South Pole 'cyberterrorist' hack wasn't the first

Threat over-egged


It's a tale Tom Clancy might have written. From their lair in distant Romania, shadowy cyber extortionists penetrate the computers controlling the life support systems at an Antarctic research station, confronting the 58 scientists and contractors wintering over at the remote post with the sudden prospect of an icy death. After some twists and turns, the researchers are saved in the fourth act by an international law enforcement effort led by FBI agents wielding a controversial, but misunderstood, federal surveillance law.

That's the story behind an intrusion into the network at the National Science Foundation's Amundsen-Scott South Pole Station in May of last year, as it's been told by the FBI and the US Attorney General. But did it actually happen that way?

The attack itself was real enough. On May 3rd, network administrators for the US Antarctic Program and the South Pole Station received an anonymous e-mail with the subject line "South Pole Station Servers HACKED." "This is a message from earth to earth, do you copy?," the e-mail began. The message demanded money, and threatened to sell information stolen from the network "to another country," according to the FBI. To establish their bona fides, the intruders attached a sample of data lifted from the South Pole network.

Network administrators quickly took the compromised system offline and began forensics, while FBI computer crime experts traced the demand letter to a cyber café in Romania - a country that exports hacker extortion schemes the way Nigeria produces Internet advance fee scams. Agents zeroed in on two suspects who were already targets of FBI investigations in Mobile, Alabama and Los Angeles, California for similar protection rackets, and the pair were quickly rolled up by Romanian law enforcement. The matter "is now pending prosecution in Romania," says FBI spokesman Joe Parris.

But did the intruders really endanger the lives of the 58 scientists and contractors? Could they have shut off the heat at a time of year when aircraft don't dare to land for anything short of a medical emergency? The most dramatic element of the South Pole story was absent from the FBI's first public release on the attack in July of last year. That account - which has since been scrubbed from the FBI's website - underscored the importance of the Internet to scientists living at the South Pole station, describing connectivity as "a lifeline" to the outside world. But that's as far as it went.

The hacked life support system first crept into the tale last February, in testimony by FBI cyber chief Keith Lourdeau to a Senate subcommittee conducting hearings on "cyber terrorism." "During May, the temperature at the South Pole can get down to 70 degrees below zero Fahrenheit; aircraft cannot land there until November due to the harsh weather conditions," says Lourdeau. "The compromised computer systems controlled the life support systems for the 50 scientists." (The FBI's Parris said he hadn't seen Lourdeau's Senate testimony, and was therefore not able to comment on it.)

Lourdeau took pains in his testimony to point out that the FBI still has not seen anything that qualifies as cyber terrorism under the bureau's definition of the term. But last month Attorney General John Ashcroft showed less reticence in describing the South Pole hacks as "a cyber-terrorist threat" in a 29-page Justice Department report meant to highlight, through dozens of examples, the importance of the controversial USA Patriot Act, which he claimed had aided agents tracking the alleged cyber terrorists' email.

"The hacked computer ... controlled the life support systems for the South Pole Station that housed 50 scientists 'wintering over' during the South Pole's most dangerous season," reads the Justice Department report. "Due in part to the quick response allowed by [the USA Patriot Act], FBI agents were able to close the case quickly with the suspects' arrest before any harm was done to the South Pole Research Station."

Memo: 'No Critical System Corrupted'

When Newsweek examined the Justice report last month, the NSF disputed the role the USA Patriot Act played in the Romanian investigation. But spokesman Peter West says the Foundation will not otherwise comment on the South Pole intrusion. Justice Department spokesman Mark Corallo didn't return a phone call inquiring about the description of events in the Justice report.

But an internal assessment of the attack by NSF senior staff, intended to explain the intrusion to the NSF's inspector general and obtained by SecurityFocus under the Freedom of Information Act, appears at odds with the Justice Department's version. For starters, by the time the suspects were arrested, the compromised system had already been secured -- the arrests were apparently not responsible for preventing harm to the station.

And as described in the memo, released as a partially-redacted draft, the incident was something less than a cyber terror attack to begin with, and prompted a measured response from network administrators. "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted" by the Romanian hackers, "we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole," the memo reads.

The assessment noted that, at the time of the Romanian intrusion, the South Pole's network was less secure than other NSF sites "purposely to allow for our scientists at this remotest of locations to exchange data under difficult circumstances."

Indeed, the station was no stranger to hack attacks when the would-be extortionists struck. Other documents show that less than two months earlier the NSF's security team was plunged into a similar fire drill when a computer intruder named "PoizonB0x" penetrated the primary and backup data acquisition servers for a radio telescope at the station called the Degree Angular Scale Interferometer (DASI), which measures properties of the cosmic microwave background radiation -- the afterglow of the Big Bang. The intruder, rated a prolific website defacer by tracking site Zone-H, used his moment of cosmic access to erect a webpage on the servers proclaiming, "I love my angel Laura."

PoizonB0x's Antarctic love letter apparently failed to spur a change in the station's cyber security posture. The Romanian extortion attempt did, and on May 12th of last year the NSF's director of polar programs, Karl Erb, issued a memo ambitiously directing all "science, operations and personal use systems connected to the South Pole station network to identify and correct all known vulnerabilities." Erb also announced a tightening of the firewall rules for the network. "This aligns the security posture at South Pole with the other stations," he wrote.

Copyright © 2004, SecurityFocus
