Network Security Breaches Plague NASA

Cyberspies, thieves lurk in satellite and shuttle networks

nasashuttle2

BusinessWeek – Cover

November 20, 2008

By Keith Epstein and Ben Elgin

America’s military and scientific institutions—along with the defense industry that serves them—are being robbed of secret information on satellites, rocket engines, launch systems, and even the Space Shuttle. The thieves operate via the Internet from Asia and Europe, penetrating U.S. computer networks. Some of the intruders are suspected of having ties to the governments of China and Russia, interviews and documents show. Of all the arms of the U.S. government, few are more vulnerable than NASA, the civilian space agency, which also works closely with the Pentagon and American intelligence services.

In April 2005, cyber-burglars slipped into the digital network of NASA’s supposedly super-secure Kennedy Space Center east of Orlando, according to internal NASA documents reviewed by BusinessWeek and never before disclosed. While hundreds of government workers were preparing for a launch of the Space Shuttle Discovery that July, a malignant software program surreptitiously gathered data from computers in the vast Vehicle Assembly Building, where the Shuttle is maintained. The violated network is managed by a joint venture owned by NASA contractors Boeing (BA) and Lockheed Martin (LMT).

Undetected by the space agency or the companies, the program, called stame.exe, sent a still-undetermined amount of information about the Shuttle to a computer system in Taiwan. That nation is often used by the Chinese government as a digital way station, according to U.S. security specialists.

By December 2005, the rupture had spread to a NASA satellite control complex in suburban Maryland and to the Johnson Space Center in Houston, home of Mission Control. At least 20 gigabytes of compressed data—the equivalent of 30 million pages—were routed from the Johnson center to the system in Taiwan, NASA documents show. Much of the data came from a computer server connected to a network that tracks malfunctions that could threaten the International Space Station.

BEYOND HACKERS

Seven months after the initial April intrusion, NASA officials and employees at the Boeing-Lockheed venture finally discovered the flow of information to Taiwan. Investigators halted all work at the Vehicle Assembly Building for several days, combed hundreds of computer systems, and tallied the damage. NASA documents reviewed by BusinessWeek do not refer to any specific interference with operations of the Shuttle, which was aloft from July 26 to Aug. 9, or the Space Station, which orbits 250 miles above the earth.

Shuttle Discovery, in the Vehicle Assembly Building (NASA Photo)

Shuttle Discovery, in the Vehicle Assembly Building (NASA Photo)

The startling episode in 2005 added to a pattern of significant electronic intrusions dating at least to the late 1990s. These invasions went far beyond the vandalism of hackers who periodically deface government Web sites or sneak into computer systems just to show they can do it. One reason NASA is so vulnerable is that many of its thousands of computers and Web sites are built to be accessible to outside researchers and contractors. Another reason is that the agency at times seems more concerned about minimizing public embarrassment over data theft than preventing breaches in the first place.

In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show. U.S. investigators fear the data ended up in the hands of a Russian spy agency.

Four years later, in 2002, an online intruder penetrated the computer network at the Marshall Space Flight Center in Huntsville, Ala., stealing secret data on rocket engine designs—information believed to have made its way to China, according to interviews and NASA documents. At about the same time a British hacker, whom the U.S. is now trying to extradite, allegedly prowled through the digital innards of no fewer than five NASA installations.

In 2004 a cyber-trespasser who poked around NASA’s Ames Research Center in Silicon Valley caused a panicked technician to pull the plug on the facility’s supercomputers to limit the loss of secure data. Two years later, and well after the protracted incident at the Kennedy Space Center, top NASA officials were tricked into opening a fake e-mail and clicking on an infected link that compromised computers at the agency’s Washington headquarters.

The headquarters fiasco in 2006 led to the drafting of an internal memo by NASA’s Inspector General, Robert W. Cobb, in which he said the perpetrators appeared to have ties to those who earlier had gotten into other agency facilities. “The scope, sophistication, timing, and hostile characteristics of some of the intrusions indicate they are coordinated or centrally managed,” Cobb said in the previously undisclosed Nov. 3, 2006, memo.

