SECRET/NOFORN

April 15, 1999

RE: (U) [redacted]

RECENT DEVELOPMENTS

(U) On 4/2/1999, the Moonlight Maze Coordination Group (MMCG) deployed a team to Moscow, Russia. The team consisted of the case agent from FBI Baltimore, a language specialist from FBI San Francisco, a supervisory special agent from FBIHQ, a representative from NASA, and two representatives from Air Force Office of Special Investigations.

(U) The MMCG team discussed the details of the intrusions previously identified by the MMCG. The MMCG briefed several investigators on the details of the case and requested assistance to determine the origin of the intrusions. The team discussed connection data from five computer intrusions involving systems from the Army, Navy, NASA, and a commercial Internet Service Provider (ISP). [redacted] assigned a team of investigators to each ISP. The MMCG team traveled with [redacted]. The two other teams determined that [redacted] had gone bankrupt and merged [redacted].

(U) [redacted] provided the team with a memorandum, of which a transcribed copy is attached to this note, which explained that they would present the evidence to the Prosecutor's Office for a decision about opening a criminal case.

(U) The MMCG returned from Moscow on 4/10/1999. On 4/15/1999, [redacted] contacted [redacted] to obtain an update on their investigation. During the week of [redacted] have advised the Legat that they will provide him with the intruder's identity after they brief [redacted] replacement and obtain his approval.

Deputy Assistant Director [illegible] is scheduled to meet with the NIPC's Interagency Senior Coordinating Group on Monday, 4/19/1999, to update them on the MMCG's activities and obtain information from the intelligence community about any recent intelligence collection concerning this matter.

BACKGROUND

(U) [redacted] is the code name for a number of investigations of intrusions into various military, governmental, educational, and other computer systems in the United States, United Kingdom, Canada, Brazil, and Germany. Field investigations are being conducted by the Albuquerque, Baltimore, Cincinnati, Jackson, New Orleans, and Springfield Divisions as Offices of Origin, and the Atlanta, Boston, Charlotte, Detroit, Indianapolis, Jacksonville, Knoxville, Mobile, New York, Pittsburgh, Salt Lake City, San Francisco, and Washington Field Divisions as Lead Offices. The National Infrastructure Protection Center (NIPC) is coordinating these investigations with investigators from the Air Force Office of Special Investigations, Army, Naval Criminal Investigative Service, Defense Criminal Investigative Service, National Aeronautics and Space Administration, Department of Energy, [Referral/Consult] as well as the [redacted]. The NIPC is also coordinating internationally [redacted]. The NIPC has ensured that Legats London, Moscow, and Ottawa are advised of the investigation in their respective territory.

(U) These investigations were initiated when intrusions were discovered at Wright Patterson Air Force Base (WPAFB), Ohio, and the Army Research Laboratory (ARL), Maryland, and other unclassified military systems, as well as various governmental, commercial, and educational computer systems in the United States.

(U) The intruder(s) into WPAFB went through the University of Cincinnati, Cincinnati, Ohio. [redacted] A pen register and trap and trace [redacted]

(U) Intrusions into DOE systems include intrusion activity at Los Alamos National Laboratory (LANL), Sandia National Laboratory (SNL), Lawrence Livermore National Laboratory (LLNL), and Brookhaven National Laboratory. DOE's Computer Incident Advisory Capability (CIAC) has been active in this incident. Activity on DOE systems has been confined to unclassified networks.

On 12/12/1998, the Metropolitan Police in London, England, installed a new [Referral/Consult]

(U) On 1/8/1999, Deputy Assistant Director (DAD) Michael A. Vatis and Section Chief Kenneth M. Geide briefed Dr. Hamre, updating him regarding captioned matter. [Referral/Consult]

(U) As of 1/13/1999, the intruder(s) continued to attempt, and in some instances succeeded in, intruding into Department of Defense (DOD) computer systems. The intruder(s) continues to mainly operate Monday through Friday during European business hours. Notably, the intruder(s) was active on 12/25/1998, a weekday, but was not active on 1/7-8/1999, both weekdays and Orthodox Christmas holidays in Russia.

