South Pole 'cyberterrorist' hack wasn't the first

Threat over-egged

It's a tale Tom Clancy might have written. From their lair in distant Romania, shadowy cyber extortionists penetrate the computers controlling the life support systems at an Antarctic research station, confronting the 58 scientists and contractors wintering over at the remote post with the sudden prospect of an icy death. After some twists and turns, the researchers are saved in the fourth act by an international law enforcement effort led by FBI agents wielding a controversial, but misunderstood, federal surveillance law.

That's the story behind an intrusion into the network at the National Science Foundation's Amundsen-Scott South Pole Station in May of last year, as it's been told by the FBI and the US Attorney General. But did it actually happen that way?

The attack itself was real enough. On May 3rd, network administrators for the US Antarctic Program and the South Pole Station received an anonymous e-mail with the subject line "South Pole Station Servers HACKED." "This is a message from earth to earth, do you copy?" the e-mail began. The message demanded money, and threatened to sell information stolen from the network "to another country," according to the FBI. To establish their bona fides, the intruders attached a sample of data lifted from the South Pole network.

Network administrators quickly took the compromised system offline and began forensics, while FBI computer crime experts traced the demand letter to a cyber café in Romania - a country that exports hacker extortion schemes the way Nigeria produces Internet advance fee scams. Agents zeroed in on two suspects who were already targets of FBI investigations in Mobile, Alabama and Los Angeles, California for similar protection rackets, and the pair were quickly rolled up by Romanian law enforcement. The matter "is now pending prosecution in Romania," says FBI spokesman Joe Parris.

But did the intruders really endanger the lives of the 58 scientists and contractors? Could they have shut off the heat at a time of year when aircraft don't dare to land for anything short of a medical emergency? The most dramatic element of the South Pole story was absent from the FBI's first public release on the attack in July of last year. That account - which has since been scrubbed from the FBI's website - underscored the importance of the Internet to scientists living at the South Pole station, describing connectivity as "a lifeline" to the outside world. But that's as far as it went.

The hacked life support system first crept into the tale last February, in testimony by FBI cyber chief Keith Lourdeau to a Senate subcommittee conducting hearings on "cyber terrorism." "During May, the temperature at the South Pole can get down to 70 degrees below zero Fahrenheit; aircraft cannot land there until November due to the harsh weather conditions," says Lourdeau. "The compromised computer systems controlled the life support systems for the 50 scientists." (The FBI's Parris said he hadn't seen Lourdeau's Senate testimony, and was therefore not able to comment on it.)

Lourdeau took pains in his testimony to point out that the FBI still has not seen anything that qualifies as cyber terrorism under the bureau's definition of the term. But last month Attorney General John Ashcroft showed less reticence in describing the South Pole hacks as "a cyber-terrorist threat" in a 29-page Justice Department report meant to highlight, through dozens of examples, the importance of the controversial USA Patriot Act, which he claimed had aided agents tracking the alleged cyber terrorists' email.

"The hacked computer ... controlled the life support systems for the South Pole Station that housed 50 scientists 'wintering over' during the South Pole's most dangerous season," reads the Justice Department report. "Due in part to the quick response allowed by [the USA Patriot Act], FBI agents were able to close the case quickly with the suspects' arrest before any harm was done to the South Pole Research Station."

Memo: 'No Critical System Corrupted'

When Newsweek examined the Justice report last month, the NSF disputed the role the USA Patriot Act played in the Romanian investigation. But spokesman Peter West says the Foundation will not otherwise comment on the South Pole intrusion. Justice Department spokesman Mark Corallo didn't return a phone call inquiring about the description of events in the Justice report.

But an internal assessment of the attack by NSF senior staff, intended to explain the intrusion to the NSF's inspector general and obtained by SecurityFocus under the Freedom of Information Act, appears at odds with the Justice Department's version. For starters, by the time the suspects were arrested, the compromised system had already been secured -- the arrests were apparently not responsible for preventing harm to the station.

And as described in the memo, released as a partially-redacted draft, the incident was something less than a cyber terror attack to begin with, and prompted a measured response from network administrators. "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted" by the Romanian hackers, "we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole," the memo reads.

The assessment noted that, at the time of the Romanian intrusion, the South Pole's network was less secure than other NSF sites "purposely to allow for our scientists at this remotest of locations to exchange data under difficult circumstances."

Indeed, the station was no stranger to hack attacks when the would-be extortionists struck. Other documents show that less than two months earlier the NSF's security team was plunged into a similar fire drill when a computer intruder named "PoizonB0x" penetrated the primary and backup data acquisition servers for a radio telescope at the station called the Degree Angular Scale Interferometer (DASI), which measures properties of the cosmic microwave background radiation -- the afterglow of the Big Bang. The intruder, rated a prolific website defacer by tracking site Zone-H, used his moment of cosmic access to erect a webpage on the servers proclaiming, "I love my angel Laura."

PoizonB0x's Antarctic love letter apparently failed to spur a change in the station's cyber security posture. The Romanian extortion attempt did, and on May 12th of last year the NSF's director of polar programs, Karl Erb, issued a memo ambitiously directing all "science, operations and personal use systems connected to the South Pole station network to identify and correct all known vulnerabilities." Erb also announced a tightening of the firewall rules for the network. "This aligns the security posture at South Pole with the other stations," he wrote.

Copyright © 2004, SecurityFocus
