u'f EH33Ewifii lftuaI-Ifsatafaim 80 H 225 an W9 pi 01 26 1998 i 1 FEDERAL BUREAU OF INVESTIGATION Precedence ROUTINE Date 02 10 1999 To National Security Attn Room 11887 ncinnati Attn SAI Sq 4 From Philadelphia b6 Ft Washington RA b c Contact 8 Approved By Drafted By K0 Case ID Pending Titled t s MOONLIGHT MAZE Synopsis wya I I b3 I land are being forwarded to Cincinnati as evidence mm De Fro De Referenceuuygg Serial 45 --EW Ea Telephone call fro Engineering Research Facility Quantico b3 Va to 8 Philadelphia Division on 2 4 99 advisinq that b6 b c Package Cincinnati Division is I Details myh I 1 Itrap b3 and tracd I Lead to the Philadelohia Division Ft Washinqton II Eima ig bar 298- if-@563 9W To National Security From Philadelphia Re m 04 02 10 1999 $33 They are being forwarded via PederaT vnveqs to FBI Cincinnati Division Attention 4 Rooh h7C 9000 550 Main St Cincinnati Ohio 45273 8501 SAI can be reached ad I 06 l IIEECLAEEIFIEIE Sit FD-302 Rev 10 6-95 -1- FEDERAL BUREAU OF INVESTIGATION Date of transcription I Ifor Network and Systems Academic Computing Center Haverford College 370 Lancaster ford PA 19041-1392 telephone I fax -mai1 provided copies of a letter to cA Ia security log diary and log in lists Also provided was a data cartridge containing the same information we Investigation on 1 13 99 at Haverford PA File 288-CI-68562 77 Date dictated by SA This document contains neither recommendations nor conclusions of the FBI It is the property of the FBI and is loaned to your agency it and its contents are not to be distributed outside your agency 36 b7C J - u'f 1 85 5 5 m39m28i2 01 26 1998 same FEDERAL BUREAU OF INVESTIGATION Precedence ROUTINE pate 01 14 1999 Cincinnati Attn SA Squad 4 From Philadelphia NSRA be Cont ct SA b7C Approv ted By Case ID #dunfsi 288-CI-68562 Pending Title mm g MOONLIGHT MAZE Synopsis m CS Forward to Cincinnati information provided by Haverford College turisi Der1 G-3 Sify Enclosed for Cincinnati are the ori inal and b6 one copy of an 
FD-302 of interview ofI and a b7c letter memo computer logs and a computer data cartridge provided by Nocifore I I Investi ation continuing at b c Ipen register trap and trace 90 mo 9 65 94 7 - a 4 mania INDEXED my FD-302 Rev 10-6-95 11 33 1106 137$ EEFEIEI If earn wl w23l2 er -1- FEDERAL BUREAU OF INVESTIGATION Date of transcription 12 6 9 8 I I Academic Planning Office in Resources Management and Interim Direction of Computing and bf Information Services 826 Cathedral of Learning 4200 Fifth b C PA 15260 telephone number was contacted at his office Iwas advised of the identity of the investigating Agent and the nature of the inquiry was adv1sed that when the requested information has been compiled he should contact the investigating Agent to arrange for receipt of 4 1 - Jun OTHER Sealed Court Documents' Investigation on 12 15 l998_ at Pittsburgh PA Fi1e# 288 c1-68552 Datedictated 12 16 1998 be SAI This document contains neither recommendations nor conclusions of the FBI It is the property of the FBI and is loaned to your agency it and its contents are not to be distributed outside your agency 2- 9 is 9 54 2 8 b3 6 EXEC Sealed Court Documents ALE annexu zs siege us ie-eeie es DEEQEUC a ijataljsebfeio FD-302 Rev 10-6-95 1 193 FEDERAL BUREAU OF INVESTIGATION b6 b7C OTHER Sealed Court Documents Date of transcription 0 2 6 9 9 I Iadvised that the data was compiled by rof the University of Pittsb uting and bg Information Services Center PA can be 33 contacted at his office at Investigation on 2 ll 9 9 at Hamarvi 1 le PA Fi1e# Datedictated 02 12 99 by SA b 63 This document contains neither recommendations nor conclusions of the FBI It is the property of the FBI and is loaned to your agency it and its contents are not to be distributed outside your agency 2% Ch eESeew i Rev 10-6-95 0n02 1l 99 my 2 b6 b7C was advised to maintain a copy of this data and that he may be contacted for additional assistance in the furtherance of this investigation A hard copy printout of this 
information was not furnished at this time due to its voluminous nature b3 b6 b7C Sealed Court Documents 01 26 1998 BEELASSIFIEB BY Hi FEDERAL BUREAU OF INVESTIGATION Precedence ROUTINE Date 02 22 1999 To National Security Attn NI Room 11887 SSE v incinnati From Pittsburgh Squad 5 Contact SA II Approved By Drafted By Case ID # mrlsii 288 01 68562 Title wy 8 MOONLIGHT MAZE Synopsis ni g Reporting of lead coverage at University of Pittsburgh Pittsburgh PA Wl Deriv -3 De 1fy On Reference mw$sj Serial 40 Enclosures n x Enclosed University of Pittsburgh at Harmarville PA on 2 11 99 b6 b C m1 5 6 Furthermore enclosed is an for investigation on 2 11 99 at Harmarville PA reflecting interview of MT 2% m- eg eem s z b3 b6 b7C OTHER see To NSD CI From Pittsburgh Re M 288- 68562 02 22 1999 Sealed I TTn'ixrp'r qif'v n'F D'ii'tq'hn'r r rh I I Court Documents The above described enclosures represent investigation conducted Pittsburgh in connection with captioned matter at the University of Pittsburgh is the main point of contact and he has been advised to retain a copy of the information provided for possible future reference in the course of this investigation Pittsburgh considers this lead covered 00 01 26 1998 ALL FEE 35 SHELQSSIFIEE FEDERAL BUREAU OF INVESTIGATION Precedence IMMEDIATE To Moscow Attn Criminal Investigative Date 03 05 1999 Legat IIRU 1 Baltimore Cincinnati National Security 11719 Contact UC From Approved By Drafted By Case ID U Pending U Pending U Title U Moonlight Maze Synopsis I Deriv ssify On Administrative U RE fax from the National Infrastructure Protection Center NIPC to Legat Moscow on 3 5 1999 teletf es from the NIPC dated 3 5 99 and telcall from Acting UC on 3 5 99 NIPC to ALAT Details I The FBI and other United States Federal Investigators are currently investigating several intrusions into government computer systems which appear to be coming SECRE OFORN dff favor Jj lE BY SE ib ib7C b7D ti SEC NOFORN To Moscow From National Security Re U 03 05 1999 
b7E l Referral Consult U For information of Legat Unit Chief Computer Investiqation Unit NIPC will contac ing one of the following on Saturday March 6 1999 Moscow time and advise them of the same information provided above I136 b7c TT T hm hnvm liqi-n arm Tiara-H Thev b D arel I U It is requested that the Legat advise the NIPC after contact has been made the name of the person contacted and the reaction to the information provided 136 U The NIPC has coordinated this matter with b c Special Agent Baltimore Division SECRE OFORN To Moscow From National Security Re U 03 05 1999 SECRE OFORN Set Lead 1 BALIIMQBE AT BALTIMORE MARYLAND U For information only Set Lead 2 CINCINNATI AT CINCINNATI OHIO U For information only Set Lead 3 CRIMINAL INVESTIGATIVE AT WASHINGTON DC U For information only Set Lead 4 90 SECRE OFORN his CQETAINEB EEFEIIJ Ifi EATE U l w23 2 Ev 1213 302 Rev 10-5-95 i 'd -1- FEDERAL BUREAU OF INVESTIGATION Date of transcription 3 9 9 Atl onl I Den reqigterl I b3 Investigation Haverford PA File Date dictated 2 25 99 13 337 SA This document contains neither recommendations nor conclusions of the FBI It is the property of the FBI and is loaned to your agency it and its contents are not to be distributed outside your agency LT - was SEFEEB 3 3 i 01 26 1998 MR 1 19999CL Precedence ROUTINE Date 03 02 1999 To y incinnati Attn l I Squad 4 Evidence Control Center From Philadelphia Newtow Squa e RA Conta SA Approved b6 ib7C Drafted By TWQCICJ IUUW Egr 301937 -7ch Case ID 288-CI-68562 WM Title un s MOONLIGHT MAZE pen registerl Pending Derl 1fy wa-E j G-3 Package copy uytsj I 1 I the pen reglster g hClosures vkgj I registerl - Uix pen 00 567' 635 o f of ff 1103 A tam @153 me 01 26 1998 1 21999 9 FEDERAL BUREAU OF INVESTIGATION Precedence PRIORITY Date 02 08 1999 To incinnati Attn SA National Security Attn SSA From San Antonio Squad ll Austin Resident Aqencv Contact a Approved Drafted By Case ID Pending -3r Titleztm C991 MOONLIGHT MAZE Synopsis U 5% Lead covered FILM 
Deri Fr 3-3 Dec ify - 1 I Reference tUh Cs Serial 40 133 OTHER Sealed Court Documents Details Uig For information of Cincinnati 00 ze ff aZ f7 BY 88328588388858885818 881 01 26 1998 FEDERAL BUREAU OF INVESTIGATION Precedence ROUTINE Date 03 17 1999 To Cincinnati Attn 53D 4 I National Security Attn Poem 1 887 SSA From Philadelphia b6 Squad 9 me Contact Approved By Drafted By Case ID 288 CI 68562 Pendingk gp Title WIC8 MOONLIGHT MAZE Synopsis k Lead 3 to Philadelphia covered im 9 Der' G-3 b3 Sify 1 Reference Serial 45 I I Onl I trap and tracd Lead 3 to Philadelphia Division covered 99 j z Giff 48 ng ff ibS ib ib7C 'b7E Sealed Court Documents DEELASSIFIED If 6a 3 3 wi3jm3 lz 01 26 1998 3 I999 FEDERAL BUREAU OF INVESTIGATION Precedence ROUTINE Date 03 17 1999 To Cincinnati Attn SAI I Squad 4 vFrom Mobile Squad 4 0p21ika pa iba Contact SA b o Approved By Drafted By Case ID MOONLIGHT MAZE Synopsis WVC3i To report investigation conducted at Auburn University by Mobile Division Opelika RA Deri -3 Sify Reference Serial 40 Package CopyzmIiS Being forwarded under se arat cover is one 1 Sony 8mm data cartridge initialed by SA and dated 3 15 99 Detailsim zgj I IUI that he was unable to identify the connections from Wright Patterson Air Force Base WPAFB Dayton Ohio as he was unable to identif oorreenondino the Internet Protocol Address for WPAFB I I re To Cincinnati From Mobile 03 17 1999 U In View of the fact that additional investigation may be required Mobile Division Opelika RA does not consider this lead covered 90 12 31 1995 ALL FBI CDHTAEMED ES BY FEDERAL BUREAU OF INVESTIGATION Precedence PRIORITY Date 03 31 1999 To Moscow Attn A TI I Criminal Investigative Attn DAD San Francisco Attn LS Baltimore Attn SA Cincinnati Attn SA From National Security Rm 11719 I be Contact b c l Approved By Drafted By Case ID 288A BA 95348 Jb Pending 288A HQ 1266830 3kPending Title MOONLIGHT MAZE Synopsis To provide Legat Moscow with an update regarding the deployment of the Moonlight Maze 
investigative team and to request that Legat Moscow assist in obtaining reservations for the team's lodging while in Moscow.

