Authors: Fred Kaplan
Dark Territory (11 page)
The Justice Department task force was set to let the boys hang themselves a bit longer, but on February 25, John Hamre spoke to reporters at a press breakfast in Washington, D.C. Still frustrated with the military's inaction on the broader cyber threat, he outlined
the basic facts of Solar Sunrise (which, until then, had been kept secret), calling it
“the most organized and systematic attack” on American defense systems to date. And he disclosed that the suspects were two teenagers in Northern California.
At that point, the FBI had to scramble before the boys heard about Hamre's remarks and erased their files. Agents quickly obtained a search warrant and entered Stimpy's house. There he was, in his bedroom, sitting at a computer, surrounded by empty Pepsi cans and half-eaten cheeseburgers. The agents arrested the boys while carting off the computer and several floppy disks.
Stimpy and Makaveli (whose real names were kept under seal, since they were juveniles) were sentenced to three years probation and a hundred hours of community service; they were also barred from going on the Internet without adult supervision.
Israeli police arrested Tenenbaum and four of his apprentices, who were all twenty years old; he served eight months in prison, after which he started an information security firm, then moved to Canada, where he was arrested for hacking into financial sites and stealing credit card numbers.
At first, some U.S. officials were relieved that the Solar Sunrise hackers turned out to be just a couple of kidsâor, as one FBI official put it in a memo,
“not more than the typical hack du jour.” But most officials took that as the opposite of reassurance: if a couple of kids could pull this off, what could a well-funded, hostile nation-state do?
They were about to find out.
In early March, just as officials at NSA, DISA, and the Joint Staff's Information Operations Response Cell were closing their case files on Solar Sunrise and going back to their workaday tasks, word came through that someone had hacked into the computers at Wright-Patterson Air Force Base, in Ohio, and was pilfering
filesâunclassified but sensitiveâon cockpit design and microchip schematics.
Over the next few months, the hacker fanned out to other military facilities. No one knew his location (the hopping from one site to another was prodigious, swift, and global); his searches bore no clear pattern (except that they involved high-profile military R&D projects). The operation was a sequel of sorts to Solar Sunrise, though more elaborate and puzzling; so, just as night follows day, the task force called it Moonlight Maze.
Like the Solar Sunrise gang, this hacker would log in to the computers of university research labs to gain access to military sites and networks. But in other ways, he didn't seem at all like some mischievous kid on a cyber joyride. He didn't dart in and out of a site; he was persistent; he was looking for specific information, he seemed to know where to find it, and, if his first path was blocked, he stayed inside the network, prowling for other approaches.
He was also remarkably sophisticated, employing techniques that impressed even the NSA teams that were following his moves. He would log on to a site, using a stolen username and password; when he left, he would rewrite the log so that no one would know he'd ever been there. Finding the hacker was touch-and-go: the analysts would have to catch him in the act and track his moves in real time; even then, since he erased the logs when exiting, the on-screen evidence would vanish after the fact. It took a while to convince some higher-ups that there had
been
an intrusion.
A year earlier, the analysts probably wouldn't have detected a hacker at all, unless by pure chance. About a quarter of the servers in the Air Force were wired to the network security monitors in San Antonio; but most of the Army, Navy, and civilian leaders in the Pentagon would have had no way of knowing whether an intruder was present, much less what he was doing or where he was from.
That all changed with the one-two-three punch of Eligible Receiver, the Marsh Commission Report, and Solar Sunriseâwhich, over a mere eight-month span, from June 1997 to February 1998, convinced high-level officials, even those who had never thought about the issue, that America was vulnerable to a cyber attack and that this condition endangered not only society's critical infrastructure but also the military's ability to act in a crisis.
Right after Eligible Receiver, John Hamre called a meeting of senior civilians and officers in the Pentagon to ask what could be done. One solution, a fairly easy gap-filler, was to authorize an emergency purchase of devices known as intrusion-detection systems or IDSâa company in Atlanta, Georgia, called Internet Security Systems, could churn them out in quantityâand to install them on more than a hundred Defense Department computers. As a result, when Solar Sunrise and Moonlight Maze erupted, far more Pentagon personnel saw what was happening, far more quickly, than they otherwise would have.
