SECRET/NOFORN

April 15, 1999

Director Freeh

RE: (U) [redacted]

RECENT DEVELOPMENTS

(U) On 4/2/1999, the Moonlight Maze Coordination Group (MMCG) deployed a team to Moscow, Russia. The team consisted of the case agent from FBI Baltimore, a language specialist from FBI San Francisco, a supervisory special agent from FBIHQ, a representative from NASA and two representatives from Air Force Office of Special Investigations.

The MMCG team discussed the details of the intrusions previously identified by the MMCG. The MMCG briefed several investigators on the details of the case and requested assistance to determine the origin of the intrusions. The team discussed connection data from five computer intrusions involving systems from the Army, Navy, NASA and a commercial Internet Service Provider (ISP). [redacted] investigators to each ISP. The MMCG team traveled with [redacted]. The two other [redacted] teams determined that [redacted] had gone bankrupt and merged

(U) [redacted] provided the team with a memorandum, of which a transcribed copy is attached to this note, which explained that they would present the evidence to the Prosecutor's Office for a decision about opening a criminal case.

(U) The MMCG returned from Moscow on 4/10/1999. On 4/15/1999, ALAT [redacted] contacted [redacted] to obtain an update on their investigation. [redacted] During the week of [redacted] have advised the Legat that they will provide him with the intruder(s) identity after they brief [redacted] replacement and obtain his approval.

Deputy Assistant Director is scheduled to meet with the NIPC's Interagency Senior Coordinating Group on Monday, 4/19/1999, to update them on the activities and obtain information from the intelligence community about any recent intelligence collection concerning this matter.

BACKGROUND

(U) [redacted] is the code name for a number of investigations of intrusions into various military, governmental, educational and other computer systems in the United States, United Kingdom, Canada, Brazil and Germany. Field investigations are being
conducted by the Albuquerque, Baltimore, Cincinnati, Jackson, New Orleans and Springfield Divisions as Offices of Origin and the Atlanta, Boston, Charlotte, Detroit, Indianapolis, Jacksonville, Knoxville, Mobile, New York, Pittsburgh, Salt Lake City, San Francisco and Washington Field Divisions as Lead Offices. The National Infrastructure Protection Center (NIPC) is coordinating these investigations with investigators from the Air Force Office of Special Investigations, Army, Naval Criminal Investigative Service, Defense Criminal Investigative Service, National Aeronautics and Space Administration, Department of Energy, as well as [redacted]. NIPC is also coordinating internationally. The NIPC has ensured that Legats London, Moscow and Ottawa are advised of the investigation in their respective territory.

(U) These investigations were initiated when intrusions were discovered at Wright Patterson Air Force Base (WPAFB), Ohio and the Army Research Laboratory (ARL), Maryland and other unclassified military systems, as well as various governmental, commercial and educational computer systems in the United States.

(U) The intruder(s) into WPAFB went through the University of Cincinnati, Cincinnati, Ohio. [redacted] A pen register and trap and trace [redacted]

(U) Intrusions into DOE systems include intrusion activity at Los Alamos National Laboratory (LANL), Sandia National Laboratory (SNL), Lawrence Livermore National Laboratory (LLNL) and Brookhaven National Laboratory. DOE's Computer Incident Advisory Capability (CIAC) has been active in this incident. Activity on DOE systems has been confined to unclassified networks.

On 12/12/1998, the Metropolitan Police in London, England installed a new [redacted]

(U) On 1/8/1999, Deputy Assistant Director (DAD) Michael A. Vatis and Section Chief Kenneth M. Geide briefed Dr. Hamre, updating him regarding captioned matter.

[illegible] 1999, the intruder(s) continued to attempt and in some instances succeeded in intruding into Department of Defense (DOD) computer systems. The intruder(s)
continues to mainly operate Monday through Friday during European business hours. Notably, the intruder(s) was active on 12/25/1998, a weekday, but was not active on 1/7-8/1999, both weekdays and Orthodox Christmas holidays in Russia.

