Sophos Cloud Optix
A British man has been charged with hacking into the computer systems of the US army, NASA and many other federal agencies.
The 28-year-old from Suffolk, named as Lauri Love, was arrested under the Computer Misuse Act by officers from the UK’s new National Crime Agency. The arrest came after an international investigation led by the US army’s criminal investigation command in conjunction with the FBI in Newark.
Officials say that Love, along with three other alleged hackers from Sweden and Australia, tried to break into networks belonging to America’s Missile Defence Agency, NASA, the US Army Corps of Engineers and an environment agency between October 2012 and October 2013.
US prosecutors described Love as a “sophisticated and prolific computer hacker” who allegedly stole “massive quantities of sensitive data” which, they claim, resulted in “millions of dollars in losses.”
An indictment served in a federal court in Newark, New Jersey said that:
Between October 2012 and October 2013, Love and fellow conspirators sought out and hacked into thousands of computer systems. Once inside the compromised networks, Love and his conspirators placed hidden "shells" or "back doors" within the networks, which allowed them to return to the compromised computer systems at a later date and steal confidential data. The stolen data included the personally identifying information (PII) of thousands of individuals, some of whom were military servicemen and servicewomen, as well as other nonpublic material.
Love, and his three accomplices, allegedly stole data on more than 500 individuals, as well as information about government budgets and the “demolition and disposal of military facilities.”
The 22-page indictment includes alleged extracts from conversations between Love and his co-conspirators. In one, Love, who was active in Scotland during the 2011 Occupy protests, is said to have discussed how the group “might be able to get at real confidential shit” through targeting certain systems.
According to the indictment another alleged conversation said:
This ... stuff is really sensitive. ... It's basically every piece of information you'd need to do full identity theft on any employee or contractor for the [government agency].
It is also claimed that Love, who used the online pseudonyms of ‘nsh’, ‘route’, ‘peace’ and ‘love’, planned to use Twitter and other social media platforms to publicise the attacks.
The US government says that the aim of the co-conspirators was “to disrupt the operations and infrastructure” of the federal government.
US prosecutor Paul Fishman said:
According to the indictment, Lauri Love and conspirators hacked into thousands of networks, including many belonging to the United States military and other government agencies. As part of their alleged scheme, they stole military data and personal identifying information belonging to servicemen and women. Such conduct endangers the security of our country and is an affront to those who serve.
Love, who has not been charged in the UK, has been released on bail until February and could be extradited to the US where, if convicted, he could face up to ten years in prison plus a fine equal to double the financial damage caused.
Andy Archibald, Head of the National Crime Agency’s National Cyber Crime Unit, said:
This arrest is the culmination of close joint working by the NCA, Police Scotland and our international partners.
Cyber-criminals should be aware that no matter where in the world you commit cyber crime, even from remote places, you can and will be identified and held accountable for your actions. The NCA has well developed law enforcement alliances globally and we will pursue and deal robustly with cyber-criminals.
The arrest of Love comes at a time when Conservative MPs are looking to tighten up the UK-US extradition treaty. If amendments to the Anti-social Behaviour, Crime and Policing Bill are agreed then British citizens may be afforded more protection when faced with European Arrest Warrants (EAW) or extradition to the US.
Love may be hoping that such an amendment does comes into force in order to allow him to avoid a similar fate to that of Gary McKinnon.
McKinnon, who has Asperger’s Syndrome, fought a 10-year legal battle to avoid being extradited to the US to answer similar charges of hacking into computer systems run by NASA and the United States military.
Image of US Army badge courtesy of Shutterstock.
Gary McKinnon and Lauri Love are two different types of hackers and should not be compared.
Just as an example – McKinnon wanted to know if there was an alien cover-up. He did not try to download any personal data that could be used for monetary gain. Love on the other hand was all about gaining personal data to use for monetary gain. There are other differences as well – use of malicious software to create backdoors.
–> "McKinnon, who has Asperger's Syndrome,.."
What purpose did this extra information serve? Why didn't you include any extra personal information about Love?
"for monetary gain"
Hmm, I read the indictment and I didn't see nothing in it about the data being used for monetary gain.. Love just said something about identity theft in regard to the sensitivity of data that was taken from a database.. Maybe I missed something?
Maybe I am a bit pessimistic about thieves, but a person who steals PII (identity theft) usually tries to sell that data, or use it to get a credit card, or drain a bank account.
Perhaps I am wrong and he wants to ensure that the people whose PII he stole is safe and secure from would be identity thieves.
Instead of spending millions prosecuting this individual they should spend it on securing their assets. The cheapest way to do this is by hiring Mr Love and his mates and paying him to challenge their systems. If people of his calibre can get in and allegedly brag to pals about it, there will be covert intrusion for sure, and they'll never notice the changes.
Why does the USA behave in such an unprofessional way on this?
I agree with you Asperto – my first thought on reading this article. Why are the sensitive personal details of so many US service people open to such abuse? I wince every time I have to send some of my own personal data to any agency via the Internet; because no matter how secure they claim to be – they just aren't and never will be.
Every time a criminal hacker is caught it seems that someone suggests that they should be paid to help secure the systems that they penetrated. I'm sorry, but that's SUCH a bad idea.
The InfoSec industry is full of really really talented people that are true White Hat hackers. Bring THEM in to penetration-test, conduct internal vulnerability reviews, risk assessments, train end-users and do all the other things that help make a difference to these sites' security.
But NEVER reward the criminals for their own work. All that does is promote similar activity by others for notoriety and potential financial gain.
McKinnon is just a lone geek who sought evidence that US authorities conspired to conceal evidence of alien visitors to earth. He did not pass any US or allied secrets to anyone else, nor did he attempt to make money from his success in cracking US security blocks. The US and UK security agencies should be thankful that it was McKinnon and no-one else who found the gaps in their systems.
Presumably those loopholes have been closed long ago, but it appears that Lauri Love has found more. He is in custody on suspicion of conspiracy with four others, and stealing "massive quantities of sensitive data". Their motives are not yet public knowledge, but the security services must assume the worst. They are not lone, deluded, geeks.
I will never get to ask Lauri Love or any black hat hacker this question: (but I still would like some poster to answer it as best as they could)
Do they really believe that a scenario in the movie "Fight Club" will fix any issues they are having with the world today?? Honestly.
you might get to ask Lauri Love that question; you might even get a reply some day.
Wasn’t the 1917 Russian revolution a type of ‘Fight Club’?