
A Short and Shortsighted History of Hacks: Part 1 – The Desert Storm/Desert Shield Attacks

A few days ago I discovered a Web posting with a fascinating title, “A short history of hacks,” on the Computerworld site. A nicely written piece, it covered events such as the Morris and ILoveYou worms, as well as the distributed denial of service attacks in February, 2000 that ended up being so costly for companies such as ZDnet, Amazon, e-trade and eBay. Amazingly, however, this history did not mention two of the most dramatic and severe series of cyber attacks that have ever occurred, the Operation Desert Storm/Desert Shield attacks against the US military in 1990 and 1991 and the widespread Internet sniffer attacks between 1994 and 1996 (to be covered in my next blog entry).

The Operation Desert Storm/Desert Shield attacks occurred at a time when the Internet was still very young and not all that widely used. You may recall that soon after the Morris Worm struck in 1988, the US Department of Defense (DoD) split the Arpanet into two separate networks, the NSFnet (later to be called “the Internet”) and the Milnet. The DoD’s motivation was to protect the military’s main unclassified network from events such as widespread worm infections originating from the public network. At the time, the NSFnet and the Milnet were only two of a number of wide area networks used for long haul communications. Among the other networks that existed at the time were NASA’s SPAN network, IBM’s BITnet, and the Department of Energy’s ESnet. The DoD did not want to totally isolate the Milnet, however. Accordingly, gateway machines that enabled traffic to get to and from networks such as ESnet were put in place. What the DoD did not anticipate was the possibility that attackers might be able to gain unauthorized access to hosts in other networks and then go right through the gateways to gain unauthorized access to Milnet hosts.

The first indications of the widespread break-ins into Milnet hosts were from log entries in Department of Energy (DoE) machines. The attackers broke into DoE machines using what now seems like very rudimentary attack methods, including password guessing (or sometimes even using null passwords), exploiting a VMS vulnerability in the SYSMAN utility, exploiting trust relationships between hosts, and a few others. Once they gained access to a host, they often already had super-user privileges, but if they did not, they exploited other vulnerabilities to take complete control of the victim systems. They then installed back doors. By breaking into hosts at DoE sites such as Los Alamos National Laboratory, Lawrence Livermore National Laboratory, Fermi National Laboratory, Sandia National Laboratory, and Brookhaven National Laboratory, the attackers had more than enough springboards from which they could launch attacks against Milnet hosts at military centers such as US Navy Headquarters, the Pacific Fleet Command, Rome Air Force Base, Kelly Air Force Base, the Pentagon, and many more, which they did successfully day after day for well over a year.

Once the attackers broke into DoD hosts, they used commands such as grep in Unix systems to discover files that contained the information they desired: information about military equipment, weapons systems, troop and warship movements (especially in connection with Operations Desert Storm and Desert Shield) and much more—they often even searched for “nuclear!” The attackers stole so much information that they quickly filled the hard drives of their own machines. They then resorted to downloading huge amounts of information onto systems at the University of Chicago and Bowling Green University.

Incident response was a very new function when these attacks occurred. The DoE’s Computer Incident Advisory Capability (CIAC) first noticed the attacks and reported them to officials at both DoE and DoD. CERT/CC also received reports of attacks with similar patterns from Internet users. At one point the DoD, DoE, U.S. Navy’s incident response team, the National Security Agency, the US State Department, the National Institute of Standards and Technology (NIST), the Central Intelligence Agency, the Air Force Office of Special Investigations, Army Intelligence, the Federal Bureau of Investigation, CIAC and CERT/CC were involved. Cooperation and coordination were extremely difficult to obtain, but despite many obstacles (most of them political and bureaucratic in nature), these entities managed to conduct reasonably successful investigation efforts.

The gang of attackers was led by a rather harsh ringleader who taught his understudies how to hack into systems in return for his receiving the information they were able to glean. I knew the names of all the principal attackers, and because of a successful CIAC effort to tap their electronic talk sessions, I even learned where they lived at the time. The attacks, which originated from the Netherlands, were ostensibly financially motivated. The ringleader wanted to find a buyer for the information, but to the best of my knowledge he was never successful in doing so. The State Department pressed the Netherlands to charge the identified individuals, but this country declined to do so on the basis that at the time, breaking into systems was not against Dutch law. To at least some degree, however, justice was served—the ringleader reportedly ended up going to prison for credit card fraud.

The news of the attacks did not reach the public until John Markoff of the New York Times published a front page story describing the attacks in the fall of 1990. How he pieced together the bits and pieces of information that he had amassed was simply amazing. Additionally, about the same time ABC News ran a lead story about the attacks. Later, NIST had me publish an unclassified account of the attacks.

In all, little changed as a result of the attacks. The DoD and DoE did not really improve their cyber security, nor did US legislators propose or pass any national legislation that required better security within the government. As you undoubtedly know, cyber security within the government has improved somewhat over time, but it still has a long way to go. If powers-that-be within the US government had taken the lessons learned from the Desert Storm/Desert Shield attacks more seriously, however, the government would without question be way ahead of where it is now.