On 1/13/1999, DAD Vatis hosted a meeting with senior representatives from the agencies involved in captioned matter as victims and/or investigators. The principals who attended the meeting were:

- Major General John Campbell, Commander, JTF-CND, DOD
- Ms. Sheila Dryden, Principal Director for Security and Information Operations, Office of the Secretary of Defense, DOD
- Mr. Edward Curran, Director, Office of Counterintelligence, DOE
- Ms. Roberta Gross, Inspector General, NASA

The purpose of this meeting was to brief the status of captioned matter and to discuss next steps. The attendees were advised:

- that the NIPC is coordinating the investigation and analysis of [redacted] with full participation by DOD [redacted] Justice
- that numerous FBI field offices are investigating this matter, collecting evidence, primarily transnational data, from the ever expanding number of victims
- that the NIPC Cyber Emergency Support Team (CEST) is providing technical assistance to victim sites and field offices and is conducting the technical analysis of the transnational logs obtained from the victim sites
- that the NIPC is working with Army and Navy to determine the feasibility and desirability for setting up an electronic honeypot to assist in attributing the intrusions
- that the NIPC was considering making contact to request assistance in resolving this investigation

DAD Vatis then sought the views of the agencies on the next steps in order to reach a collective decision where possible and to determine where any disagreements lie. The attendees responded positively to the status briefing. There was unanimity among the attendees [illegible] pursue the criminal investigation of captioned matter, especially collecting and analyzing computer log information obtained by
court order from the numerous victims, revealing the intruder(s) activities, methodologies and targets. The attendees also agreed that the NIPC should coordinate the development of a passive honeypot(s) at Army and/or Navy victim sites that may assist in providing identifying information about the intruder (his Internet Protocol address, the operating system running on his machine, etc.). The group discussed the technical feasibility and conditions for creating a second honeypot(s) containing a beacon file. This technique involves planting computer source code in a file that executes when retrieved by the intruder, performing search activities in the intruder's computer and sending the results of the search to the investigators. The group agreed that more information is required before this investigative step can be taken. The NIPC will coordinate the development and execution of such a step as appropriate.

(U) On 1/16/1999, investigation determined that an account belonging to [redacted]. During an interview of [redacted] by his supervisor on 1/22/1999, [redacted] admitted to illicitly downloading files from [redacted] using his wife's account on 1/15/1999. [redacted] stated that he did not know that [redacted] was being monitored when he signed onto [redacted] account to obtain a copy of the hack tools. [redacted] only had the IP address of where the tools were located. Once signed onto the system, [redacted] followed the intruder(s) path in an effort to locate the tools. [redacted], unable to locate the tools in a specific directory, subsequently began searching the intruder(s) directories for files and downloaded three files to his machine in Ellicott City, Maryland. FBI Baltimore executed a search warrant at [redacted] residence, seizing five computers, two of which were owned by [redacted] employer. The systems are being examined by the Computer Analysis and Response Team (CART), Laboratory Division.

(U) On 1/18/1999, the NIPC was notified from the victimized site in London regarding a compromise at the Brookhaven National Laboratory located in Long Island, New York. Also compromised the same day was an Army network located in Vicksburg, Mississippi.
The compromise was of a super computing center containing Cray and supercomputers. The Army CID is determining the damage to the supercomputers.

(U) On 2/25/1999, the FBI briefed captioned matter to key staff members of the House Permanent Select Committee for Intelligence and the Senate Select Committee for Intelligence. Representatives from DOD's Joint Task Force - Computer Network Defense (CND) also participated in these briefings.

(U) [redacted] requested to be told, without compromising the investigation, what is going on. [redacted] asked: Is Weldon exaggerating? How do the recent attacks differ from what has happened so far? Weldon says the 'electronic Pearl Harbor' of which Hamre spoke last year has gone from if to when, and the when is today. [redacted] would like to speak to somebody at the Pentagon on the record about this.

(U) On 2/25/1999 and again on 2/26/1999, [redacted] attempted to telephonically contact Douglas G. Perritt, Deputy Director, NIPC, in an effort to obtain comment regarding comments attributed to Representative Weldon. Perritt has not responded to telephone calls.

(U) On 3/1/1999, Defense Week published an article, "Hamre to Hill 'We're in a Cyberwar'", a copy of which is attached, concerning Dr. Hamre's testimony. The article does not mention the Russian connection but otherwise captures the gist of Dr. Hamre's testimony.