Administrative: Reference telcal between ALAT [redacted] and iic March 1999 and telcal between Moscow Legat and IRB SSA [redacted] on March 31, 1999.

Reference: Electronic Communication dated March 16, 1999 to the National Security Division regarding the Moonlight Maze Operational Plan.

To: Moscow From: National Security Re: 03/31/1999

Airline travel arrangements have been completed with a scheduled departure on April 2, 1999 at 05:10 p.m. Eastern time from Dulles, VA on Delta flight #2772, connecting in Zurich, Switzerland on Delta flight #2850, which arrives in Moscow on April 3, 1999 at 3:05 p.m. If investigative coordination with the MVD has been completed, the team expects to depart Moscow the morning of April 10, 1999 with an arrival at Dulles, VA at 3:30 p.m. Eastern time that same date.

[Referral/Consult]

Concurrence regarding the investigative team's travel has been obtained from the FBI International Relations Branch, FBI Legat Moscow and U.S. Ambassador.

The Moonlight Maze Coordination Team will maintain a schedule in the SIOC beginning at midnight on April 4, 1999 EST until the deployment team returns. The anticipated hours of operation will be from 11:00 p.m. until 6:00 p.m. EST.

To: Moscow From: National Security Re: 03/31/1999
Set Lead 1:

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 04/01/1999
To: Criminal Investigative Attn: SSA
From: NSD 11719 Contact:
Approved By:
Drafted By:
Case ID: Pending Pending Pending
Title:
Synopsis: To request identification of appropriate SIOC operations facilities for Moonlight Maze Coordination Group.

Details: The Moonlight Maze Coordination Group (MMCG) has been verbally advised that the SIOC facility which it currently be required for NATO operations on or about April 15, 1999. The MMCG is deploying personnel to Moscow, Russia on April 2, 1999 in support of the above captioned
investigation. In order to maintain proper support for the deployed personnel and to assure continuity of operations, the MMCG requests that SIOC staff identify which SIOC operations room the MMCG will be assigned after vacating [redacted]. Rapid identification of this facility is requested, as considerable logistical challenges must be addressed, including movement of substantial quantities of computer hardware and communications gear and dissemination of new telephone and fax numbers. The MMCG anticipates occupying the newly assigned facility until about May 15, 1999.

ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED

FD-302 (Rev. 10-6-95)

-1-

Date of transcription 8/4/98

On July 29, 1998 at approximately 10:30, FA received a call from at South Carolina Research Authority, 5300 International Blvd, North Charleston, South Carolina, telephone number, pager number. This information is in relation to what is be Foreign Hackers Operating out of Russia.

informed FA [redacted] that he believes the Russians entered through South Carolina Research Authority (SCRA) computer system and then proceeded through the Wright Air Force Base computer system. After copying a file onto the South Carolina Research Authority Computer Networking Company computer, the Russians then copied the file over to their system. Before the Russians copied the file over to their system, one of the SRA employees copied these files and saved the work for future reference. The address used by the Russians was 25dot m9 3dot dial up dot Orc dot ru. The address used to get in the Wright Patterson Air Force Base

stated there was an extensive amount of files transfer. He felt sure his employee copied all the information before the files left the system. This was attempted once before without a breakthrough.

