Pentagon Computers Under Assault

Russians Suspected, but Few Clues Seen to Ongoing Attacks' Source

By Vernon Loeb
Washington Post Staff Writer
Monday, May 7, 2001; Page A02

A series of sophisticated attempts to break into Pentagon computers has continued for more than three years, and an extensive investigation has produced "disturbingly few clues" about who is responsible, according to a member of the National Security Agency's advisory board.

The NSA consultant, James Adams, says U.S. diplomats lodged a formal protest with the Russian government last year after investigators determined that the cyber attacks, which they code-named "Moonlight Maze," appear to have originated from seven Russian Internet addresses. But Russian officials replied that the telephone numbers associated with the sites were inactive and denied any prior knowledge of the attacks, according to Adams.

"Meanwhile, the assault has continued unabated," Adams wrote in this month's Foreign Affairs magazine, published by the Council on Foreign Relations. "The hackers have built 'back doors' through which they can re-enter the infiltrated systems at will and steal further data; they have also left behind tools that reroute specific network traffic through Russia."

Adams described Moonlight Maze as "the most persistent and serious computer attack against the United States to date." He also disclosed that it has triggered "the largest cyber-intelligence investigation ever."

But U.S. investigators, he wrote, still do not know "who is behind the attacks, what additional information has been taken and why, to what extent the public and private sectors have been penetrated, and what else has been left behind that could still damage the vulnerable networks."

Both the FBI and the U.S. Space Command, which has primary responsibility for defending Pentagon computers, declined comment. But one source close to the case confirmed that the attacks are continuing and said U.S. investigators know far more about them than Adams indicated.

A State Department official also confirmed that a démarche was issued to the Russians over the apparent attempts at computer espionage.

U.S. defense and intelligence officials have expressed increasing concern about the possibility that foreign countries or terrorists might use cyber-attacks to counter America's overwhelming military superiority.

Ronald L. Dick, director of the FBI's National Infrastructure Protection Center, told Congress last month that the military services recorded more than 1,300 serious cyber-attacks in 1999 and 2000. The FBI, he said, has 1,219 pending cases involving cyber-crime, including 102 "computer intrusions into government systems."

Many cyber-attacks are mainly nuisances. They involve defacing Web pages or trying to overwhelm servers, which can be costly but do not threaten government secrets.

Moonlight Maze is different. It was first uncovered in March 1998, when network security specialists at the Defense Information Systems Agency discovered that attackers had entered unclassified Pentagon networks through a technique known as "tunneling," in which malicious codes, or instructions, are embedded within programs for routine computer operations. Because the attackers' commands are disguised in this fashion, they are difficult for systems administrators to detect.

A General Accounting Office report on the Pentagon's computer security, issued in March, described Moonlight Maze as "a series of recurring, 'stealth-like' attacks . . . that federal incident-response officials have attributed to foreign entities and are still investigating."

A year and a half ago, in the government's first official comment on the case, the FBI's top computer security official, Michael A. Vatis, told Congress that attacks appearing to originate in Russia had stolen "unclassified but still sensitive information about essential defense technical research matters."

Officials at the Pentagon and NSA have called the intrusions "massive" and said they caused significant disruptions on important but unclassified government networks, including the Pentagon's Non-Classified Internet Protocol Router Network, or NIPRNET.

Dion Stempfley, a former Pentagon computer security analyst who helped detect Moonlight Maze, said Friday that he was not surprised that the attacks were continuing, given the sophistication of the attackers' tunneling techniques.

Now a principal security engineer at Riptech Inc., a computer security firm, Stempfley said U.S. law enforcement officials initially decided to track the attacks only "passively."

Part of their caution stemmed from legal concerns about whether "hack-backs" that might have crippled the intruders' capabilities could have been construed as an act of war, if the intruders were state-sponsored, he said.

Stempfley said the sophistication and persistence of the Moonlight Maze attacks are not necessarily signs of state sponsorship, because many hackers demonstrate both skill and stubbornness. But the continuation of the attacks, Stempfley said, could be an indication that Moonlight Maze is "state allowed," meaning that Russian authorities are permitting, if not directing, the attacks.

Fred Cohen, a computer security expert at Sandia National Laboratories in Albuquerque, said he was not surprised that the attacks have continued. But there is nothing so sophisticated about Moonlight Maze that federal security officials cannot protect their networks, Cohen said.

"If somebody is into a system and you want to stop them, you can stop them," he said.

© 2001 The Washington Post Company

-- Anonymous, May 06, 2001