A BusinessWeek probe of rising attacks on America's most sensitive computer networks uncovers startling security gaps
The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network.
The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the message traveled through Korea on its way to Booz Allen. Its authors knew enough about the "sender" and "recipient" to craft a message unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China's Yangtze River.
The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cyber security incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private targets like Booz Allen are just as vulnerable and pose just as much potential security risk. "They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom says. Cyber attackers "are not denying, disrupting, or destroying operations—yet. But that doesn't mean they don't have the capability."
When the deluge began in 2006, officials scurried to come up with software "patches," "wraps," and other bits of triage. The effort got serious last summer when top military brass discreetly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a "threat briefing." BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars, and establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cyber security "Manhattan Project."
But many security experts worry the Internet has become too unwieldy to be tamed. New exploits appear every day, each seemingly more sophisticated than the previous one. The Defense Dept., whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, is beginning to think it created a monster. "You don't need an Army, a Navy, an Air Force to beat the U.S.," says General William T. Lord, commander of the Air Force Cyber Command, a unit formed in November, 2006, to upgrade Air Force computer defenses. "You can be a peer force for the price of the PC on my desk." Military officials have long believed that "it's cheaper, and we kill stuff faster, when we use the Internet to enable high-tech warfare," says a top adviser to the U.S. military on the overhaul of its computer security strategy. "Now they're saying, Oh, shit.'"
Adding to Washington's anxiety, current and former U.S. government officials say many of the new attackers are trained professionals backed by foreign governments. "The new breed of threat that has evolved is nation-state-sponsored stuff," says Amit Yoran, a former director of Homeland Security's National Cyber Security Div. Adds one of the nation's most senior military officers: "We've got to figure out how to get at it before our regrets exceed our ability to react."
The military and intelligence communities have alleged that the People's Republic of China is the U.S.'s biggest cyber menace. "In the past year, numerous computer networks around the world, including those owned by the U.S. government, were subject to intrusions that appear to have originated within the PRC," reads the Pentagon's annual report to Congress on Chinese military power, released on Mar. 3. The preamble of Bush's Cyber Initiative focuses attention on China as well.
Wang Baodong, a spokesman for the Chinese government at its embassy in Washington, says "anti-China forces" are behind the allegations. Assertions by U.S. officials and others of cyber intrusions sponsored or encouraged by China are unwarranted, he wrote in an Apr. 9 e-mail response to questions from BusinessWeek. "The Chinese government always opposes and forbids any cyber crimes including hacking' that undermine the security of computer networks," says Wang. China itself, he adds, is a victim, "frequently intruded and attacked by hackers from certain countries."
Because the Web allows digital spies and thieves to mask their identities, conceal their physical locations, and bounce malicious code to and fro, it's frequently impossible to pinpoint specific attackers. Network security professionals call this digital masquerade ball "the attribution problem."
A CREDIBLE MESSAGE
In written responses to questions from BusinessWeek, officials in the office of National Intelligence Director J. Michael McConnell, a leading proponent of boosting government cyber security, would not comment "on specific code-word programs" such as Byzantine Foothold, nor on "specific intrusions or possible victims." But the department says that "computer intrusions have been successful against a wide range of government and corporate networks across the critical infrastructure and defense industrial base." The White House declined to address the contents of the Cyber Initiative, citing its classified nature.
The e-mail aimed at Booz Allen, obtained by BusinessWeek and traced back to an Internet address in China, paints a vivid picture of the alarming new capabilities of America's cyber enemies. On Sept. 5, 2007, at 08:22:21 Eastern time, an e-mail message appeared to be sent to John F. "Jack" Mulhern, vice-president for international military assistance programs at Booz Allen. In the high-tech world of weapons sales, Mulhern's specialty, the e-mail looked authentic enough. "Integrate U.S., Russian, and Indian weapons and avionics," the e-mail noted, describing the Indian government's expectations for its fighter jets. "Source code given to India for indigenous computer upgrade capability." Such lingo could easily be understood by Mulhern. The 62-year-old former U.S. Naval officer and 33-year veteran of Booz Allen's military consulting business is an expert in helping to sell U.S. weapons to foreign governments.