The intrusions haven’t ceased. In 2007 the Goddard center was again compromised. This time the penetration affected networks that process data from the Earth Observing System, a series of satellites that enable studies of the oceans, land masses, and atmosphere. Inspector General Cobb issued another report, this one public, on Nov. 13, 2007: “Our criminal investigative efforts over the last five years confirm that the threats to NASA’s information are broad in scope, sophisticated, and sustained.”

The agency refers internally to its efforts to stop intrusions linked to China under the code name “Avocado,” according to interviews. Despite this formal recognition of the problem, at least some senior NASA officials have seemed determined publicly to minimize the seriousness of the security threat.

Cobb and other top officials declined to comment in any detail for this article. NASA Deputy Administrator Shana L. Dale said in a statement to BusinessWeek that discussing cyber-threats “could potentially jeopardize the agency’s information technology security and, in some cases, violate federal law….NASA aggressively works to protect its information assets with measures that include installing new technology, increasing investigative resources, heightening employee awareness, and working with other federal agencies.”

Intrusions - and "exfiltration" - coming from China, says former top cyber official Schmidt

Schmidt: Intrusions from China

Former government officials are more forthcoming. “The space race is back,” says John W. McManus, referring to alleged foreign efforts to hijack American knowhow. McManus, chief technology officer at NASA from 2003 through 2006, adds: “If another country can break in and steal information about rocket motors or fuel systems, well, that’s billions of dollars that can be spent elsewhere” by the other nation. Howard A. Schmidt, a technology consultant who served as a White House special adviser on cyber-security from 2001 to 2003, concurs. “All indications are that the attacks are coming in from China,” he says, “and the data is being exfiltrated out to China.” Suspicions of a trail of stolen digital information leading to Taiwan and possibly on to China so far haven’t translated into criminal charges, however.

Philip Shih, a Washington-based spokesman for Taiwan, says that in response to questions from BusinessWeek, Taipei has launched an investigation into whether the rogue stame.exe program that penetrated the Kennedy Space Center was controlled from computers of a Taiwan plastics company. Taiwan suspects its nemesis, China, is behind the intrusions, Shih adds. “We can’t yet say it’s definitely from China, but it’s probably them. They use us for cover for their activities.”

The Chinese government disavows any such cyber-espionage. “China will never do anything to harm the sovereignty or security of other countries,” says Wang Baodong, a spokesman for the Chinese Embassy in Washington. “The Chinese government has never employed, nor will it employ, so-called civilian hackers in collecting information or intelligence of other countries.”

The Russian Embassy similarly says Moscow has had nothing to do with online spying. “Russia denies any involvement in the intrusions [at NASA],” says Yevgeniy Khorishko, a Russian Embassy spokesman.

Boeing and Lockheed declined to comment.

The New E-spionage Threat

As part of a yearlong look at high-tech security threats to U.S. weapon systems and government and defense industry computer networks, BusinessWeek interviewed more than 100 current and former government employees, defense industry executives, and people with ties to U.S. military and intelligence agencies. (See “E-spionage,” Cover Story, Apr. 21, 2008, and “Dangerous Fakes,” Cover Story, Oct. 13, 2008.) NASA was frequently identified as susceptible to attack.

goldin_portrait_m

As early as 1998, NASA chief Goldin warned of increasing threats

“We’ve been repeatedly compromised,” says a former NASA official who describes an ongoing attempt by the government and major security contractors such as Boeing, Lockheed, SAIC, (SAI) and Booz Allen Hamilton to defend the space agency’s networks. Sophisticated digital thieves routinely creep past traditional defenses such as electronic firewalls and antivirus software. Cloaking their identities, they can remotely install code—the instructions telling computers what to do—on a seemingly protected machine. The code might maintain a tunnel into a system for later exploitation or replicate malicious instructions that open additional pathways for unauthorized access. These programs also can send streams of sensitive data to destinations thousands of miles away. “We’ve lost information related to some of our missions, engineering designs, and research,” says the former NASA official. “Every time we shift what we’re doing, [the intruders] shift what they’re doing.”

NASA has known it has a security problem for more than a decade. In an October 1998 internal memo, the agency’s administrator at the time, Daniel S. Goldin, warned subordinates that “the threat to NASA’s information technology assets is increasing, and the number of attacks is growing along with the sophistication of the perpetrators and their tools.” Goldin pleaded with the agency’s semi-autonomous research and operational units to report all IT security incidents to headquarters. Many units still keep the information to themselves, according to other documents and interviews.