On 1/13/1999, DAD Vatis hosted a meeting with senior representatives from the agencies involved in captioned matter as victims and/or investigators. The principals who attended the meeting were:

Major General John Campbell, Commander, JTF-CND, DOD
Ms. Sheila Dryden, Principal Director for Security and Information Operations, Office of [illegible]
[Referral/Consult]
Mr. Edward Curran, Director, Office of Counterintelligence, DOE
Ms. Roberta Gross, Inspector General, NASA

The purpose of this meeting was to brief the status of captioned matter and to discuss next steps. The attendees were advised: [Referral/Consult]

• that the NIPC is coordinating the investigation and analysis of [redacted] with full participation by DOD, DOE, NASA, Department of Justice;
• that numerous FBI field offices are investigating this matter, collecting evidence, primarily transnational data, from the ever expanding number of victims;
• that the NIPC Cyber Emergency Support Team (CEST) is providing technical assistance to victim sites and field offices and is conducting the technical analysis of the transnational logs obtained from the victim sites; [Referral/Consult]
• that the NIPC is working with Army and Navy to determine the feasibility and desirability for setting up an electronic honeypot to assist in attributing the intrusions;
• that the NIPC was considering making contact [redacted] to request assistance in resolving this investigation. [Referral/Consult]

(U) On 1/16/1999, investigation determined that an account belonging to [redacted]. During an interview of [redacted] by his supervisor on 1/22/1999, he admitted to illicitly downloading files [redacted] his wife's account on [redacted]. [redacted] stated that he did not know that [redacted] was being monitored when he signed onto the [illegible] account to obtain a copy of the hacker tools. [redacted] only had the IP address of the system where the tools were located. Once signed on [illegible], [redacted] followed the intruder's path in an effort to locate the tools. Unable to locate the tools in a specific directory, [redacted] subsequently began searching the intruder's directories for files and downloaded three files to his machine in Ellicott City, Maryland. FBI Baltimore executed a search warrant at [redacted] residence, seizing five computers, two of which were owned by [redacted] employer. The systems are being examined by the Computer Analysis and Response Team (CART), Laboratory Division.

(U) On 1/18/1999, the NIPC was notified from the victimized [illegible] regarding a compromise at the Brookhaven National Laboratory located in Long Island, New York. Also compromised the same day was an Army network located in Vicksburg, Mississippi. The compromise was of a super computing center containing Cray and [illegible] supercomputers. The Army CID is determining the damage to the supercomputers. [redacted] site in London. [Referral/Consult]

(U) On 2/25/1999, the FBI briefed captioned matter to key staff members of the House Permanent Select Committee on Intelligence and the Senate Select Committee for Intelligence. Representatives from [redacted] and DOD's Joint Task Force - Computer Network Defense (CND) also participated in these briefings.

(U) [redacted] requested to be told, without compromising the investigation, what is going on. [redacted] asked, "Is Weldon exaggerating? How do the recent attacks differ from what has happened so far? Weldon says the 'electronic Pearl Harbor' of which Hamre spoke last year has gone from if to when, and the 'when' is today." [redacted] would like to speak to somebody at the Pentagon on the record about this.

(U) On 2/25/1999 and again on 2/26/1999, [redacted] attempted to telephonically contact Douglas G. Perritt, Deputy Director, NIPC, in an effort to obtain comment regarding comments attributed to Representative Weldon. Perritt has not responded to [redacted] telephone calls.

(U) On 3/1/1999, Defense Week published an article, "Hamre to Hill: 'We're in a Cyberwar'," a copy of which is attached, concerning Dr. Hamre's testimony. The article does not mention the Russian connection but otherwise captures the gist of Dr. Hamre's testimony. [Referral/Consult]

(U) On 3/4/1999, ABC News and the web site aired a story, "Target Pentagon Cyber Attack Mounted Through Russia." This report apparently stems from the earlier report on 3/1/1999 by Defense Week concerning Deputy Secretary of Defense John Hamre's testimony on [illegible] before the House National Security Committee and the Research and Development Sub Committee. Other related articles which have also been posted on the web are "Currently Under Cyber Attack," posted by AntiOnline on 3/4/1999; "Pentagon and Hackers in 'Cyberwar'," posted by [illegible] on 3/4/1999; "Pentagon hackers traced to Russia," posted by CNNInteractive on 3/5/1999; "Pentagon 'at war' with computer hackers," posted by CNNInteractive on 3/5/1999; and "Electronic Desert Storm," posted by AntiOnline on 3/5/1999. The New York Times and New York Times Online also posted two articles, "Computer Hackers are Stopped" and "Hacker 'Attacks' On Pentagon May Be More Like Espionage," posted 3/5/1999 and 3/8/1999 respectively, regarding this investigation. A copy of these articles is attached to this note. Reports of information attributed to interviews of Representative Curt Weldon, Chairman, House National Security Committee, and Deputy Secretary of Defense Hamre have also been aired periodically on CNN Headline News since 3/5/1999.