The e-mail was more convincing because of its apparent sender: Stephen J. Moree, a civilian who works for a group that reports to the office of Air Force Secretary Michael W. Wynne. Among its duties, Moree's unit evaluates the security of selling U.S. military aircraft to other countries. There would be little reason to suspect anything seriously amiss in Moree's passing along the highly technical document with "India MRCA Request for Proposal" in the subject line. The Indian government had just released the request a week earlier, on Aug. 28, and the language in the e-mail closely tracked the request. Making the message appear more credible still: It referred to upcoming Air Force communiqués and a "Teaming Meeting" to discuss the deal.
But the missive from Moree to Jack Mulhern was a fake. An analysis of the e-mail's path and attachment, conducted for BusinessWeek by three cyber security specialists, shows it was sent by an unknown attacker, bounced through an Internet address in South Korea, was relayed through a Yahoo! (YHOO) server in New York, and finally made its way toward Mulhern's Booz Allen in-box. The analysis also shows the code—known as "malware," for malicious software—tracks keystrokes on the computers of people who open it. A separate program disables security measures such as password protection on Microsoft (MSFT) Access database files, a program often used by large organizations such as the U.S. defense industry to manage big batches of data.
AN E-MAIL'S JOURNEY
While hardly the most sophisticated technique used by electronic thieves these days, "if you have any kind of sensitive documents on Access databases, this [code] is getting in there and getting them out," says a senior executive at a leading cyber security firm that analyzed the e-mail. (The person requested anonymity because his firm provides security consulting to U.S. military departments, defense contractors, and financial institutions.) Commercial computer security firms have dubbed the malicious code "Poison Ivy."
But the malware attached to the fake Air Force e-mail has a more devious—and worrisome—capability. Known as a remote administration tool, or RAT, it gives the attacker control over the "host" PC, capturing screen shots and perusing files. It lurks in the background of Microsoft Internet Explorer browsers while users surf the Web. Then it phones home to its "master" at an Internet address currently registered under the name cybersyndrome.3322.org.
The digital trail to cybersyndrome.3322.org, followed by analysts at BusinessWeek's request, leads to one of China's largest free domain-name-registration and e-mail services. Called 3322.org, it is registered to a company called Bentium in the city of Changzhou, an industry hub outside Shanghai. A range of security experts say that 3322.org provides names for computers and servers that act as the command and control centers for more than 10,000 pieces of malicious code launched at government and corporate networks in recent years. Many of those PCs are in China; the rest could be anywhere.
The founder of 3322.org, a 37-year-old technology entrepreneur named Peng Yong, says his company merely allows users to register domain names. "As for what our users do, we cannot completely control it," says Peng. The bottom line: If Poison Ivy infected Jack Mulhern's computer at Booz Allen, any secrets inside could be seen in China. And if it spread to other computers, as malware often does, the infection opens windows on potentially sensitive information there, too.
It's not clear whether Mulhern received the e-mail, but the address was accurate. Informed by BusinessWeek on Mar. 20 of the fake message, Booz Allen spokesman George Farrar says the company launched a search to find it. As of Apr. 9, says Farrar, the company had not discovered the e-mail or Poison Ivy in Booz Allen's networks. Farrar says Booz Allen computer security executives examined the PCs of Mulhern and an assistant who received his e-mail. "We take this very seriously," says Farrar. (Mulhern, who retired in March, did not respond to e-mailed requests for comment and declined a request, through Booz Allen, for an interview.)
Air Force officials referred requests for comment to U.S. Defense Secretary Robert M. Gates' office. In an e-mailed response to BusinessWeek, Gates' office acknowledges being the target of cyber attacks from "a variety of state and non-state-sponsored organizations to gain unauthorized access to, or otherwise degrade, [Defense Dept.] information systems." But the Pentagon declined to discuss the attempted Booz Allen break-in. The Air Force, meanwhile, would not make Stephen Moree available for comment.