Not everyone got the message. After Eligible Receiver, Matt Devost, who'd led the aggressor team in war games testing the vulnerability of American and allied command-control systems, was sent to Hawaii to clean up the networks at U.S. Pacific Command headquarters, which the NSA Red Team had devastated. Devost found gaps and sloppiness everywhere. In many cases, software vendors had long ago issued warnings about the vulnerabilities along with patches to fix them; the user had simply to push a button, but no one at PacCom had done even that. Devost lectured the admirals, all of them more than twice his age. This wasn't rocket science, he said. Just put someone in charge and order him to install the repairs. When Solar Sunrise erupted, Devost was working computer forensics at the Defense Information Systems Agency. He came across PacCom's logs and saw that they still hadn't fixed their problems: despite his strenuous efforts, nothing had changed. (He decided at
that point to quit government and do computer-attack simulations in the private sector.)
Even some of the officers who'd made the changes, and installed the devices, didn't understand what they were doing. Six months after the order went out to put intrusion-detection systems on Defense Department computers (still a few weeks before Solar Sunrise), Hamre called a meeting to see how the devices were working.
An Army one-star general furrowed his brow and grumbled that he didn't know about these IDS things: ever since he'd put them on his computers, they were getting attacked every day.
The others at the table suppressed their laughter. The general didn't realize that his computers might have been getting hacked every day for months, maybe years; all the IDS had done was to let him know it.
Early on in Solar Sunrise, Hamre called another meeting, imbued with the same sweat of urgency as the one he'd called in the wake of Eligible Receiver, and asked the officers around him the same question he'd asked before:
“Who's in charge?”
They all looked down at their shoes or their notepads, because, in fact, nothing had changed; no one was still in charge. The IDS devices may have been in place, but no one had issued protocols on what to do if the alarm went off or how to distinguish an annoying prank from a serious attack.
Finally, Brigadier General John “Soup” Campbell, the commander of the secret J-39 unit, who'd been the Joint Staff's point man on Eligible Receiver, raised his hand. “I'm in charge,” he said, though he had no idea what that might mean.
By the time Moonlight Maze started wreaking havoc, Campbell was drawing up plans for a new office called Joint Task Force-Computer Network Defenseâor JTF-CND. Orders to create the task force had been signed July 23, and it had commenced operations on December 10. It was staffed with just twenty-three officers, a mix
of computer specialists and conventional weapons operators who had to take a crash course on the subject, all crammed into a trailer behind DISA headquarters in the Virginia suburbs, not far from the Pentagon. It was an absurdly modest effort for an outfit that, according to its charter, would be
“responsible for coordinating and directing the defense of DoD computer systems and computer networks,” including “the coordination of DoD defensive actions” with other “government agencies and appropriate private organizations.”
Campbell's first steps would later seem elementary, but no one had ever taken themâfew had thought of themâon such a large scale. He set up a 24/7 watch center, established protocols for alerting higher officials and combatant commands of a cyber intrusion, andâthe very first stepâsent out a communiqué, on his own authority, advising all Defense Department officials to change their computer passwords.
By that point, Moonlight Maze had been going on for several months, and the intruder's intentions and origins were still puzzling. Most of the intrusions, the ones that were noticed, took place in the same nine-hour span. Just as they'd done during Solar Sunrise, some intelligence analysts in the Pentagon and the FBI looked at a time zone map, did the math, and guessed that the attacker must be in Moscow. Others, in the NSA, noted that Tehran was in a nearby time zone and made a case for Iran as the hacker's home.
