Case History: Hunting a Hacker

Friday, March 9, 2012 @ 11:03 AM gHale

By Richard Sale
Headlines screamed out the news: One of the world’s most-wanted hackers secretly became an FBI informant last year, providing evidence that led to charges Tuesday against five other suspected leaders of the Anonymous International Hacking Group.

The FBI called it a “major blow to Anonymous, which has attacked the websites of government agencies and companies around the world.” But U.S. sources said the use of moles has been a common practice of U.S. investigators since the mid-1990s.


Government spooks are usually very quiet about what it takes to nab a hacker, but there is a documented case, old as it is, that shows what investigators must endure – and understand – in an effort to catch a bad guy. U.S. investigators provided the case: the Rome Laboratory at Griffiss Air Force Base in Rome, NY, was hacked on March 18, 1994. Military investigators knew instantly it was no ordinary job. At the time the base was the site of highly classified activity, including research on artificial intelligence, radar guidance systems, and target detection and tracking systems. Sensing this was no ordinary case, investigators, including some from the Air Force Computer Crime Investigations Unit, jumped into action.

The first goal after such a break-in is to assess the importance of the compromised material. The feds soon discovered that a sniffer had been planted on a base computer. A sniffer is a program that passively captures network traffic; this one recorded the first 128 keystrokes of each connection, which is all it takes to capture the user name and password typed at the start of a login. The choice was to either shut the door on the hacker, or leave it half open and let investigators follow the chain of cyber contacts to catch the offender in the act. The evidence had to be decisive.
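To make concrete why a capture limited to the first 128 bytes of a session was enough to steal logins, here is an added example that is not code from the article or from the investigation. It models such a sniffer in Python: it reassembles packets per host pair, keeps only the first 128 bytes, strips telnet option negotiation, and pulls the user name and password out of that prefix. The packets, addresses, prompts and credentials are constructed for the example; only the 128-byte limit comes from the article.

```python
"""Added example: a toy model of the Rome Lab sniffer.  It keeps the first
CAPTURE_LIMIT bytes of each session and extracts cleartext credentials from
that prefix.  All packet data below is constructed for the example."""
import re
from dataclasses import dataclass, field

CAPTURE_LIMIT = 128  # the article's figure: first 128 keystrokes per session


@dataclass
class Flow:
    data: bytearray = field(default_factory=bytearray)
    truncated: bool = False  # True once the session outgrew the capture limit


class Sniffer:
    """Reassembles both directions of a session, bounded by the capture limit."""

    def __init__(self, limit=CAPTURE_LIMIT):
        self.limit = limit
        self.flows = {}

    def observe(self, src, dst, payload):
        key = frozenset((src, dst))  # same key for both directions of a session
        flow = self.flows.setdefault(key, Flow())
        room = self.limit - len(flow.data)
        if len(payload) > room:
            flow.truncated = True
        if room > 0:
            flow.data.extend(payload[:room])


# Telnet option negotiation: IAC (0xff), then DO/DONT/WILL/WONT, then an option byte.
IAC_OPTION = re.compile(rb"\xff[\xfb-\xfe].", re.S)
# A "login:" prompt, the name typed, then the password prompt and the password typed.
CRED = re.compile(rb"login:\s*([^\r\n]+)\r?\n.*?[Pp]assword:\s*([^\r\n]*)\r?\n", re.S)


def extract_credentials(data):
    """Return (user, password) from a captured prefix, or None if no login is present."""
    clean = IAC_OPTION.sub(b"", bytes(data))
    m = CRED.search(clean)
    if m is None:
        return None
    return m.group(1).decode(errors="replace"), m.group(2).decode(errors="replace")


# Constructed packets (src, dst, payload): two telnet-style logins.  Hosts are hypothetical.
PACKETS = [
    ("10.1.1.20", "10.1.1.5", b"\xff\xfd\x18\xff\xfb\x01login: "),
    ("10.1.1.5", "10.1.1.20", b"jdoe\r\n"),
    ("10.1.1.20", "10.1.1.5", b"Password: "),
    ("10.1.1.5", "10.1.1.20", b"hunter2\r\n"),
    ("10.1.1.20", "10.1.1.5", b"Last login: Fri Mar 18 09:41:12 1994 from 10.1.1.5\r\n"
                              b"SunOS Release 4.1.3 (GENERIC) #1\r\nrome-lab% "),
    ("10.1.1.5", "10.1.1.20", b"cat /export/ato/tasking.txt\r\n"),  # falls past the limit
    ("192.0.2.40", "192.0.2.7", b"login: "),
    ("192.0.2.7", "192.0.2.40", b"operator\r\n"),
    ("192.0.2.40", "192.0.2.7", b"Password: "),
    ("192.0.2.7", "192.0.2.40", b"rome94\r\n"),
]


def run(packets, limit=CAPTURE_LIMIT):
    """Feed every packet to a fresh sniffer and return it."""
    sniffer = Sniffer(limit)
    for src, dst, payload in packets:
        sniffer.observe(src, dst, payload)
    return sniffer


def summarize(sniffer):
    """Map each host pair to (credentials, bytes captured, truncated)."""
    return {
        tuple(sorted(key)): (extract_credentials(f.data), len(f.data), f.truncated)
        for key, f in sniffer.flows.items()
    }


if __name__ == "__main__":
    for hosts, (creds, n, cut) in summarize(run(PACKETS)).items():
        print(hosts, creds, f"{n} bytes captured", "(truncated)" if cut else "")
```

The first session overruns the limit, so the command typed after login never reaches the capture, yet the credentials do: that is the whole economy of a 128-byte sniffer, and it is why cleartext login protocols were the soft spot.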

The first tool investigators used was keystroke monitoring, a kind of wiretap. The investigators had to find the routes the hacker used to get in, so they began tracing the telephone routes through which he sent his commands. They soon discovered that the hacker was "phreaking" – manipulating the telephone network to place long-distance and international calls for free – to disguise his entry point and defeat any trace. Instead of accessing Rome Laboratory computers directly, he wove his way through phone switches and Internet sites worldwide, including Mexico, Europe, South America and Hawaii, establishing new links each time. The investigators found it bewildering. At one point the hacker seized control of Rome Laboratory systems and copied and downloaded air tasking orders and other sensitive data.

He also successfully attacked other government facilities, including NASA's Jet Propulsion Laboratory in California and the Goddard Space Flight Center in Maryland, as well as defense contractors and private-sector organizations. The government knew the intrusions were coming through two Internet providers, one based in Seattle and the other in New York.

Informers Form Hacker Team
The feds had run up against a wall, and this is where their moles came into play. This federal network of paid informers combed the Internet for security breaches and criminal intrusions. Many had once belonged to an illegal group that called itself "The Legion of Doom," which had been very active in the 1980s and early 1990s, and most had been convicted of computer crimes. Some federal informers worked out of a sense of conscience, while others were avoiding punishment or trying to get a charge reduced. Investigators set them to work combing cyberspace like sharks scanning the deeps for a meal.

It was then that the federal moles found the hacker had stumbled, and it was a serious stumble. When he launched a probe from Griffiss against the Army Corps of Engineers site in Vicksburg, MS, he inadvertently gave away the handles "Datastream" and "Kuji."

Only a few days after the break-in at Griffiss, a federal informant on the case turned up an email exchange with someone calling himself Datastream Cowboy. He said he was from England and was 16 years old. The federal hackers were skeptical: no 16-year-old could be such a wily, skilled intruder.

But Scotland Yard was alerted, and on April 5 Datastream Cowboy was traced to Tottenham, a suburb in North London. The Air Force spooks still had to connect him with the Rome Labs break-in, so they began monitoring all the intruder's contacts. Finally they found that the phone phreaking in the Griffiss intrusions originated in Tottenham. But that wasn't enough; they had to have more evidence. They waited.

Then came the big break. On April 10, exploiting the Griffiss intrusion, Datastream entered the home computer of an Air Force contractor. Using a sniffer, the 16-year-old captured the contractor's user name and log-on password, then ran the Internet Scanning Software against the system, hoping it would reveal weaknesses that invited further attack. It also raised the risk that the intruder would get hold of tools for cracking passwords.

Beginning of End
A few days later, on April 12, Datastream Cowboy broke into Brookhaven National Laboratory, a Department of Energy lab in New York. He stayed online on the contractor's system for two hours, and the Air Force spooks now focused on Kuji. Whenever Datastream had difficulty getting into a site, Kuji would log on and visit Internet providers; 20 to 40 minutes later Datastream would try the forbidden site again, and on the second try he usually got in. The feds now knew Datastream was being tutored by Kuji, though some suspected Kuji and Datastream were the same person.
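The inference in this paragraph is a timing correlation: a failed attempt by one actor, a login by a second actor shortly afterward, then a successful retry on the same target 20 to 40 minutes later. As an added example that is not from the article or the investigation, the Python below runs that rule over constructed log lines in a hypothetical format in which each session is already tagged with a handle (an assumption; in practice the handle is something the analyst attributes). It flags only the sequence that fits the window and leaves an uncoached success and a retry outside the window unflagged.

```python
"""Added example: correlate a failed attempt, a helper's login, and a
successful retry inside a time window.  Log lines and the actor tags are
constructed for the example, not real investigation records."""
import re
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical format.  Tagging each session with a
# handle is an assumption made for the example.
LOG_LINES = """\
1994-04-12 13:58 actor=datastream event=fail target=brookhaven.example
1994-04-12 14:03 actor=kuji event=login target=isp-seattle.example
1994-04-12 14:31 actor=datastream event=success target=brookhaven.example
1994-04-12 16:10 actor=datastream event=fail target=wpafb.example
1994-04-12 17:45 actor=datastream event=success target=wpafb.example
1994-04-13 09:00 actor=datastream event=fail target=goddard.example
1994-04-13 09:05 actor=kuji event=login target=isp-newyork.example
1994-04-13 11:00 actor=datastream event=success target=goddard.example
""".splitlines()

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) actor=(\S+) event=(\S+) target=(\S+)$")


def parse(lines):
    """Parse log lines into (time, actor, event, target) tuples, sorted by time."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def find_coaching_chains(events, student="datastream", coach="kuji",
                         assist_window=timedelta(minutes=15),
                         retry_min=timedelta(minutes=20),
                         retry_max=timedelta(minutes=40)):
    """Flag fail -> coach login -> success sequences.

    The coach must log in within assist_window of the failure, and the
    student's success on the same target must land retry_min..retry_max
    after the coach's login (the article's 20-40 minute pattern).
    """
    chains = []
    for i, (t_fail, actor, event, target) in enumerate(events):
        if actor != student or event != "fail":
            continue
        later = events[i + 1:]
        coach_login = next((e for e in later
                            if e[1] == coach and e[2] == "login"
                            and e[0] - t_fail <= assist_window), None)
        if coach_login is None:
            continue  # nobody stepped in after this failure
        t_coach = coach_login[0]
        for t_ok, a, ev, tgt in later:
            if (a == student and ev == "success" and tgt == target
                    and retry_min <= t_ok - t_coach <= retry_max):
                chains.append({"target": target, "fail": t_fail,
                               "coach_login": t_coach, "success": t_ok})
                break
    return chains


if __name__ == "__main__":
    for c in find_coaching_chains(parse(LOG_LINES)):
        print(f"{c['target']}: fail {c['fail']:%H:%M}, coach login {c['coach_login']:%H:%M}, "
              f"success {c['success']:%H:%M}")
```

A correlation like this shows coordination between two sessions, not that they belong to one person or to two; that question still has to be settled with other evidence, which is exactly where the investigators found themselves.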

Then on April 14 they found the 16-year-old hopping in from a site in Latvia via the same Seattle provider Datastream had used before. Investigators then watched as Kuji entered the Goddard Space Flight Center in Maryland. The Air Force moved quickly to shut him out before he could transfer sensitive data.

It wasn't over. Kuji then invaded NATO Headquarters in Brussels and Wright-Patterson Air Force Base using the Internet scanning software. The Hague then reported Datastream had entered the Supreme Headquarters Allied Powers Europe Technical Centre (SHAPE) using

Final Straw
When Datastream went through Griffiss to get into the computer system of the Korean Atomic Research Institute, downloaded files, and then dumped them into the Griffiss lab system, the feds acted to avert a serious diplomatic incident. On May 12, when police burst into a North London home, 16-year-old music student Richard Pryce fell to the floor, crying, and curled up in a fetal position. He faced conspiracy charges, which were later dropped, and ended up paying a fine.

The hacker's attack could easily have proved disastrous. The Air Force said that three years of work and $4 million had been invested in an air tasking research project that they felt had only narrowly escaped compromise. Investigators said afterward that the hacker might have brought down the whole Rome Labs network if he hadn't been stopped. The Air Force was not certain whether the hacker had inflicted lasting damage by planting dormant "sleeper" code in the systems.

The cost of the investigation to U.S. taxpayers totaled over $500,000. This estimate included the time spent taking systems off the networks, verifying system integrity, installing security patches and restoring services, plus the cost of Air Force investigators.

Again, this is an 18-year-old case, and you could argue that new technologies now in place could have prevented the intrusion to begin with. But remember this hacker was working with what he knew back then. The mindset and sophistication of hackers today has advanced as much as any technology – or even more. So, could this hack attack happen today? What do you think?

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
