[ISN] South Pole 'cyberterrorist' hack wasn't the first

InfoSec News isn at c4i.org
Fri Aug 20 04:26:08 EDT 2004

Forwarded from: William Knowles <wk at c4i.org>


By Kevin Poulsen, SecurityFocus
19th August 2004 

It's a tale Tom Clancy might have written. From their lair in distant
Romania, shadowy cyber extortionists penetrate the computers
controlling the life support systems at an Antarctic research station,
confronting the 58 scientists and contractors wintering over at the
remote post with the sudden prospect of an icy death. After some
twists and turns, the researchers are saved in the fourth act by an
international law enforcement effort led by FBI agents wielding a
controversial, but misunderstood, federal surveillance law.

That's the story behind an intrusion into the network at the National
Science Foundation's Amundsen-Scott South Pole Station in May of last
year, as it's been told by the FBI and the US Attorney General. But
did it actually happen that way?

The attack itself was real enough. On May 3rd, network administrators
for US Antarctic Program and the South Pole Station received an
anonymous e-mail with the subject line "South Pole Station Servers
HACKED." "This is a message from earth to earth, do you copy?," the
e-mail began. The message demanded money, and threatened to sell
information stolen from the network "to another country," according to
the FBI. To establish their bona fides, the intruders attached a
sample of data lifted from the South Pole network.

Network administrators quickly took the compromised system offline and
began forensics, while FBI computer crime experts traced the demand
letter to a cyber café in Romania - a country that exports hacker
extortion schemes the way Nigeria produces Internet advance fee scams.  
Agents zeroed in on two suspects who were already targets of FBI
investigations in Mobile, Alabama and Los Angeles, California for
similar protection rackets, and the pair were quickly rolled up by
Romanian law enforcement. The matter "is now pending prosecution in
Romania," says FBI spokesman Joe Parris.

But did the intruders really endanger the lives of the 58 scientists
and contractors? Could they have shut off the heat at a time of year
when aircraft don't dare to land for anything short of a medical
emergency? The most dramatic element of the South Pole story was
absent from the FBI's first public release on the attack in July of
last year. That account - which has since been scrubbed from the FBI's
website [1] - underscored the importance of the Internet to scientists
living at the South Pole station, describing connectivity as "a
lifeline" to the outside world. But that's as far as it went.

The hacked life support system first crept into the tale last
February, in testimony by FBI cyber chief Keith Lourdeau to a Senate
subcommittee conducting hearings on "cyber terrorism." "During May,
the temperature at the South Pole can get down to 70 degrees below
zero Fahrenheit; aircraft cannot land there until November due to the
harsh weather conditions," says Lourdeau. "The compromised computer
systems controlled the life support systems for the 50 scientists."  
(The FBI's Parris said he hadn't seen Lourdeau's Senate testimony, and
was therefore not able to comment on it.)

Lourdeau took pains in his testimony to point out that the FBI still
has not seen anything that qualifies as cyber terrorism under the
bureau's definition of the term. But last month Attorney General John
Ashcroft showed less reticence in describing the South Pole hacks as
"a cyber-terrorist threat" in a 29-page Justice Department report
meant to highlight, through dozens of examples, the importance of the
controversial USA Patriot Act, which he claimed had aided agents
tracking the alleged cyber terrorists' email.

"The hacked computer ... controlled the life support systems for the
South Pole Station that housed 50 scientists 'wintering over' during
the South Pole's most dangerous season," reads the Justice Department
report. "Due in part to the quick response allowed by [the USA Patriot
Act], FBI agents were able to close the case quickly with the
suspects' arrest before any harm was done to the South Pole Research

Memo: 'No Critical System Corrupted'

When Newsweek examined the Justice report last month, the NSF disputed
the role the USA Patriot Act played in the Romanian investigation. But
spokesman Peter West says the Foundation will not otherwise
comment on the South Pole intrusion. Justice Department spokesman Mark
Corallo didn't return a phone call inquiring about the description of
events in the Justice report.

But an internal assessment of the attack by NSF senior staff, intended
to explain the intrusion to the NSF's inspector general and obtained
by SecurityFocus under the Freedom of Information Act, appears at odds
with the Justice Department's version. For starters, by the time the
suspects were arrested, the compromised system had already been
secured -- the arrests were apparently not responsible for preventing
harm to the station.

And as described in the memo, released as a partially-redacted draft,
the incident was something less than a cyber terror attack to begin
with, and prompted a measured response from network administrators.  
"Given the fact that no financial records or systems were compromised,
no safety or loss of life was threatened, and no critical system
corrupted" by the Romanian hackers, "we need to balance legitimate
security needs with the legitimate needs of our scientists at the
Pole," the memo reads.

The assessment noted that, at the time of the Romanian intrusion, the
South Pole's network was less secure than other NSF sites "purposely
to allow for our scientists at this remotest of locations to exchange
data under difficult circumstances."

Indeed, the station was no stranger to hack attacks when the would-be
extortionists struck. Other documents show that less than two months
earlier the NSF's security team was plunged into a similar fire drill
when a computer intruder named "PoizonB0x" penetrated the primary and
backup data acquisition servers for a radio telescope at the station
called the Degree Angular Scale Interferometer (DASI), which measures
properties of the cosmic microwave background radiation -- the
afterglow of the Big Bang. The intruder, rated a prolific website
defacer by tracking site Zone-H, used his moment of cosmic access to
erect a webpage on the servers proclaiming, "I love my angel Laura."

PoizonB0x's Antarctic love letter apparently failed to spur a change
in the station's cyber security posture. The Romanian extortion
attempt did, and on May 12th of last year the NSF's director of polar
programs, Karl Erb, issued a memo ambitiously directing all "science,
operations and personal use systems connected to the South Pole
station network to identify and correct all known vulnerabilities."  
Erb also announced a tightening of the firewall rules for the network.  
"This aligns the security posture at South Pole with the other
stations," he wrote.

[1] http://www.landfield.com/isn/mail-archive/2003/Jul/0092.html 

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
