pentagon Computers Under Assault

From: William Knowles (wkat_private)
Date: Sun May 06 2001 - 23:00:49 PDT

  • Next message: InfoSec News: "[ISN] Is it up, or is it down?"

    By Vernon Loeb
    Washington Post Staff Writer
    Monday, May 7, 2001; Page A02
    A series of sophisticated attempts to break into Pentagon computers
    has continued for more than three years, and an extensive
    investigation has produced "disturbingly few clues" about who is
    responsible, according to a member of the National Security Agency's
    advisory board.
    The NSA consultant, James Adams, says U.S. diplomats lodged a formal
    protest with the Russian government last year after investigators
    determined that the cyber attacks, which they code-named "Moonlight
    Maze," appear to have originated from seven Russian Internet
    addresses. But Russian officials replied that the telephone numbers
    associated with the sites were inactive and denied any prior knowledge
    of the attacks, according to Adams.
    "Meanwhile, the assault has continued unabated," Adams wrote in this
    month's Foreign Affairs magazine, published by the Council on Foreign
    Relations. "The hackers have built 'back doors' through which they can
    re-enter the infiltrated systems at will and steal further data; they
    have also left behind tools that reroute specific network traffic
    through Russia."
    Adams described Moonlight Maze as "the most persistent and serious
    computer attack against the United States to date." He also disclosed
    that it has triggered "the largest cyber-intelligence investigation
    But U.S. investigators, he wrote, still do not know "who is behind the
    attacks, what additional information has been taken and why, to what
    extent the public and private sectors have been penetrated, and what
    else has been left behind that could still damage the vulnerable
    Both the FBI and the U.S. Space Command, which has primary
    responsibility for defending Pentagon computers, declined comment. But
    one source close to the case confirmed that the attacks are continuing
    and said U.S. investigators know far more about them than Adams
    A State Department official also confirmed that a dmarche was issued
    to the Russians over the apparent attempts at computer espionage.
    U.S. defense and intelligence officials have expressed increasing
    concern about the possibility that foreign countries or terrorists
    might use cyber-attacks to counter America's overwhelming military
    Ronald L. Dick, director of the FBI's National Infrastructure
    Protection Center, told Congress last month that the military services
    recorded more than 1,300 serious cyber-attacks in 1999 and 2000. The
    FBI, he said, has 1,219 pending cases involving cyber-crime, including
    102 "computer intrusions into government systems."
    Many cyber-attacks are mainly nuisances. They involve defacing Web
    pages or trying to overwhelm servers, which can be costly but do not
    threaten government secrets.
    Moonlight Maze is different. It was first uncovered in March 1998,
    when network security specialists at the Defense Information Systems
    Agency discovered that attackers had entered unclassified Pentagon
    networks through a technique known as "tunneling," in which malicious
    codes, or instructions, are embedded within programs for routine
    computer operations. Because the attackers' commands are disguised in
    this fashion, they are difficult for systems administrators to detect.
    A General Accounting Office report on the Pentagon's computer
    security, issued in March, described Moonlight Maze as "a series of
    recurring, 'stealth-like' attacks . . . that federal incident-response
    officials have attributed to foreign entities and are still
    A year and a half ago, in the government's first official comment on
    the case, the FBI's top computer security official, Michael A. Vatis,
    told Congress that attacks appearing to originate in Russia had stolen
    "unclassified but still sensitive information about essential defense
    technical research matters."
    Officials at the Pentagon and NSA have called the intrusions "massive"
    and said they caused significant disruptions on important but
    unclassified government networks, including the Pentagon's
    Non-Classified Internet Protocol Router Network, or NIPRNET.
    Dion Stempfley, a former Pentagon computer security analyst who helped
    detect Moonlight Maze, said Friday that he was not surprised that the
    attacks were continuing, given the sophistication of the attackers'
    tunneling techniques.
    Now a principal security engineer at Riptech Inc., a computer security
    firm, Stempfley said U.S. law enforcement officials initially decided
    to track the attacks only "passively."
    Part of their caution stemmed from legal concerns about whether
    "hack-backs" that might have crippled the intruders' capabilities
    could have been construed as an act of war, if the intruders were
    state-sponsored, he said.
    Stempfley said the sophistication and persistence of the Moonlight
    Maze attacks are not necessarily signs of state sponsorship, because
    many hackers demonstrate both skill and stubbornness. But the
    continuation of the attacks, Stempfley said, could be an indication
    that Moonlight Maze is "state allowed," meaning that Russian
    authorities are permitting, if not directing, the attacks.
    Fred Cohen, a computer security expert at Sandia National Laboratories
    in Albuquerque, said he was not surprised that the attacks have
    continued. But there is nothing so sophisticated about Moonlight Maze
    that federal security officials cannot protect their networks, Cohen
    "If somebody is into a system and you want to stop them, you can stop
    them," he said.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is hosted by SecurityFocus.com
    To unsubscribe email LISTSERVat_private with a message body of

    This archive was generated by hypermail 2b30 : Mon May 07 2001 - 00:17:02 PDT