(U) On 3/4/1999, ABC News and the web site aired a story, "Target Pentagon Cyber-Attack Mounted Through Russia". This report apparently stems from the earlier report on 3/1/1999 by Defense Week concerning Deputy Secretary of Defense John Hamre's testimony on [illegible] before the House National Security Committee and the Research and Development Sub Committee. Other related articles which have also been posted on the web are "Currently Under Cyber Attack", posted by AntiOnline on 3/4/1999; "Pentagon and Hackers in 'Cyberwar'", posted by [illegible] on 3/4/1999; "Pentagon hackers traced to Russia", posted by CNNInteractive on 3/5/1999; "Pentagon 'at war' with computer hackers", posted
by CNNInteractive on 3/5/1999; and "Electronic Desert Storm", posted by AntiOnline on 3/5/1999. The New York Times and New York Times Online also posted two articles, "Computer Hackers are Stopped" and "Hacker 'Attacks' On Pentagon May Be More Like Espionage", posted 3/5/1999 and 3/8/1999 respectively, regarding this investigation. A copy of these articles is attached to this note. Reports of information attributed to interviews of Representative Curt Weldon, Chairman, House National Security Committee, and Deputy Secretary of Defense Hamre have also been aired periodically on CNN Headline News since 3/5/1999.

The ABC story reported that the Pentagon's military computer systems are being subjected to ongoing, sophisticated and organized cyber attacks. And unlike in past attacks by teenage hackers, officials believe the latest series of strikes at defense networks may be a concerted and coordinated effort coming from abroad. Until Friday, the Defense Department had not publicly acknowledged this latest cyber war. But in an interview with ABCNEWS, Deputy Secretary of Defense Hamre, who oversees all Pentagon computer security matters, confirmed the attacks have occurred over the last several months and called them 'a major concern.' The ABCNEWS article noted that this is an ongoing law enforcement and intelligence matter. Officials believe some of the most sophisticated attacks are coming from Russia. Federal investigators are detecting probes and attacks on US military research and technology systems -- including the nuclear weapons laboratories run by the Department of Energy.

(U) The 3/8/1999 New York Times article stated that In recent weeks, Government officials involved with defense have described a new kind of 'cyberwar' being fought on the Internet, with unknown hackers unleashing relentless assaults on military computers. This article noted that some computer security experts stress that while the hacker activity [illegible] that article also noted that The Pentagon has said that, as is the case with
the vast majority of hacking attempts, the recent probes did not result in the penetration of any computers storing sensitive information. Representative Weldon is quoted as stating: We know of banks who've had their fire walls broken and money transferred out, and they're not going to talk about it. Representative Weldon noted that the private sector needs to cooperate more with the government in this area.

(U) In light of the press coverage, the consensus among the participating agencies was that we had no real choice but to go directly to [redacted] with a request for assistance to investigate selected intrusion activity captured during this investigation. The NIPC, working with the Department of Justice and other Federal Investigative Agencies [illegible] the House heard about is a potential threat, calling it an attack could be an overstatement [illegible] The MMCG (below) prepared an operations plan which was subsequently approved [redacted]

(U) In spite of the ABC story on 3/4/1999, intrusions continued. On 3/5/1999, between 0228 and 0906 Eastern Standard Time (EST), there were two intrusions into LLNL, one intrusion into Lawrence Berkeley Laboratory (LBL) and one intrusion into Argonne National Laboratory, passing through Jefferson County Library [redacted]. These intrusions are consistent with other intrusions associated with [redacted]. These intrusions are significant in that they occurred well after the national press releases regarding the

On 3/1/1999, the MMCG was established to strengthen the focus and assessment of the intrusion activities related to this investigation. The MMCG is composed of forty personnel from the following law enforcement, intelligence and Computer Emergency Response Teams (CERT) organizations: DOE, National Aeronautical and Space Administration (NASA), Air Force Office of Special Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), Defense Criminal Investigative Service (DCIS), US Army Criminal Investigative Division (USACID), US Army Military Intelligence (USAMI), Defense Intelligence Agency
(DIA), [redacted], FBI Baltimore, Eurasian Section, National Security Division and the NIPC.

On 4/2/1999, a team from the MMCG deployed to Moscow, Russia to work this matter. The team returned to Washington, DC on 4/10/1999. Prior to departure, the team received security briefings from FBIHQ security personnel and NSD Russian Program Managers. Concurrence regarding the investigative team's travel has been obtained from the FBI's International Relations Branch (IRB), Legat Moscow and U.S. Ambassador Collins.

(U) I will keep you apprised of significant developments regarding this matter.

Air Force Information Warfare Center (AFIWC), Navy CERT, Army CERT

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037
Phone: 202-994-7000, Fax: 202-994-7005, nsarchiv@gwu.edu