The United States District Court in New Jersey is accusing British citizen Lauri Love, and others not named, of conspiring to access and illegally accessing various government and military networks. The purpose of these attacks, prosecutors said, was to steal vast stores of personally identifiable and other non-public information and to disrupt the operations and infrastructure of U.S. government networks.
Love and co-conspirators are accused of seeking out vulnerabilities in government and military networks with automated vulnerability scanning tools and exploiting those bugs in order to access their victims' systems at the time and to implant backdoors permitting access in the future. They allegedly stole personally identifiable information (PII) belonging to military service members and current and former government employees, causing millions of dollars in damages, according to an indictment acquired by SC Magazine.
In Internet Relay Chat logs acquired by investigators, Love – allegedly operating under the handle “peace” – notes that these vulnerabilities could be leveraged to acquire “real confidential [stuff].”
Victims of the alleged conspiracy include the U.S. Army, Environmental Protection Agency (EPA), NASA, Engineer Research and Development Center (ERDC), Plans and Analysis Integration Office (PAIO), Strategic Studies Institute (SSI), Army Network Enterprise Technology Command (NETCOM), Army Contract Command (ACC), Missile Defense Agency (MDA), and Federal Facilities Environmental Stewardship and Compliance Assistance Center (FedCenter).
Love’s attack methods are said to have included SQL injection attacks, targeting vulnerabilities in Adobe’s ColdFusion development platform, and infecting victim machines with backdoor malware designed to provide indefinite access to sensitive networks. Prosecutors claim that Love shared the vulnerabilities he found, his attack methods, and methods for exfiltrating and making sense of stolen data with his co-conspirators so they too could perform similar attacks and steal data.
IRC logs included in the indictment appear to demonstrate that Love’s actions were malicious and deliberate.
“[Co-conspirator two], you have no idea how much we can [mess] with the U.S. government if we wanted to,” Love is alleged to have said. “This … stuff is really sensitive.”
Love would go on to claim that the information is “…basically every piece of information you’d need to do full identity theft on any employee or contractor for the [redacted government agency].”
According to prosecutors, the accused also used their IRC channel to coordinate the promotion of their attacks and the data they stole via various social networks, including Twitter.
In an attempt to cover their tracks, the alleged conspirators routed their traffic through proxy servers and further anonymized themselves using the Tor network. Prosecutors claim that the accused also attempted to shield themselves from investigators by communicating on secure IRC channels and using multiple handles, all of which appears to have been evident in the IRC logs.
Specifically, Love and his alleged conspirators are accused of exploiting a ColdFusion vulnerability in order to access ERDC servers and steal a password property file there, which they then allegedly used to determine the server’s administrative password and view sensitive information.
In the NETCOM attack, prosecutors say Love and company deployed a SQL injection attack that resulted in the theft of PII from thousands of military personnel stationed at the Fort Monmouth, New Jersey military installation.
In the ACC attack, the accused conspirators allegedly accessed competitive acquisition and other related information after launching a SQL injection attack. They are said to have taken natural resource management and other sensitive information from an Army Corps server by deploying a similar attack and exploiting ColdFusion vulnerabilities. Prosecutors claimed they again used ColdFusion bugs to compromise PAIO servers and steal budgetary information stored there and to install malware on ERDC, USMDA, FedCenter, NASA and SSI servers.