The bogus e-mail, however, seemed to cause a stir inside the Air Force, correspondence reviewed by BusinessWeek shows. On Sept. 4, defense analyst James Mulvenon also received the message with Moree and Mulhern's names on it. Security experts believe Mulvenon's e-mail address was secretly included in the "blind copy" line of a version of the message. Mulvenon is director of the Center for Intelligence Research & Analysis and a leading consultant to U.S. defense and intelligence agencies on China's military and cyber strategy. He maintains an Excel spreadsheet of suspect e-mails, malicious code, and hacker groups and passes them along to the authorities. Suspicious of the note when he received it, Mulvenon replied to Moree the next day. Was the e-mail "India spam?" Mulvenon asked.
"I apologize—this e-mail was sent in error—please delete," Moree responded a few hours later.
"No worries," typed Mulvenon. "I have been getting a lot of trojaned Access databases from China lately and just wanted to make sure."
"Interesting—our network folks are looking into some kind of malicious intent behind this e-mail snafu," wrote Moree. Neither the Air Force nor the Defense Dept. would confirm to BusinessWeek whether an investigation was conducted. A Pentagon spokesman says that its procedure is to refer attacks to law enforcement or counterintelligence agencies. He would not disclose which, if any, is investigating the Air Force e-mail.
By itself, the bid to steal digital secrets from Booz Allen might not be deeply troubling. But Poison Ivy is part of a new type of digital intruder rendering traditional defenses—firewalls and updated antivirus software—virtually useless. Sophisticated hackers, say Pentagon officials, are developing new ways to creep into computer networks sometimes before those vulnerabilities are known. "The offense has a big advantage over the defense right now," says Colonel Ward E. Heinke, director of the Air Force Network Operations Center at Barksdale Air Force Base. Only 11 of the top 34 antivirus software programs identified Poison Ivy when it was first tested on behalf of BusinessWeek in February. Malware-sniffing software from several top security firms found "no virus" in the India fighter-jet e-mail, the analysis showed.
Over the past two years thousands of highly customized e-mails akin to Stephen Moree's have landed in the laptops and PCs of U.S. government workers and defense contracting executives. According to sources familiar with the matter, the attacks targeted sensitive information on the networks of at least seven agencies—the Defense, State, Energy, Commerce, Health & Human Services, Agriculture, and Treasury departments—and also defense contractors Boeing (BA), Lockheed Martin, General Electric (GE), Raytheon (RTW), and General Dynamics (GD), say current and former government network security experts. Laura Keehner, a spokeswoman for the Homeland Security Dept., which coordinates protection of government computers, declined to comment on specific intrusions. In written responses to questions from BusinessWeek, Keehner says: "We are aware of and have defended against malicious cyber activity directed at the U.S. Government over the past few years. We take these threats seriously and continue to remain concerned that this activity is growing more sophisticated, more targeted, and more prevalent." Spokesmen for Lockheed Martin, Boeing, Raytheon, General Dynamics, and General Electric declined to comment. Several cited policies of not discussing security-related matters.
The rash of computer infections is the subject of Byzantine Foothold, the classified operation designed to root out the perpetrators and protect systems in the future, according to three people familiar with the matter. In some cases, the government's own cyber security experts are engaged in "hack-backs"—following the malicious code to peer into the hackers' own computer systems. BusinessWeek has learned that a classified document called an intelligence community assessment, or ICA, details the Byzantine intrusions and assigns each a unique Byzantine-related name. The ICA has circulated in recent months among selected officials at U.S. intelligence agencies, the Pentagon, and cyber security consultants acting as outside reviewers. Until December, details of the ICA's contents had not even been shared with congressional intelligence committees.
Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified "black" budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher "Kit" Bond, the committee's vice-chairman, to supplement closed-door testimony and classified documents with