Information Security News mailing list archives

Hackers linked to China stole Los Alamos documents


From: InfoSec News <isn () C4I ORG>
Date: Thu, 3 Aug 2000 16:06:17 -0500

http://www.washingtontimes.com/national/default-20008321179.htm

Bill Gertz
THE WASHINGTON TIMES

Published 8/3/00

Hackers suspected of working for a Chinese government institute in
Beijing broke into a computer system at Los Alamos National Laboratory
and pilfered large amounts of sensitive information, including
documents containing the word "nuclear," The Washington Times has
learned.

The incident involving sensitive but unclassified data was uncovered
by a National Security Agency computer analyst early last year but
kept secret until now, said U.S. intelligence officials who spoke on
the condition of anonymity.

"They [the Chinese] obtained the equivalent of a stack of documents 3
feet high," one official said.

Officials said the case highlights the fact that foreign governments
continue to seek U.S. nuclear weapons information. They said it is a
clear example of Chinese government-sponsored computer spying
techniques, which Beijing's military has cultivated for several years.

Disclosure of the incident is the latest example of Beijing's covert
efforts to obtain U.S. nuclear secrets.

Fired Los Alamos scientist Wen Ho Lee is awaiting trial on charges he
mishandled sensitive nuclear weapons secrets. His arrest grew out of a
major investigation that revealed China had obtained secrets on every
deployed warhead in the U.S. nuclear arsenal.

Officials said the Chinese hackers disguised their attack by entering
a Los Alamos "file transfer protocol" site, or FTP, on the Internet
through several computer system gateways at U.S. universities. Such
FTP sites often are used to store information.

The incident took place in late 1998 or early last year, the officials
said.

Using electronic tracing techniques developed by the National Security
Agency, the analyst tracked the intruder back to a research institute
in Beijing. Under China's communist system, all research institutes
are part of the government and have been used in the past for spying
activities.

The officials did not provide further details or identify the Chinese
institute.

Sensitive, but not secret, data stored on Los Alamos computers until
recently included information dubbed "unclassified," "controlled
nuclear information," "official use only," "naval nuclear propulsion
information," "export controlled information" and "corporate
proprietary data."

A counterintelligence official said that, in general, computer-based
information lost to foreign spies from Department of Energy
facilities, including Los Alamos, has been extremely valuable to
foreign weapons programs.

The data helped foreign governments save time and money on their
nuclear weapons programs while undermining U.S. national security and
economic competitiveness, the official said.

China is one of the most aggressive foreign powers seeking to glean
data on nuclear weapons via computer from U.S. weapons laboratories,
the official said. The Chinese are known to use several forms of
computer attacks to gain access to the information.

Chinese spies also have targeted Los Alamos for documents related to
verifying compliance with arms control agreements, including the START
arms pact and a chemical weapons agreement.

Intelligence officials said Chinese research institutes made nearly 50
attempts to obtain two documents during the late 1990s.

In a 1996 case, Army Pvt. Eric Jenott passed information on Pentagon
computer systems to a Chinese national working at the Energy
Department's Oak Ridge facility. He was convicted of computer fraud.

In another case, a Chinese scientist working at the Brookhaven
National Laboratory on Long Island, N.Y., was caught sending technical
notes to the Chinese Academy of Sciences, a government entity in
charge of weapons development programs.

A recent report to Congress on Chinese spying, produced jointly by the
FBI and CIA, made no mention of the covert computer attack. The report
said the Chinese gather science and technology information through
U.S. national laboratories and acquire "highly valued, yet
unclassified information."

National Security Agency spokesman Fred Lash declined to comment on
the agency's role in tracking the Chinese computer attack.

However, Los Alamos spokesman Jim Danneskiold said the laboratory was
under widespread computer attack during the time in question, although
security officials have no record of a specific incident involving
Chinese downloading information from an FTP site.

"Certainly there were massive attacks around that time as part of
Moonlight Maze," Mr. Danneskiold said, using the Pentagon code name
for a series of worldwide computer assaults, primarily against Defense
Department computers.

Mr. Danneskiold suggested that the Chinese intrusion in question might
not have been detected because security officials at Los Alamos were
in the process of installing a security "fire wall" system designed to
keep out unauthorized computer intruders.

There is "an enormous amount of Chinese activity hitting our green,
open sites," Mr. Danneskiold said. "We're talking Web hits, and it
happens continuously."

The computer systems at the laboratory were partitioned during the
period in question by creating a "green" system for open access to all
Internet users, a limited-entry "yellow" site for remote access to
sensitive but unclassified information and a classified "red" system
closed to unauthorized users.

"Yeah, sure, people have gotten into the unclassified system," Mr.
Danneskiold said. "Our unclassified site has been hacked."

During one 10-month period in the late 1990s, officials said,
intelligence agencies recorded 792 computer security incidents,
including 324 attacks from outside the United States.

The attacks included efforts to gain password files, probes of
computer defenses and scans of system vulnerabilities to intrusion.

Several computer systems have been compromised by intruders who gained
"root" access to Energy Department computer systems. Such access
allows hackers to gain complete access and total control over computer
systems that permit them to see all information on the systems, the
officials said.

Many of the attacks are from foreign intelligence services seeking
restricted nuclear information or other sensitive material,
particularly on science and technology.

ISN is hosted by SecurityFocus.com