In July 2013, a hacker calling himself “Peace” uploaded a malicious string of code into computers at the US Department of Energy, the agency that oversees the American nuclear weapons programme, its power production and other vital national interests.
Peace hit the jackpot, gaining access to a trove of confidential personal data — including the names of employees, their social security numbers and their bank account details.
“YASSSS,” he typed in an online chatroom. “I AM INVINCIBLE!!! Finally shelled mis.doe.gov after over 24h.”
Prosecutors allege “Peace” is Lauri Love, a 30-year-old resident of Suffolk, England. With relative ease, he and his unnamed co-conspirators gained “unlimited access” to the system and ran more than 600 queries on the DoE’s computers. The alleged hackers accessed the personal information of over 104,000 current and former DoE employees by breaking in through a known — but unpatched — vulnerability in an Adobe software programme called ColdFusion.
Mr Love allegedly used the same tactic to infiltrate the Federal Reserve, Nasa, the Environmental Protection Agency, the US Army and the US Missile Defense Agency, according to three separate criminal charges. The DoE breach was one of the biggest violations of government employee data at the time — and the department’s watchdog says it could have been prevented.
“The vulnerability exploited by the attacker was specifically identified by [US software company Adobe] in January 2013,” Gregory Friedman, the DoE’s inspector-general, concluded after investigating the hack.
While serious, the breach at the DoE can hardly be called rare. Even as the US technology sector leads the world, the US government’s computer systems — including those of agencies that handle information crucial to national security — are woefully unprepared for the frequency and sophistication of today’s cyber attackers.
US agencies’ vulnerabilities have been hiding in plain sight. Last week the Obama administration admitted that hackers stole the private information of about 25m individuals through two hacks at the Office of Personnel Management, the government’s human resources arm. The second breach was the largest ever cyber attack on a US government agency. The OPM’s chief resigned last Friday.
Lawmakers see the rocketing number of hacks as evidence of a new cold war — one which the US is losing. Whether the attacker is a nation — China is thought to have been behind the OPM hack — or a small group like Mr Love and his associates, the enemy is often more sophisticated and more nimble than the US government.
Mr Love, who has been charged by prosecutors in New York, New Jersey and Virginia but who has not yet been sought for extradition, could not be reached for comment.