Investigation on 7/29/98 at CHARLESTON, SC (telephonically) File # 288-CI-68562 Date dictated 08/4/98 MA

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI
and is loaned to your agency; it and its contents are not to be distributed outside your agency.

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 03/24/1999
To: Cincinnati
From: Columbia, Charleston RA, Squad 6 Contact:
Approved By:
Drafted By:
Case ID:
Title: AIR FORCE INSTITUTE OF TECHNOLOGY MOONLIGHT MAZE
Synopsis: To provide information to receiving office.

Details: The following information was telephonically provided to writer by South Carolina Research Authority. As there is no active investigation in Columbia Division, information is provided to Cincinnati for whatever action Cincinnati may deem appropriate.

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 04/07/1999
To: London Attn: Legat
Ottawa Attn: Legat
National Security Attn: NIPC Attn:
From: Baltimore Squad Contact: SA [redacted]
Approved By:
Drafted By:
Case ID: Pending Pending 288A-HQ-1266830 Pending
Title: ARMY RESEARCH LAB INTRUSIONS INFO
Synopsis: To provide an update and status of the deployment of representatives of the Moonlight Maze Coordination Group (MMCG) to Moscow, Russia.

Details: The primary objective of the MMCG investigative operations plan is to provide attribution for prosecution of subject(s) in captioned investigation and to obtain investigative assistance [redacted]. Personnel from the MMCG will travel to Moscow [redacted] to the identification and prosecution of the subject(s) in captioned matter.

During the week of 9/21-26/1999, the MMCG hosted [redacted] in Washington, D.C. The MMCG presented five (5) intrusion incidents related to intrusion to [redacted] and formally requested the assistance of in support of this investigation. departed 999 and pledged the aggressive investigative support of in this matter.

The MMCG team that will deploy to Moscow is comprised of two Special Agents and one language specialist from the one Special Agent and one technical specialist from the Department of Defense, and one Special Agent from the National Aeronautics and Space Administration (NASA). This team departed from Dulles International Airport on 4/2/1999 and arrived in Moscow on 4/3/1999.

The MMCG will be staffed sixteen hours per day (2300-1800 EST) every day while the team is deployed to Moscow. The deployed team will communicate with the MMCG watch section to provide update of developments and coordination with [redacted]. It is anticipated that this team will return to Washington, D.C. on or about April 10, 1999.

To: London From: Baltimore Re: 04/07/1999

Set Lead 1: ALL RECEIVING OFFICES
For information only.

APR 19 1999

FEDERAL BUREAU OF INVESTIGATION

(12/31/1995)

Precedence: ROUTINE Date: 04/14/1999
To: Cincinnati Attn: SA Squad 4
From: Indianapolis SBRA Contact: SA [redacted]
Approved By:
Drafted By: lg wwk01 ec
Case ID: Pending
Title: MOONLIGHT MAZE
Synopsis: The purpose of this EC is to provide the results of requested lead investigation at South Bend, Indiana.

288-CI-68562 Serial 40

Enclosures: Enclosed for Cincinnati is one FD-302 documenting the interview of [redacted] Indiana University at South Bend, at South Bend, Indiana on 12/16/1998, at which time he provided one 8mm data cartridge tape, entered into evidence and sent under separate cover sent to Cincinnati
the interview of Indiana University at South Bend, South Bend, Indiana on 12/10/1998
3. One insert with copy documenting certain investigation conducted at South Bend, Indiana on 12/09/1998.

Pursuant to referenced serial, the above documented investigation was conducted at South Bend, Indiana, to include obtaining certain requested evidence. Said evidence was forwarded under separate cover previously to Cincinnati.

Lead covered at South Bend, Indiana.

FD-302 (Rev. 10-6-95) Sealed Court Documents

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of
transcription 0 l3 9 9 Indiana University at South Bend IUSB North Side Building Room 0069 1700 Mishawaka Avenue South Bend Indiana 46634 telephone number was contacted at T-TP was advi P 9d 19 1-0 the idsnt1t'v 31- the interviewinq Adent 12 16 98 South Bend Indiana File# by SA J Ol3wwk06 302 Date dictated 12 6 9 8 This document contains neither recommendations nor conclusions of the FBI It is the property of the FBI and is loaned to your agency it and its contents are not to be distributed outside your agency ALL IS U l i RID-302 REV 10-6-95 BATE U l 3012 5933'4f35fb -1- FEDERAL BUREAU OF INVESTIGATION Date of transcription 0 3 9 9 Indiana University at South Bend Office of Information Technologies b6 North Side Hall 1700 Mishawaka Avenue South Bend Indiana b c 46634 7111 telephone number Iprovided by facsimile transmission an initial response to the court order delivered to him on December 9 1998 One copy of said facsimile transmission is attached hereto Investigation on 12 10 98 at South Bend Indiana telephonically File# 288-CI-68562 Datedictated 12 10 98 1106 b C by SA ' 013wwk11 302 is document contains neither recommendations nor conclusions of the FBI It is the property of the FBI and is loaned to your agency it and its contents are not to be distributed outside your agency a 2 237 4846 R01 ZEJFQEMTIBEE TEFEIH Emits ml m38i3 FACSIMILE To Special Agent Of Federal Bureau of Investigation Fax 219-233 4574 Date December 10 1998 From I Of Indiana University South Bend Fax Phone Total of pages including cover 3 IUSB CJIT 219 237 4846- UNIVERSITY boon-1 BEND December 10 I998 Omar or TECHNOLOGIES use Northsidc llall l700 Avenue Post Office Box 7111 South Bend Indiana than I 1 219 357 4360 For 2H 337 4846 Special Agent Federal Bureau of investigation 100 E Wayne Street Suite 415 SouthB fest VOICE FAX 2l9 233-4574 Dear It was a pleasure to meet you yesterday when you dropped off the Application for ensuing Court Order for the information indicated within the Appendix 
of the Order indicated to you I would expect that this request for information will require no Search Warrant at this time until you deem it necessary to go down to the level of the comet individual user files. I regard all System files you have requested and that which gather relevant to your needs as to be available with no dispute. I will detail some complications relative to timeliness of production on some of that which you seek in can expect our full cooperation. This will be cleared with Indiana University Legal Counsel as well.

We can readily supply that information sought in Appendix A -- items 1, 4 and the SS employees or the Student ID number, the latter is generally the SSN. This is because items comprise the relevant information we collect and retain relative to establishment userid for our computer accounts on our locally administered host oitl iusb edu. Th 2, 3 and the rest of 5 are part of employee/student databases which are officially kept housed in Bloomington Indiana University and are not readily available to us in St Bend since we are a centrally administered University system. We do retain some to employee information regarding that sought under 2, 3 and 5, but that can not be rear practically joined with our account information within your three day timeline stated Court Order.

