US DoJ arrests four men - charges them in connection with $100m worth of hacking IP losses

Third-party vendor route for hackers grants access to US government, Microsoft and games manufacturers.


Four men - aged between 18 and 28 - have been charged in the US with breaking into the computer systems of Microsoft, the US Army and several leading games manufacturers.

According to the Department of Justice, which brought the charges against the men, they were part of an alleged international hacking ring that netted more than US$ 100 million (£62 million) in intellectual property.

The DoJ says that the four men are alleged to have stolen Xbox technology, along with Apache helicopter training software and pre-release copies of games such as Call of Duty: Modern Warfare 3. Two of the men have pleaded guilty to the charges.

SCMagazineUK.com understands that one of the men - aged 22 - is from Canada, whilst the rest are from the US.

According to indictments from the DoJ, the men gained unauthorised access to the computer networks of Microsoft and several of its partners between January 2011 and March 2014, stealing source code, technical specifications and other information. The four men also used the intellectual property they had stolen to try to build a counterfeit version of the Xbox console before its formal release.

After the men hacked into the networks of Zombie Studios, a Seattle-based video game developer contracted by the US Army to make the training software, they then used the stolen data to access other systems.

Sarb Sembhi, a director with Storm Guidance, said there are a number of gaps in the information that the DoJ has released to the media, including a lack of detail as to how the figure of US$ 100 million in intellectual property losses has been arrived at.

"If anything, I'd say what we've seen so far about this case is sensationalist. You also have to ask, if the men were first detected back at the start of 2011, why the authorities - and the owners of the systems concerned - allowed the hacking to continue until March of this year. This doesn't make any sense," he said.

Sembhi, who is a leading light with ISACA, the not-for-profit IT security association, went on to say that the case highlights the challenges of securing intellectual property on Internet-facing computer systems.

"This is particularly true in this case, as the alleged hackers appear to have used information from one system to gain access to other systems. This shows that, where security is involved, you need to identify who your partners are, and what information could potentially be misused from one system, on another computer system, and lock down that information," he explained.

Nature of hackers

Professor John Walker, CTO of Cytelligence, said he was also baffled as to how the DoJ arrived at its US$ 100 million losses figure.

"The nature of hackers leads me to believe that they did not destroy or damage the hardware. This is standard practice amongst hackers. Then there is the issue that all data tends to be backed up, so the data almost certainly didn't go missing," he said.

Professor Walker, who is also a visiting professor with the School of Computing and Informatics of Nottingham Trent University, added that, apart from the potential lost revenue from pirated software, the only other material losses that spring to mind are the costs of investigation.

"It's very difficult to see how these two sets of figures would add up to US$ 100 million. There is no real way that everyone who downloads a piece of pirated software would have purchased that software at retail price. For this reason, I think the US$ 100 million losses and damages is a figure that has been plucked from the air," he explained.

Fran Howarth, a senior security analyst with Bloor Research, said that, whilst US$ 100 million is a big round figure, after looking at the economics of the industries involved, it is probably closer to reality than you might think.

"However, that 'value' only becomes a value firstly if the hackers are able to do anything with it and secondly if either Microsoft or the US Army are actually deprived of the income. That does not seem to be the case here," she said.

"Perhaps the biggest takeaway for me is that this is another example of a so-called supply chain attack, similar to that of Target, where credentials of its HVAC suppliers were stolen. This shows me that neither Microsoft, nor the US Army is doing enough to address third-party vendor risk," she added.