Fort Monmouth data among alleged British hacker’s data haul
The (Hackensack, N.J.) Record
Federal authorities in New Jersey have charged an alleged hacker from Great Britain with stealing massive amounts of confidential data from the Army and the U.S. Missile Defense Agency, including the personal information of servicemen and women.
The computer network breaches allegedly orchestrated by Lauri Love, 28, of Stradishall, England, resulted in millions of dollars in damages to the government, prosecutors alleged.
“Lauri Love and conspirators hacked into thousands of networks, including many belonging to the United States military and other government agencies,” U.S. Attorney Paul J. Fishman said in a statement Monday.
“As part of their alleged scheme, they stole military data and personal identifying information belonging to servicemen and women,” Fishman said. “Such conduct endangers the security of our country and is an affront to those who serve.”
A two-count indictment, unsealed in federal court in Newark, accused Love of accessing a U.S. department or agency computer without authorization and conspiring to do the same.
Love was arrested at his residence on Friday by authorities in the United Kingdom, where he is the subject of an ongoing investigation by the National Crime Agency.
A spokesman for Fishman said it was too early to say when Love, a British citizen, might be extradited to the United States.
An investigation led by the U.S. Army Criminal Investigation Command and the FBI in Newark revealed that over the past year Love and fellow conspirators allegedly infiltrated the computer systems of the Army, the Missile Defense Agency, the Environmental Protection Agency and NASA.
The indictment described Love as a “sophisticated and prolific hacker” who worked with at least two co-conspirators in Australia and another in Sweden.
They planned and executed the attacks in secure online chat forums, frequently using more than one screen name and changing it often to conceal their identities, prosecutors said. They also used proxy servers to disguise the Internet address from which their attacks originated.
Once a government network was infiltrated, Love and the conspirators placed malicious code, or malware, on the system that created a “back door” through which they could return at a later date and steal confidential data, prosecutors said.
The stolen data included the personal identifying information of thousands of people, as well as other non-public material, according to the indictment.
In one chat session detailed in the indictment, Love, using the online moniker “peace,” discussed the data he had stolen from a government agency.
“This … stuff is really sensitive,” he said. “It’s basically every piece of information you’d need to do full identity theft on any employee or contractor for the [agency].”
One attack, aimed at the Army Network Enterprise Technology Command, resulted in the theft of personal identifying information of more than 1,000 people, including military personnel stationed at Fort Monmouth in Monmouth County, the indictment said.
Another attack, launched from a proxy computer server in Romania, targeted a research center of the U.S. Army Corps of Engineers and netted data about the planned demolition and disposal of military facilities, the indictment said.
Other attacks netted non-public competitive acquisition bid data, defense program budgeting data and natural resource management information. There are no allegations in the indictment of sensitive, operational military secrets being stolen, authorities said.
In a separate criminal complaint, unsealed Monday in Alexandria, Va., Love is accused of conspiring to access and damage the computer networks of the Department of Health and Human Services, the Department of Energy, an FBI-run regional computer forensics laboratory, and the U.S. Sentencing Commission. During one of the breaches, a video criticizing the sentencing guidelines for Internet-related crimes was posted to the commission’s website, the complaint said.
If convicted, Love faces up to five years in prison and a $250,000 fine or twice the gain or loss from the offense — whichever is greater — on each of the two counts with which he is charged.