It may be an overkill of information gathering at this stage for us given the nature of information directly available to us. I would offer that if the investigation identifies problems out of the approximately 11,000 accounts which may be represented in the you will receive, that it might be better if we supply you the additional information regarding specific targets. Once specific targets have been identified from a prelimin investigation, a specific information look up can be done in very short order at that

This suggestion by no means challenges your anathema to seek the information nor a indicate an unwillingness on our part to supply the requested information, and if our suggestion is not
satisfactory we will proceed with gathering that information which require a few weeks or more of my staff time to construct the complete irg irmarimi S'et il all i users.

We shall immediately begin to gather the first set of information, some of which may have to wait until Monday, December 14, 1998 for my security officer/system administrator to return from a national meeting. I will await your advisement on the above offer before we begin the more protracted information gathering work, since it is not possible to comply within the three days for those items anyway.

I believe we can readily supply Appendix B items 1 and 2 but the detail collected Owl Iwill know better about this. It occurs to me that the mail logs may be available for that period and may provide supplementary information about communication targets by the mail agent.

I believe we can supply Appendix insofar as we can supply the items under Appendix BASS-C understand the request in Appendix D, that information will be contained in the information under Appendix A insofar as information available to us.

Additionally, I will ask to offer other logs which may be relevant to the investigation you detailed for us in your application for and to offer any other suggestions we initially observed after the situation had been first brought to our attention.

We shall begin complying with this order immediately and will await your counsel on the suggestion I offered above, since I would think it in no way hinders your investigation and may well speed up our ability to get the more important logs for your initial inspection.

Sincerely,

For Information Technologies

CC:

J Ol3wwk10 ins igation was conducted by Special Agent (SA) at South Bend, Indiana on 12/09/1998

[redacted] He advised his assistant is out of town and will return to the office on 12/14/1998.

OTHER: Sealed Court Documents

(12/31/1995)

FEDERAL BUREAU OF INVESTIGATION

Precedence:
ROUTINE Date: 04/21/1999
Attn er Squad 4
From: Philadelphia, Newtown Square Resident Agency Contact: SA
Approved By:
Drafted By:
Case ID: Pending
Title: MOONLIGHT MAZE
Synopsis: Forwarding pen registe
Package Copy: [redacted] the pen register [redacted]
Enc are [redacted] the pen register [redacted]
Details: Philadelphia is forwarding pen register

SECRET/NOFORN

April 15, 1999

RE: (U)

RECENT DEVELOPMENTS

(U) On 4/2/1999, the Moonlight Maze Coordination Group (MMCG) deployed a team to Moscow, Russia. The team consisted of the case agent from FBI Baltimore, a language specialist from FBI San Francisco, a supervisory special agent from FBIHQ, a representative from NASA, and two representatives from Air Force Office of Special Investigations.

(U) The MMCG team discussed the details of the intrusions previously identified by the MMCG. The MMCG briefed several investigators on the details of the case and requested assistance to determine the origin of the intrusions. The team discussed connection data from five computer intrusions involving systems from the Army, Navy, NASA and a commercial Internet Service Provider (ISP). assigned a team of investigators to each ISP. The MMCG team traveled with [redacted]. The two other teams determined that [redacted] had gone bankrupt and merged [redacted]

Briefing Book 1 1 18 Derive ources Dec 11 X1

(U) provided the team with a memorandum, of which a transcribed copy is attached to this note, which explained that they would present the evidence to the Prosecutor's Office for a decision about opening a criminal case.

(U) The MMCG returned from Moscow on 4/10/1999. On 4/15/1999, [redacted] contacte to obtain an update on their investigation. [redacted] During the week of have advised the Legat that they will provide him with the intruder's identity after they brief replacement and obtain his approval.

(U) Deputy Assistant Director [redacted] is scheduled to meet with the NIPC's Interagency Senior Coordinating Group on Monday, 4/19/1999 to update them on the MMCG's
activities and obtain information from the intelligence community about any recent intelligence collection concerning this matter.

BACKGROUND

(U) is the code name for a number of investigations of intrusions into various military, governmental, educational and other computer systems in the United States, United Kingdom, Canada, Brazil and Germany. Field investigations are being conducted by the Albuquerque, Baltimore, Cincinnati, Jackson, New Orleans and Springfield Divisions as Offices of Origin, and the Atlanta, Boston, Charlotte, Detroit, Indianapolis, Jacksonville, Knoxville, Mobile, New York, Pittsburgh, Salt Lake City, San Francisco and Washington Field Divisions as Lead Offices. The National Infrastructure Protection Center (NIPC) is coordinating these investigations with investigators from the Air Force Office of Special Investigations, Army, Naval Criminal Investigative Service, Defense Criminal Investigative Service, National Aeronautics and Space Administration, Department of Energy [Referral/Consult] well as the [redacted]. The NIPC is also coordinating internationally [redacted]. The NIPC has ensured that Legats London, Moscow and Ottawa are advised of the investigation in their respective territory.

(U) These investigations were initiated when intrusions were discovered at Wright Patterson Air Force Base (WPAFB), Ohio, and the Army Research Laboratory (ARL), Maryland, and other unclassified military systems, as well as various governmental, commercial and educational computer systems in the United States.

(U) The intruder(s) into WPAFB went through the University of Cincinnati, Cincinnati, Ohio [redacted] A pen register and trap and trace

(U) Intrusions into DOE systems include intrusion activity at Los Alamos National Laboratory (LANL), Sandia National Laboratory (SNL), Lawrence Livermore National Laboratory (LLNL) and Brookhaven National Laboratory. DOE's Computer Incident Advisory Capability (CIAC) has been active in this incident. Activity on DOE systems has been confined to unclassified networks in
On 12/12/1998, the Metropolitan Police in London, England installed a new [Referral/Consult]

(U) On 1/8/1999, Deputy Assistant Director (DAD) Michael A. Vatis and Section Chief Kenneth M. Geide briefed Dr. Hamre, updating him regarding captioned matter. [Referral/Consult]

(U) As of 1/13/1999, the intruder(s) continued to attempt and in some instance succeeded in intruding into Department of Defense (DOD) computer systems. The intruder(s) continues to mainly operate Monday through Friday during European business hours. Notably, the intruder(s) was active on 12/25/1998, a weekday, but was not active on 1/7-8/1999, both weekdays and Orthodox Christmas holidays in Russia.

