Not Even the DoD is Secure!
Information security concerns are a constant in the environment of both individual users and corporate systems, affecting consumers, businesses, government units, and many others. The level of security also varies with the data and information involved: the more sensitive the data, the greater the level of security applied to it and to its location. Governmental units exist across the nation, from the local municipality to the state police department to units at the federal level. One unit which garners significant attention from across the world is the Department of Defense (DoD). In 2014, the DoD had a significant issue with a compromised system. The targeted system was the military’s communication system. The attacker was a 25-year-old from the UK (Cluley, 2017; Kumar, 2017). He was charged and pled guilty to successfully compromising the communication system (Cimpanu, 2017) through unauthorized access (Arghire, 2017).
People are not going to attack a system other than their own unless they have authorized access or, in the alternative, the prize after a successful attack is well worth the time, energy, effort, and risk. With these activities, the penalties, if the person is processed through the judicial system, tend to be rather harsh at this time. In this instance, the attacker exfiltrated DoD personnel’s ranks, user names, phone numbers, and email addresses (Cluley, 2017) for 800 users, along with information on over 30,000 phones (Paganini, 2017; Page, 2017; Kumar, 2017; Arghire, 2017; Franceschi-Bicchierai, 2017). This also included the IMEI numbers for the DoD satellite phones (Cimpanu, 2017). This information on its own is valuable and could be sold for profit.
The target was the communication system the DoD used with their satellite phones. The attacker compromised the Enhanced Mobile Satellite Service network used by the DoD (Cluley, 2017). When attacking the DoD, it would be prudent to attempt to evade capture. In a vain attempt to throw law enforcement off his trail, the attacker used the pseudonym “ISIS Freedom Fighters”.
The details of the attack methodology are rather scant. Generally there is at least a hint from some source of how an attack was accomplished. The US government has also refused to state how the attackers were successful (Kumar, 2017). Granted, this is the better avenue to follow for national security; however, once the issue with the system has been fixed, the concern over disclosure would be largely resolved. The attack occurred on June 15, 2014. The attacker was arrested in March 2015 (Cimpanu, 2017; Paganini, 2017).
With any potential breach, the attackers would need to document the exfiltration in some form; otherwise, they could simply be boasting. In this case the attackers posted a screenshot as evidence of the act (Cluley, 2017). This was sufficient evidence for third parties to know this had indeed occurred.
Not the Smartest Moves
When a person attacks another system without being authorized and contracted to do so, generally there is a significant and concerted effort to not get caught. Being arrested after a compromise is clearly not the optimal situation. In this case, the attacker took the alternative to this much more sage avenue: his efforts to conceal his identity were not significant. He did not use any anonymity service, for example a proxy or VPN (Cluley, 2017; Kumar, 2017). He completed the attack from his home. The third strike was that the exfiltrated data was still on his computer (Kumar, 2017; Page, 2017). The authorities used the attacker’s home IP address to easily locate him and arrest him (Kumar, 2017).
As noted, the DoD has not released how the attack was accomplished. This is understood due to the nature of the data held on their servers. The DoD did note, however, that the issue was remediated. Beyond the successful attack and the fair amount of data exfiltrated, the remediation was not inexpensive (Cluley, 2017; Kumar, 2017; Paganini, 2017). The fix cost approximately $628k (Cimpanu, 2017; Page, 2017; Uchill, 2017; Franceschi-Bicchierai, 2017).
References
Arghire, I. (2017, June 16). Hacker admits stealing satellite data from DoD. Retrieved from http://www.securityweek.com/hacker-admits-stealing-satellite-data-dod/
Cimpanu, C. (2017, June 16). British hacker used home internet connection to hack the DoD in 2014. Retrieved from https://www.bleepingcomputer.com/news/security/british-hacker-used-home-internet-connection-to-hack-the-dod-in-2014/
Cluley, G. (2017, June 16). British hacker admits stealing satellite data from US Department of Defense. Retrieved from https://www.welivesecurity.com/2017/06/16/british-hacker-admits-stealing-satellite-data-us-department-defense/
Franceschi-Bicchierai, L. (2017, June 15). British hacker pleads guilty to hacking US military satellite phone and messaging system. Retrieved from https://motherboard.vice.com/en_us/article/british-hacker-pleads-guilty-to-hacking-us-military-satellite-phone-and-messaging-system
Kumar, M. (2017, June 15). 25-year-old hacker pleads guilty to hacking U.S. military satellite phone system. Retrieved from http://thehackernews.com/2017/06/british-hacker-military-system.html
Paganini, P. (2017, June 17). The British hacker Sean Caffrey, 25, from Sutton Coldfield pleaded guilty to stealing satellite data from US Department of Defense (DoD). Retrieved from http://securityaffairs.com/wordpress/60158/data-breach/hacker-admitted-dod-hack.html
Page, C. (2017, June 16). Birmingham hacker fesses up to DoD satellite network attack. Retrieved from https://www.theinquirer.net/inquirer/news/302112/birmingham-hacker-fesses-up-to-dod-satellite-network-attack
Uchill, J. (2017, June 15). British hacker admits to accessing US military satellite system. Retrieved from http://thehill.com/busines-a-lobbying/337981-english-hacker-pleads-guilty-to-swiping-accounts-for-us-dod-satellite
About the Author - Charles Parker, II has been working in the information security field for over a decade, performing penetration tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and information security policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.