The ABC story reported that the Pentagon's military computer systems are being subjected to ongoing, sophisticated and organized cyber attacks. And unlike in past attacks by teenage hackers, officials believe the latest series of strikes at defense networks may be a concerted and coordinated effort coming from abroad. Until Friday, the Defense Department had not publicly acknowledged this latest cyber war. But in an interview with ABCNEWS, Deputy Secretary of Defense Hamre, who oversees all Pentagon computer security matters, confirmed the attacks have occurred over the last several months and called them 'a major concern.' The ABCNEWS article noted that this is an ongoing law enforcement and intelligence matter. Officials believe some of the most sophisticated attacks are coming from Russia. Federal investigators are detecting probes and attacks on US military research and technology systems, including the nuclear weapons laboratories run by the Department of Energy.

(U) The 3/8/1999 New York Times article stated that "In recent weeks, Government officials involved with defense have described a new kind of 'cyberwar' being fought on the Internet, with unknown hackers unleashing relentless assaults on military computers." This article noted that some computer security experts stress that while the hacker activity that the House heard about is a potential threat, calling it an attack could be an overstatement. This article also noted that "The Pentagon has said that, as is the case with the vast majority of hacking attempts, the recent probes did not result in the penetration of any computers storing sensitive information." Representative Weldon is quoted as stating, "We know of banks who've had their firewalls broken and money transferred out and they're not going to talk about it." Representative Weldon noted that the private sector needs to cooperate more with the government in this area.

(U) In light of the press coverage, the consensus among the participating agencies was that we had no real choice but to go directly to [redacted] with a request for assistance to investigate selected intrusion activity captured during this investigation. The NIPC, working with the Department of Justice and other Federal Investigative Agencies [redacted]. The MMCG (described below) prepared an operations plan which was subsequently approved [redacted]. [Referral/Consult]

(U) In spite of the ABC story on 3/4/1999, intrusions continued. On 3/5/1999, between 0228 and 0906 Eastern Standard Time (EST), there were two intrusions into LLNL, one intrusion into Lawrence Berkeley Laboratory (LBL), and one intrusion into Argonne National Laboratory passing through Jefferson County Library. [redacted] These intrusions are consistent with other intrusions associated with [redacted]. These intrusions are significant in that they occurred well after the national press releases regarding the [redacted].

(U) On 3/1/1999, the MMCG was established to strengthen the focus and assessment of the intrusion activities related to this investigation. The MMCG is composed of forty personnel from the following law enforcement, intelligence, and Computer Emergency Response Teams (CERT) organizations: JTF-CND, DISA, Department of Justice (DOJ), Department of Energy (DOE), National Aeronautical and Space Administration (NASA), Air Force Office of Special Investigations (AFOSI), Naval Criminal Investigative Service (NCIS), Defense Criminal Investigative Service (DCIS), US Army Criminal Investigative Division (USACID), US Army Military Intelligence (USAMI), Defense Intelligence Agency (DIA), [Referral/Consult], Air Force Information Warfare Center (AFIWC), Navy CERT, Army CERT, [illegible] Baltimore, Eurasian Section, National Security Division, and the NIPC.

On 4/2/1999, a team from the MMCG deployed to Moscow, Russia, to work this matter. The team returned to Washington, DC on 4/10/1999. Prior to departure the team [Referral/Consult] [redacted] Managers [redacted]. Concurrence [illegible] the investigative team's travel have been obtained from the FBI International Relations Branch (IRB), Legat Moscow, and US Ambassador Collins.

(U) I will keep you apprised of significant developments regarding this matter.

NOT APPROPRIATE FOR [illegible] THE PUBLIC