On 1/13/1999, DAD Vatis hosted a meeting with senior representatives from the agencies involved in captioned matter as victims and/or investigators. The principals who attended the meeting were:

Major General John Campbell, Commander, JTF-CND, DOD
Ms. Sheila Dryden, Principal Director for Security and Information Operations, Office of ann [Referral/Consult]
Mr. Edward Curran, Director, Office of Counterintelligence, DOE
Ms. Roberta Gross, Inspector General, NASA

The purpose of this meeting was to brief the status of captioned matter and to discuss next steps. The attendees were advised: [Referral/Consult]

- that the NIPC is coordinating the investigation and analysis of with full participation by DOD, DOE, NASA, Department of Justice [redacted]
- that numerous FBI field offices are investigating this matter, collecting evidence, primarily transnational data, from the ever expanding number of victims
- that the NIPC Cyber Emergency Support Team (CEST) is providing technical assistance to victim sites and field offices and is conducting the technical analysis of the transnational logs obtained from the victim sites [Referral/Consult]
- that the NIPC is working with Army and Navy to determine the feasibility and desirability for setting up an electronic honeypot to assist in attributing the intrusions
- that the NIPC was considering making contact to request assistance in resolving this investigation [Referral/Consult]

(U) On 1/16/1999, investigation determined that an account belonging to [redacted] During an interview of by his supervisor on 1/22/1999, he admitted to illicitly downloading files his wife's account on stated that he did not know tha when he signed onto the it account to obtain a copy of the hacker tools IP address of where the tools were located Once signed 0 ate th followed the intruder's path in an effort to locate the tools as being monitored Ionlv had the system unable to locate the tools in a specific directory subsequently began searching the intruder's directories for files and downloaded three (3) files to his machine in Ellicott City, Maryland. FBI Baltimore executed a search warrant at residence, seizing five computers, two of which were owned by employer. The systems are being examined by the Computer Analysis and Response Team (CART), Laboratory Division.

(U) On 1/18/1999, the NIPC was notified from the victimized regarding a compromise at the Brookhaven National Laboratory located in Long Island, New York. Also compromised the same day was an Army network located in Vicksburg, Mississippi. The compromise was of a super computing center containing Cray and supercomputers. The Army CID is determining the damage to the supercomputers.

site in London [Referral/Consult]

(U) On 2/25/1999, the FBI briefed captioned matter to key staff members of the House Permanent Select Committee or Intelligence and the Senate Select Committee for Intelligence. Representatives from and DOD's Joint Task Force - Computer Network Defense (CND) also participated in these briefings.

(U) requested to be told, without compromising the investigation, what is going on. asked: Is Weldon exaggerating? How do the recent attacks differ from what has happened so far? Weldon says the 'electronic Pearl Harbor' of which Hamre spoke last year has gone from if to when and
the 'when' is today. would like to speak to somebody at the Pentagon on the record about this.

(U) On 2/25/1999 and again on 2/26/1999, [redacted] attempted to telephonically contact Douglas G. Perritt, Deputy Director, NIPC, in an effort to obtain omment regarding comments attributed to Representative Weldon. Perritt has not responded telephone calls.

(U) On 3/1/1999, Defense Week published an article, "Hamre to Hill 'We're in a Cyberwar'", a copy of which is attached, concerning Dr. Hamre's testimony. The article does not mention the Russian connection but otherwise captures the gist of Dr. Hamre's testimony. [Referral/Consult]

(U) On 3/4/1999, ABC News and the web site aired a story, "Target Pentagon Cyber Attack Mounted Through Russia". This report apparently stems from the earlier report on 3/1/1999 by Defense Week concerning Deputy Secretary of Defense John Hamre's testimony on before the House National Security Committee and the Research and Development Sub Committee. Other related articles which have also been posted on the web are: "Currently Under Cyber Attack", posted by AntiOnline on 3/4/1999; "Pentagon and Hackers in Cyberwar", posted by on 3/4/1999; "Pentagon hackers traced to Russia", posted by CNNInteractive on 3/5/1999; "Pentagon 'at war' with computer hackers", posted by CNNInteractive on 3/5/1999; and "Electronic Desert Storm", posted by AntiOnline on 3/5/1999. The New York Times and New York Times Online also posted two articles, "Computer Hackers are Stopped" and "Hacker 'Attacks' On Pentagon May Be More Like Espionage", posted 3/5/1999 and 3/8/1999 respectively, regarding this investigation. A copy of these articles are attached to this note. Reports of information attributed to interviews of Representative Curt Weldon, Chairman, House National Security Committee, and Deputy Secretary of Defense Hamre have also been aired periodically on CNN Headline News since 3/5/1999.

The ABC story reported that the Pentagon's military computer systems are being subjected to ongoing, sophisticated and
organized cyber attacks. And unlike in past attacks by teenage hackers, officials believe the latest series of strikes at defense networks may be a concerted and coordinated effort coming from abroad. Until Friday, the Defense Department had not publicly acknowledged this latest cyber war. But in an interview with ABCNEWS, Deputy Secretary of Defense Hamre, who oversees all Pentagon computer security matters, confirmed the attacks have occurred over the last several months and called them 'a major concern.' The ABCNEWS article noted that this is an ongoing law enforcement and intelligence matter. Officials believe some of the most sophisticated attacks are coming from Russia. Federal investigators are detecting probes and attacks on US military research and technology systems, including the nuclear weapons laboratories run by the Department of Energy.

(U) The 3/8/1999 New York Times article stated that in recent weeks Government officials involved with defense have described a new kind of 'cyberwar' being fought on the Internet, with unknown hackers unleashing relentless assaults on military computers. This article noted that some computer security experts stress that, while the hacker activity that the House heard about is a potential threat, calling it an attack could be an overstatement. This article also noted that the Pentagon has said that, as is the case with the vast majority of hacking attempts, the recent probes did not result in the penetration of any computers storing sensitive information. Representative Weldon is quoted as stating: We know of banks who've had their firewalls broken and money transferred out, and they're not going to talk about it. Representative Weldon noted that the private sector needs to cooperate more with the government in this area.

(U) In light of the press coverage, the consensus among the participating agencies was that we had no real choice but to go directly to with a request for assistance to investigate selected intrusion activity captured during
this investigation. The NIPC, working with the Department of Justice and other Federal Investigative Agencies I 11 7 The MMCG described below prepared an operations plan which was subsequently approved

Referral/Consult

(U) In spite of the ABC story on 3/4/1999, intrusions continued. On 3/5/1999, between 0228 and 0906 Eastern Standard Time (EST), there were two intrusions into LLNL, one intrusion into Lawrence Berkeley Laboratory (LBL) and one intrusion into Argonne National Laboratory, passing through Jefferson County Library. These intrusions are consistent with other intrusions associated with These intrusions are significant in that they occurred well after the national press releases regarding the

(U) On 3/1/1999, the MMCG was established to strengthen the focus and assessment of the intrusion activities related to this investigation. The MMCG is composed of forty personnel from the following law enforcement, intelligence and Computer Emergency Response Teams (CERT) organizations: JTF-CND; DISA; Department of Justice (DOJ); Department of Energy (DOE); National Aeronautical and Space Administration (NASA); Air Force Office of Special Investigations (AFOSI); Naval Criminal Investigative Service (NCIS); Defense Criminal Investigative Service (DCIS); US Army Criminal Investigative Division (USACID); US Army Military Intelligence (USAMI); Defense Intelligence Agency (DIA); Referral/Consult; Air Force Information Warfare Center (AFIWC); Navy CERT; Army CERT; H1251 Baltimore; Eurasian Section, National Security Division; and the NIPC.

On 4/2/1999, a team from the MMCG deployed to Moscow, Russia to work 307 this matter. The team returned to Washington DC on 4/10/1999. Prior to departure the team Referral/Consult Managers I Concurrence the investigative teams travel have been obtained from the FBI International Relations Branch (IRB), Legat Moscow and US Ambassador Collins.

(U) I will keep you apprised of significant developments regarding this matter.