Meanwhile, the FBI was probing all leads. The hacker had hopped through the computers of more than a dozen universitiesâthe University of Cincinnati, Harvard, Bryn Mawr, Duke, Pittsburgh, Auburn, among othersâand the bureau sent agents to interview students, tech workers, and faculty on each campus. A few intriguing suspects were tagged here and thereâan IT aide who answered questions nervously, a student with a Ukrainian boyfriendâbut none of the leads panned out. The colleges weren't the source of the hack; like the Lawrence Berkeley computer center in Cliff Stoll's
The
Cuckoo's Egg
, they were merely convenient transit points from one target site to another.
Finally, three breakthroughs occurred independently. One was inspired by Stoll's book. Stoll had captured the East German hacker a dozen years earlier by creating a “honey pot”âa set of phony files, replete with directories, documents, usernames, and passwords (all of Stoll's invention), seemingly related to the American missile-defense program, a subject of particular interest to the hacker. Once lured to the pot, he stayed in place long enough for the authorities to trace his movements and track him down. The interagency intelligence group in charge of solving Moonlight Mazeâmainly NSA analysts working under CIA auspicesâdecided to do what Stoll had done: they created a honey pot, in this case a phony website of an American stealth aircraft program, which they figured might lure their hacker. (Everyone in the cyber field was enamored of
The Cuckoo's Egg
; when Stoll, a long-haired Berkeley hippie, came to give a speech at NSA headquarters not long after his book was published, he received a hero's welcome.) Just as in Stoll's scheme, the hacker took the bait.
But with their special access to exotic tools, the NSA analysts took Stoll's trick a step further. When the hacker left the site, he unwittingly took with him a digital beaconâa few lines of code, attached to the data packet, which sent back a signal that the analysts could follow as it piggybacked through cyberspace. The beacon was an experimental prototype; sometimes it worked, sometimes it didn't. But it worked well enough for them to trace the hacker to an IP address of the Russian Academy of Sciences, in Moscow.
Some intelligence analysts, including at NSA, remained skeptical, arguing that the Moscow address was just another hopping point along the way to the hacker's real home in Iran.
Then came the second breakthrough. While Soup Campbell was setting up Joint Task Force-Computer Network Defense, he hired a
naval intelligence officer named Robert Gourley to be its intel chief. Gourley was a hard-driving analyst with a background in computer science. In the waning days of the Cold War, he'd worked in a unit that fused intelligence and operations to track, and aggressively chase, Russian submarines. He'd learned of this fusion approach, five years earlier, at an officers' midcareer course taught by Bill Studeman and Rich Haverâthe intelligence veterans who, a decade earlier, under the tutelage of Admiral Bobby Ray Inman, had pushed for the adoption of counter command-control warfare.
Shortly before joining Campbell's task force, Gourley attended another conference, this one lasting just a day, on Navy operations and intelligence. Studeman and Haver happened to be among the lecturers. Gourley went up to them afterward to renew his acquaintance. A few weeks later, ensconced in his task force office, he phoned Haver on a secure line, laid out the Moonlight Maze problem, as well as the debate over the intruder's identity, and asked if he had advice on how to resolve it.
Haver recalled that, during the Cold War, the KGB or GRU, the Soviet military's spy agency, often dispatched scientists to international conferences to collect papers on topics of interest. So Gourley assembled a small team of analysts from the various intelligence agencies and scoured the logs of Moonlight Maze to see what topics interested this hacker. The swath, it turned out, covered a bizarrely wide range: not just aeronautics (the topic of his first search, at Wright-Patterson) but also hydrodynamics, oceanography, the altimeter data of geophysical satellites, and a lot of technology related to surveillance imagery. Gourley's team then scanned databanks of recent scientific conferences. The matchup was at least intriguing: Russian scientists had attended conferences on every topic that attracted the hacker.
That, plus the evidence from the honey pot and the absence of signs pointing to Iran or any other Middle Eastern source, led Gourley
to conclude that the culprit was Russia. It was a striking charge: a
nation-state
was hacking American military networksâand not just any nation-state, but America's former enemy and now, supposedly, postâCold War partner.
Gourley brought his finding to Campbell, who was shocked. “Are you saying that we're under attack?” he asked. “Should we declare war?”