A 28-year-old man, described by US federal prosecutors as a “sophisticated and prolific computer hacker,” was arrested in Suffolk and has been indicted for the alleged hacking of US Army and other government-run databases.
On Monday, Lauri Love was charged for his suspected involvement in breaching “thousands of computer systems in the United States and elsewhere” between October 2012 and this month in order to steal sensitive government data and personally identifiable information (PII), a release from the New Jersey US Attorney's Office said.
Love, who was arrested by the National Crime Agency (NCA) on Friday at his Stradishall home, has been charged under the Computer Misuse Act (CMA), which allows individuals to be arrested for launching attacks from within the UK against computers anywhere in the world. He could also face up to 20 years in prison if convicted of the charges brought against him in New Jersey and Virginia. Andy Archibald, Head of the NCA's NCCU, said: “This arrest is the culmination of close joint working by the NCA, Police Scotland and our international partners,” adding that, “no matter where in the world you commit cyber crime, even from remote places, you can and will be identified and held accountable for your actions.”
Prior to his arrest, Love had been charged in a Newark federal court with one count of accessing a government computer without authorization and one count of conspiring to do so, according to an indictment unsealed on Monday.
That same day, a complaint filed against Love in a federal court in Virginia was unsealed. In Virginia, Love was charged with conspiracy to access and damage the protected computers of multiple US government agencies.
According to the indictment unsealed in New Jersey, "the data stolen from the government victims include PII of military servicemen and servicewomen and current and former employees of the federal government," which resulted in millions of dollars in damages.
Over the past year, Love allegedly exploited vulnerabilities in Adobe ColdFusion and carried out SQL injection attacks to hack government databases with unnamed co-conspirators in Australia and Sweden. After gaining access to the targeted networks, the group allegedly planted malware on government systems, which allowed them to maintain backdoor access to the compromised networks, court documents said.
Using the ColdFusion and SQL injection attack methods, the group is accused of stealing data from a long list of US Army systems and other agencies and organisations, which include the US Department of Defence's Missile Defence Agency, the National Aeronautics and Space Administration (NASA) and the Environmental Protection Agency (EPA).
In a press release, the New Jersey US Attorney's Office published a summary of the alleged intrusions, listing them in order of occurrence – including the organisation affected, the type of attack used and what kind of data was stolen as a result of each hack.
In addition to PII stored on the affected databases, information such as defence programme budgeting data and other sensitive military information was believed to have been accessed.
Love has been released on bail until February 2014.
“Security has long revolved around firewalls and other traditional defences, however, hackers have far surpassed the sophistication of these standard defences. Once successfully inside a corporate network, criminals are able to access and steal valuable and sensitive information, and as seen in this case, can plant back doors to enable access to these systems at a later date. Organisations need to take steps to proactively lock down their network, whilst also altering their mindset to the fact that it's not a question of ‘if’, but rather, ‘when’ they will be hacked,” comments David Higgins, professional services manager for UK & Ireland at CyberArk, adding:
“Top of mind for organisations must be the defence of privileged accounts and credentials. Routine monitoring, managing and policy creation around all internal privileged access and activity is a necessity and will limit the vast damage that can be caused by attackers. Ultimately the onus is on organisations to continually re-evaluate the security in place around these internal privileges in order to ensure that they are doing enough to protect what matters most.”