NOT APPROPRIATE FOR 0 THE PUBLIC

SECRET NOFORN
W-lCI-Elitl' (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription: 3/22/99

Investigation on 3/12/99 at Mawr, PA. File #: Date dictated: 3/18/99. By SA

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

FD-302 (Rev. 10-6-95)

Date of transcription: 3/22/99

pen register

Investigation on 3/12/99, Haverford, PA. File #: 2884 1 68562. By SA. Date dictated: 3/18/99.

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 05/07/1999
To: National Security, Attn: Room 11887, SSA
Moscow, Attn: Leg 1 Ala
From: Cincinnati, Contact: SI
Approved By:
Drafted By:
Case ID: Pending
Title: MOONLIGHT MAZE
Enclosures: pen registers

Details: For the information of Legat Moscow and by way of brief background, captioned matter is a code name involving unauthorized intrusions into sundry military, governmental, educational and other computer network systems throughout the United States, United Kingdom, Canada and Europe. The National Infrastructure Protection Center (NIPC), located at FBIHQ, is coordinating these investigations with FBI Field Offices with pending Field investigations and with investigators from other U.S. Government Agencies.

To: National Security From: Cincinnati Re: 05/07/1999

The unauthorized computer intrusions were initially discovered at Wright Patterson Air Force Base (WPAFB), Dayton, Ohio and the Army
Research Laboratory (ARL), Maryland. With respect to the Cincinnati Division's investigation of captioned matter, the intrusions into WPAFB went through the University of Cincinnati (UC), Cincinnati, Ohio 21 33 I A th racists and tran and b7E I 1 r2 pl m b a Referral/Consult investigators were briefed on details of the intrusions and were requested to assist in determining the origin of the intrusions.

To: National Security From: Cincinnati Re: 05/07/1999

is cs 999999 Leqat 99999 Mos-co w wi-s 777777 rerqu st i s6

To: National Security From: Cincinnati 05/07/1999

LEAD(s):

Set Lead 1:

MOSCOW AT MOSCOW, RUSSIA

Cincinnati respectfully requests that Legat Moscow follow up on SA case summary presentation of captioned matter. Enclosed computer evidence logs are for the benefit of Legat Moscow 1 records ffJis to be sent to the Cincinnati Division for proper dissemination and storage. Legat Moscow is requested to obtain ff EEf r assist in their investigation ET t5 4 ox x1 CEO Original evidence procured tm B 3 Copies of all should be directed to the NIPC Unit and the Cincinnati Division. Cincinnati appreciates Legat Moscow's assistance in this matter.

File No. 288-CI-68562

Embassy of the United States
Office of the Legal Attache
United States Embassy
Moscow, Russia

10 June 1999

Attn:

RE: Attacks on U.S. Computer Networks

Dear

During the visit of our investigators to in April 1999, your officers were briefed about additional intrusions into the computer network at Wright Patterson Air Force Base. We request that we be provided with copies of the computer logs.

Sincerely yours,

Legal Attache
By: Assistant Legal Attache

(01/26/1998)

SECRET NOFORN

Precedence: PRIORITY
Date: 07/08/1999
To: Criminal Investigative, Attn: SSE
National Security, Attn: NIPC, SSA
Baltimore
cinna
From: Moscow, Contact:
Approved By:
Drafted By:
Case ID: (U) Pending; (U) Pending; (U) Pending
Title: (U) MOONLIGHT
MAZE

Synopsis: Use of information in referenced EC.

Reference: (U) Serial 56

Referenced EC from Moscow dated 6/28/99 re or sults of interviews with personnel concerning captioned matter. On 7/8/99, Legat Moscow received a fax requesting how that information could be used and reported b D I Referenced communication was classified in keeping with other communications received from FBIHQ. Obviously, dissemination should be in accordance with that classification and the

To: Criminal Investigative From: Moscow Re: (U) 07/08/1999

LEAD(s):

Set Lead 1: (Adm)

ALL RECEIVING OFFICES

(U) Read and clear.

SECRET NOFORN

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 10/06/1999
To: All Field Offices, Attn: SAC
National Security, Attn: SSA, Room 11719
From: Newark, Contact:
Approved By:
Drafted By:
Case ID: Pending
Title: MELISSA IMPAIRMENT INFO AKA

Synopsis: To request all field offices to gather and report damages to victims infected by the Melissa Macro Virus.

Details: For information of receiving offices, the Newark Division is requesting the assistance of all field offices in identifying and reporting damages caused by the Melissa Macro Virus to corporations, organizations and agencies, including federal, state and local government, in their respective territories. The following is a summary of investigative activities and developments pertaining to the ongoing investigation of the MMV.

On 3/26/99, the MMV was proliferated on an America Online network news server through a posting to the alt.sex newsgroup a stolen AOL account belonging to the screen name posting contained a file document called list.doc names of alleged cracked pornographic websites An attachment to the posting contained The newsgroup called list.zip which contained a The list.doc document contained the MMV. The MMV infected those using Microsoft Windows and Microsoft Word, Outlook and Outlook Express. MMV was coded to users email address book send an infected
document to the first 50 addresses in each. The compounding effect of MMV proliferation caused many email servers throughout the U.S. and rest of the world to crash. Systems administrators and Information Technology personnel scrambled to mitigate the effects of MMV on their systems.

To: All Field Offices From: Newark Re: 288AHNK-99660, 10/06/1999

On 4/1/99, the Newark Division and the New Jerse Dn'l'imn TJH r rh 'T'n 'h'nnlogy Crime Unit arrested pursuant to a state of New Jersey warrant obtained Monmouth County Superior Court Judge was charged with second degree offenses of interruption of public communication, conspiracy to commit the offense and attempt to commit the offense, third degree theft of computer service and third degree damage or wrongful access to computer systems, relating to the propagation of the computer macro virus known as 'MELISSA'. Earlier that evening, prior to the arrest of the Newark the NJSP exe New Jersey search warrant at residence.

The initial information leading to the arrest and execution of search warrants came from America Online Inc., Dulles, contacted the State of New Jersey Attorney General's Office with lead information with respect to MELISSA. The State Attorney General's Office enlisted the NJSP High Technology Crime Unit, who in turn enlisted the assistance of the Newark FBI NIPC squad.

warrants at 136 b7C I On 4/16/99, Newark and the NJSP seized from 14 back up cartridges and other computer evidence fro

The District of New Jersey U.S. Attorney's Office and the Attorney General's Office for the state of New Jersey anticipate returning simultaneous indictments on or about October 31, 1999. To aid the prosecution, it has been requested that Newark obtain detailed victim information relating to damages caused by the Melissa Macro Virus. This information is critical to the prosecution of captioned subject(s).

Questions regarding this communication should be directed to SA Newark Division's NIPC Squad at
Franklin Township RA, telephone

To: All Field Offices From: Newark Re: 10/06/1999

LEAD(s):

Set Lead 1:

ALL RECEIVING OFFICES

Newark requests all field offices to identify victim corporations, organizations and agencies, including federal, state and local government, in their respective territories infected by the Melissa Macro Virus. Newark recognizes that this is an inherently difficult task and asks field offices to utilize liaison contacts, including those developed through the Key Asset and InfraGard Programs, where applicable. Field divisions are also asked to identify and follow up on any complaints previously received relating to MMV and report those instances to Newark. If necessary, Federal Grand Jury subpoenas will be made available when requested.

