SecurityFocus, 2004-08-18
It's a tale Tom Clancy might have written. From their lair in distant Romania, shadowy cyber extortionists penetrate the computers controlling the life support systems at an Antarctic research station, confronting the 58 scientists and contractors wintering over at the remote post with the sudden prospect of an icy death. After some twists and turns, the researchers are saved in the fourth act by an international law enforcement effort led by FBI agents wielding a controversial, but misunderstood, federal surveillance law.
The attack itself was real enough. On May 3rd, network administrators for the U.S. Antarctic Program and the South Pole Station received an anonymous e-mail with the subject line "South Pole Station Servers HACKED." "This is a message from earth to earth, do you copy?" the e-mail began. The message demanded money, and threatened to sell information stolen from the network "to another country," according to the FBI. To establish their bona fides, the intruders attached a sample of data lifted from the South Pole network.
Network administrators quickly took the compromised system offline and began forensics, while FBI computer crime experts traced the demand letter to a cyber café in Romania -- a country that exports hacker extortion schemes the way Nigeria produces Internet advance fee scams. Agents zeroed in on two suspects who were already targets of FBI investigations in Mobile, Alabama and Los Angeles, California for similar protection rackets, and the pair were quickly rolled up by Romanian law enforcement. The matter "is now pending prosecution in Romania," says FBI spokesman Joe Parris.
But did the intruders really endanger the lives of the 58 scientists and contractors? Could they have shut off the heat at a time of year when aircraft don't dare to land for anything short of a medical emergency? The most dramatic element of the South Pole story was absent from the FBI's first public release on the attack in July of last year. That account underscored the importance of the Internet to scientists living at the South Pole station, describing connectivity as "a lifeline" to the outside world. But that's as far as it went.
The hacked life support system first crept into the tale last February, in testimony by FBI cyber chief Keith Lourdeau to a Senate subcommittee conducting hearings on "cyber terrorism." "During May, the temperature at the South Pole can get down to 70 degrees below zero Fahrenheit; aircraft cannot land there until November due to the harsh weather conditions," says Lourdeau. "The compromised computer systems controlled the life support systems for the 50 scientists." (The FBI's Parris said he hadn't seen Lourdeau's Senate testimony, and was therefore not able to comment on it.)
Lourdeau took pains in his testimony to point out that the FBI still has not seen anything that qualifies as cyber terrorism under the bureau's definition of the term. But last month Attorney General John Ashcroft showed less reticence in describing the South Pole hacks as "a cyber-terrorist threat" in a 29-page Justice Department report meant to highlight, through dozens of examples, the importance of the controversial USA Patriot Act, which he claimed had aided agents tracking the alleged cyber terrorists' e-mail.
"The hacked computer ... controlled the life support systems for the South Pole Station that housed 50 scientists 'wintering over' during the South Pole's most dangerous season," reads the Justice Department report. "Due in part to the quick response allowed by [the USA Patriot Act], FBI agents were able to close the case quickly with the suspects' arrest before any harm was done to the South Pole Research Station."
Memo: 'No Critical System Corrupted'
When Newsweek examined the Justice report last month, the NSF disputed the role the USA Patriot Act played in the Romanian investigation. But spokesman Peter West says the Foundation will not otherwise comment on the South Pole intrusion. Justice Department spokesman Mark Corallo didn't return a phone call inquiring about the description of events in the Justice report.
But an internal assessment of the attack by NSF senior staff, obtained by SecurityFocus under the Freedom of Information Act, appears at odds with the Justice Department's version. For starters, by the time the suspects were arrested, the compromised system had already been secured -- the arrests were apparently not responsible for preventing harm to the station.
And as described in the memo, released as a partially-redacted draft, the incident was something less than a cyber terror attack to begin with, and prompted a measured response from network administrators. "Given the fact that no financial records or systems were compromised, no safety or loss of life was threatened, and no critical system corrupted, we need to balance legitimate security needs with the legitimate needs of our scientists at the Pole," the memo reads.
The assessment noted that, at the time of the Romanian intrusion, the South Pole's network was less secure than other NSF sites "purposely to allow for our scientists at this remotest of locations to exchange data under difficult circumstances."
Indeed, the station was no stranger to hack attacks when the would-be extortionists struck. Other documents show that less than two months earlier the NSF's security team was plunged into a similar fire drill when a computer intruder named "PoizonB0x" penetrated the primary and backup data acquisition servers for a radio telescope at the station called the Degree Angular Scale Interferometer (DASI), which measures properties of the cosmic microwave background radiation -- the afterglow of the Big Bang. The intruder, rated a prolific website defacer by tracking site Zone-H, used his moment of cosmic access to erect a webpage on the servers proclaiming, "I love my angel Laura."
PoizonB0x's Antarctic love letter apparently failed to spur a change in the station's cyber security posture. The Romanian extortion attempt did, and on May 12th of last year the NSF's director of polar programs, Karl Erb, issued a memo ambitiously directing all "science, operations and personal use systems connected to the South Pole station network to identify and correct all known vulnerabilities." Erb also announced a tightening of the firewall rules for the network. "This aligns the security posture at South Pole with the other stations," he wrote.