Victims should report, in dollars, their best calculation of the damages caused by MMV. Victims may be asked to verify their reported damages in federal court. Information requested should detail the nature and extent of damages caused by MMV, including but not limited to the following areas: email servers, desktop computers and other computer hardware affected; computer system downtime; personnel time, including overtime for corrective action; lost productivity; lost contracts and missed business opportunities; diminished profits; consulting expenses; infrastructure costs; lost customers; and sensitive data leakage.

Set Lead:

NATIONAL SECURITY AT WASHINGTON, DC

Read and clear.

(Mount Clipping in Space Below)

Submitting Office: Cincinnati

RUSSIAN HACKERS MAY HAVE PULLED OFF WHAT COULD BE THE MOST DAMAGING BREACH EVER OF COMPUTER SECURITY

BY GREGORY VISTICA

BEING CALLED Moonlight Maze, an appropriately name for one of the most potentially damaging breaches of American computer security ever, serious enough
for the Department of Defense to order all of its civilian and military employees to change their computer passwords by last month, the first time this precaution has ever been taken en masse. The suspects: crack cyberspooks from the Russian Academy of Sciences, a government supported organization that interacts with Russia's top military labs. The targets: computer systems at the Departments of Defense and Energy, military contractors and leading civilian universities. The haul: vast quantities of data that, intelligence sources familiar with the case tell NEWSWEEK, could include classified naval codes and information on missile guidance systems. This was, Pentagon officials say flatly, a state-sponsored Russian intelligence effort to get us technology. As far as is known, the first such attempt ever by Russia. Washington has not yet protested to Moscow. But Deputy Secretary of Defense John Hamre, who has briefed congressional committees on the investigation, has told colleagues: We're in the middle of a cyberwar.

In a cyberwar, the offensive force picks the battlefield, and the other side may not even realize when it's under attack. Defense Department officials believe the intrusions, which they describe as sophisticated, patient and persistent, began at a low level of access in January. Security sleuths spotted them almost immediately and back hacked the source to computers in Russia. Soon, though, the attackers developed new tools that allowed them to enter undetected, although they sometimes left electronic traces that could be reconstructed later. Intelligence sources say the perpetrators even gained root level access to some systems, a depth usually restricted to a few administrators. After that, we're not certain where they went, says GOP Rep. Curt Weldon, who has held classified hearings on Moonlight Maze.

As a federal interagency task force begins its damage assessment, a key question is whether the Russians managed to jump from the unclassified, although non-public, systems where they made their initial penetration into the classified Defense Department network that contains the most sensitive data. Administration officials insist the firewalls between the networks would have prevented any such intrusion, but other sources aren't so sure. Besides, one intelligence official admitted, classified data often lurk in unclassified databases. With enough time and computer power, the Russians could sift through their mountains of pilfered information and deduce those secrets they didn't directly steal. That's one more thing to worry about, although security officials admit that they have a more pressing concern. The intruders haven't been spotted on the network since May 14. Have they given up their efforts, or burrowed so deeply into the network that they can no longer even be traced?

NEWSWEEK, SEPTEMBER 20, 1999

896 1240 P 01 JAN-05439 TUE 17112 HAVERFORD COLLEGE N05'92 54450

Haverford College
370 Lancaster Avenue, Haverford, PA 19041-1392
Fax: 610 895-1240

Date Sent: I IS IQ gal
Pages: 4% (Including this page)

OTHER: Sealed Court Doc

SECRET NOFORN

Chinese hackers to enter the country's security systems. We have set up a round-the-clock monitor system and installed various security programs and firewalls to keep the Chinese Communists from trying to disrupt our networks, said Chang Chia-sheng, the defense ministry's cyber information head. The military and security networks are independent, with no links to the Internet, making it difficult for Chinese hackers to sabotage, Chang said. Taiwan's security authorities have discovered more than 7,000 recent attempts by Chinese hackers to enter the island's security and military systems through Internet Web sites, Chang said.
Military - NTR

US SECTOR INFORMATION

Banking and Finance - (U) 7 March: Although some reports seem to indicate that online banking is not having the acceptance once predicted for this online service, a recently released report to an Independent Community Bankers of America conference by Grant Thornton LLP, a major accounting and management consulting firm, states that community banks recognize the need to use the Internet to serve and retain customers. In an interview with Linda Garvelink director of marketing for financial services at Grant Thornton defined community banks as those which are focused on their local communities, are independent in attitude and direction, and generally have assets under $10 billion. The banks participating in the survey have average assets for 1999 of $195 million, and nearly two-thirds are privately held. The Grant Thornton survey found that by the end of 2000, 78 percent of community banks will have a Web site, a substantial increase from the 55 percent that had Web sites at the end of 1999.

Telecommunications - NTR
Electric Power - NTR
Transportation - NTR
Gas Oil Storage Distribution - NTR
Water Supply - NTR
Emergency Services - NTR
Government Service - NTR

SECTION - INTRUSION INCIDENT REPORTING

LAW ENFORCEMENT SENSITIVE: Information in this Section is for FBI use, controlled by the originator, and not to be disseminated without the written approval of the NIPC.

- NTR

SECTION - CLASSIFIED

JTF-CND 7 March: JTF-CND J2 assesses that the series of intrusions investigated as Moonlight Maze is more than likely a manifestation

SECRET NOFORN

Document Attributes ECFVAOMO 11 19 27
Orig Office: DG
Responses:
Document Type: EC
Text:
Document Date: 07 06
NATIONAL SECURITY
From: NATIONAL SECURITY
Case ID: Serial: 111
Topic: TO REQUEST SECTION CHIEFS APPROVAL OF THE OPERATIONS
Author:
Approver:
Ref Case ID: Serial:
Class Level: SN Authority: Duration: SCI: Rule 6(e): Caveats:
Secure Doc: Command: F1 Help F3 Exit F4 Prompt F6 Multv F142List F16 NextDoc

(Rev. 10-01-1999)

Precedence: ROUTINE
Date: 03/28/2000
To: Cincinnati, Attn: ECT
From: Cincinnati, Squad 4, Contact:
Approved By:
Drafted By:
Case ID #: Pending Inactive
Title: MOONLIGHT MAZE

Synopsis: Explanation for tardiness of evidence returned to the CI Division's evidence storage room beyond the ten day rule.

Details: For information of the file, pursuant to a review of all pending CI Division cases with evidence collected, instant communication addresses the reason for collected evidence returned to the CI Division's evidence storage room beyond the ten day rule.

A review of the Chain of Custody (FD-192) reveals that the collected evidence was returned to the United States Air Force Office of Special Investigations (AFOSI) upon learning that the CI FBI Division did not have the capability to duplicate working copies of computer data disks and cartridges. As a result, the collected evidence was furnished to AFOSI and was sent to a computer laboratory in Washington, D.C. for analysis prior to its return to the CI FBI Field Office for proper storage.

The aforementioned response unequivocally explains the short delay in returning collected evidence to the CI Division's storage room was a

Electric Power - ransgortation - Telecommunications - NTR
Banking and Finance NTR
Gas Oil Storage Distribution - NTR
Water Supply - NTR
Emergency Services NTR
Government Service - NTR

SECTION - INTRUSION INCIDENT REPORTING

LAW ENFORCEMENT SENSITIVE: Information in this Section is for FBI use, controlled by the originator, and not to be disseminated without the written approval of the NIPC.

SECRET NOFORN

FD-542 (Rev. 11-02-1999)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 10/10/2000
To: Cincinnati
From: Cincinnati, Squad 4, Contact: SA
Approved By:
Drafted By:
Case ID #: 288A-CI-68562 Pending Inactive
Title: MOONLIGHT MAZE

Claiming statistical accomplishments concerning captioned matter.

Details: During the course of captioned investigation, which was initiated at the CI Division commencing in the summer of 1998 and extending up and through the years 1999 and 2000, several statistical accomplishments were earned. It was not until the introduction of the new FD-542 form that these accomplishments could be highlighted and claimed as statistical accomplishments. Statistical accomplishments claimed are as follows:

2. Initiation of NonuDA Joint Operation Investigation (stat previously claimed, Serial 27)
5. Eleven (11) NIPCIP 2703(f) Orders obtained
6. Two (2) NIPCIP 2703(f) Orders served at UC and WSU
7. Pen Register Trap and Trace
8. One (1) NIPCIP Foreign Source IP Address Identified
9. One (1) NIPCIP Subject Identified Non-US Person
10. One (1) NIPCIP Subject Tool Exploit Malicious Code Identified
11. Ten (10) or more Positive Intelligence Reported Disseminated to U.S. Intelligence community

To: Cincinnati From: Cincinnati Re: 10/10/2000

Accomplishment Information:

Number: 11. Type: ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 2. Type: l I ITU 0 OT ER. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 11. Type: NIPCIP 2703(f) ORDER SERVED. ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 2. Type: NIPCIP PEN REGISTER TRAP AND TRACE SERVED. ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 1. Type: NIPCIP FOREIGN SOURCE IP ADDRESS IDENTIFIED. ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 1. Type: NIPCIP SUBJECT IDENTIFIED. ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 1. Type: NIPCIP SUBJECT CODE IDENTIFIED. ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4
Number: 10. Type: POSITIVE INTELLIGENCE DISSEMINATED OUTSIDE FBI. ITU: LIAISON WITH OTHER AGENCY. ITU: NIPCIP. Claimed By: SSN: Name: Squad: 4

FD-542 (Rev. 11-02-1999)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 03/01/2001
To: Cincinnati
From: Philadelphia - Newtown Square Resident Agency, Contact: SA
Approved By:
Drafted By:
Case ID: Pending; SUB Pending
Title: MOONLIGHT MAZE

Synopsis: Report statistical accomplishments.

Details: Pen Register Trap and Trace

To: Cincinnati From: Philadelphia Re: 03/01/2001

Accomplishment Information:

Number: 1. Type: ITU: Claimed By: SSN: Name: Squad: NSRA
Number: 1. Type: NIPCIP PEN REGISTER TRAP AND TRACE SERVED. ITU: NIPCIP. Claimed By: SSN: Name: Squad: NSRA

To: Cincinnati From: Philadelphia Re: 288A-CI-68562, 03/01/2001

Set Lead 1: (Adm)

CINCINNATI

Read and clear.

cc: SSA

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 01/09/2008
To: Cincinnati, Attn: Attn:
From: Cincinnati, Squad 13, Contact:
Approved By:
Drafted By:
Case ID: Pending
Title: AIR FORCE INSTITUTE OF TECHNOLOGY; MOONLIGHT MAZE

Synopsis: To reassign case.

Per SSA, this case is being reassigned to SA for the purposes of disposing of pending evidence.

To: Cincinnati From: Cincinnati Re: 01/09/2008

Set Lead 1: (Action)

CINCINNATI AT CINCINNATI, OH

Please coordinate with ECT of all pending 1B's to properly dispose

Set Lead 2: (Info)

CINCINNATI AT CINCINNATI, OH

Read and clear.

The following investigation was conducted by Special Agent on January 10, 2008 at Cincinnati, Ohio:

The investigating Agent spoke telephonically with Task Force Officer United States Air Force Office of Special Investigations, concerning the disposal of evidence associated with the above case number. TFO reported that she
would confer with her evidence handling personnel to determine proper steps for the disposition of this evidence.

DERIVED FROM: FBI Classification Guide dated 1/97, Foreign CounterIntelligence Investigations

SECRET

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.

DERIVED FROM: FBI Classification Guide dated 1/97, Foreign CounterIntelligence Investigations

(CI) (FBI)
From: (CI) (FBI)
Sent: '08 11:38 AM
To: (FBI)
Subject: RE: Evidence Checks

SENSITIVE BUT UNCLASSIFIED
NON-RECORD

01-75935 - Do not Close SA
01-75975 - Do Not Close - SA
Do Not Close - SA has 15 hard drives and one DVR remaining in this case
has 2 1B items remaining paper CPU
has 22 items remaining in this case
Do Not Close SA has four 1Bs that contain CPU, CD, paper items, index cards
CI-73956 - Do Not Close SA this case requires an EC to destroy 1B 3 4 cd 5-cds 8 9 10 1B 1 2 4 5-camera 6 7
CI-68562 - Do Not Close SA just had this case reassigned to him to dispose of the evidence
Okay to Close - SA has taken care of all the evidence in this case

If you have any other questions please email me.

Thanks for checking

(CI) (FBI)

SENSITIVE BUT UNCLASSIFIED

28, 2008 10:07 AM

Can you please check the following cases for pending evidence:

196E-CI-75935
305B-CI-75975
3050-01-75438

Thanks

SST - Cincinnati, Squad 13
Desk
Fax - 519-8 246 0 367

Be more concerned with your character than with your reputation, because your character is what you really are, while your reputation is merely what others think you are. John Wooden

SENSITIVE BUT UNCLASSIFIED

(Rev. 06-04-2007)
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 02/05/2008
To: Cincinnati, Attn: Evidence Custodian; ASAC
From: Cincinnati, Squad 13, Contact: SA
Approved By:
Drafted By:
Case ID: 288A-CI-68562
Title: MOONLIGHT

Synopsis: To order destruction of stored evidence.

Details: Following discussions with Air Force Office of Special Investigations Special Agent in which Division no objections were lodged, and consultation with Chief Counsel Michael Brooks, evidence items 1B1 through 1B16 inclusive are ordered destroyed. These items consist of documentation and computer disks related to the instant case. All have been in storage since before the turn of the century.

To: Cincinnati From: Cincinnati Re: 02/05/2008

Set Lead 1: (Action)

CINCINNATI AT OH

Evidence Custodian should destroy the evidence items described above.

(Rev. 06-04-2007)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 02/22/2008
To: Cincinnati
From: Cincinnati, Squad 13, Contact: SA
Approved By:
Drafted By:
Case ID: Pending
Title: MOONLIGHT

Synopsis: To close case.

Reference: Serial 120

Details: Per the referenced Serial, all evidence collected during this investigation has been destroyed. All investigative activity is complete and this case should be closed.

FEDERAL BUREAU OF INVESTIGATION
FOIPA DELETED PAGE INFORMATION SHEET

No Duplication Fees are charged for Deleted Page Information Sheet(s).

Total Deleted Page(s): 102