EARLY WARNING

By early 1999 the volume of intrusions had grown so worrisome that Thomas J. Talleur, the most senior investigator specializing in cyber-security in the Inspector General’s office at NASA, wrote a detailed “network intrusion threat advisory.” Talleur described the sly tactics behind a particularly virulent series of attacks on agency networks, which he said had been perpetrated by Russians. Titled “Russian Domain Attacks Against NASA Network Systems” and marked “For Official Use Only—No Foreign Dissemination,” Talleur’s Jan. 18, 1999, advisory was sent to the U.S. Army, the Secret Service, the FBI, the CIA, and the National Security Agency.

Retired NASA investigator Talleur warned of Russian cyber-threats in 1999 Chris Usher

Retired NASA investigator Talleur warned of Russian cyber-threats in 1999 Chris Usher

The 26-page advisory explained how, starting in May 1997, virtual intruders masking themselves and their IP addresses slipped undetected into networks at the Goddard center, a hub of space science activity. The trespassers penetrated computers in the X-ray Astrophysics Section of a building on Goddard’s campus, where they commandeered computers delivering data and instructions to satellites. Before being discovered, the intruders transferred huge amounts of information, including e-mails, through a series of stops on the Internet to computers overseas. The advisory stated: “Hostile activities compromised [NASA] computer systems that directly and indirectly deal with the design, testing, and transferring of satellite package command-and-control codes”—in other words, computerized instructions transmitted to spacecraft.

In July 1998, a month after the discovery of the breach at Goddard, the U.S. Justice Dept. approved electronic monitoring of the illicit transmissions. That allowed a team of agents from NASA, the FBI, and the U.S. Air Force Office of Special Investigations to follow the trail of what they concluded was a criminal hacking ring with dozens of Internet addresses associated with computers near Moscow. The investigators made an even more alarming discovery, according to people familiar with the probe: The cyber-crime ring had connections to a Russian electronic spy agency known by the initials FAPSI. None of this has ever been made public, and BusinessWeek could not independently corroborate the Russian ties.

The investigators’ findings became of far greater concern in September 1998. Without warning one day, the ROSAT satellite turned, seemingly inexplicably, toward the sun. The move damaged a critical optical sensor, rendering the satellite useless in its mission of making X-ray and ultraviolet images of deep space. NASA announced in a press release that ROSAT had been “accidentally scanning too closely to the sun.” Talleur’s report concluded otherwise.

The “accident,” he noted, had been “coincident with the intrusion” into the Goddard system controlling it. Why would Russians want to cripple a satellite beloved worldwide by students of pulsars and supernovas? “Operational characteristics and commanding of the ROSAT were sufficiently similar to other space assets to provide intruders with valuable information about how such platforms are commanded,” Talleur’s advisory said. Put differently, manipulating ROSAT could teach an adversary how to toy with just about anything the U.S. put into the sky.

researchsatellite

Workers readying a research satellite for NASA

Talleur, now 59, retired in December 1999, frustrated that his warnings weren’t taken more seriously. Five months after his advisory was circulated internally, the Government Accountability Office, the investigative arm of Congress, released a public report reiterating in general terms Talleur’s concerns about NASA security. But little changed, he says in an interview. “There were so many intrusions and hackers taking things we had on servers, I felt like the Dutch boy with his finger in the dike,” he explains, sitting on the porch of his home near Savannah, Ga. On whether other countries are behind the intrusions, he says: “State-sponsored? God, it’s been state-sponsored for 15 years!”

Huntsville, Ala., known as Rocket City, is home to the Marshall Space Flight Center, where the famous “rocket boys”—former Nazis led by Wernher von Braun—helped U.S. engineers design ballistic missiles. Today, data stored on computers at the Marshall campus constitute one of the richest lodes of high-tech secrets anywhere in the world.

Around the clock for four days in June 2002, a prowler methodically probed enormous volumes of proprietary information at Marshall, according to NASA documents. The electronic intruder, without setting foot anywhere near Rocket City, gained access to servers handling sensitive work on new versions of the Delta and Atlas rockets that power intercontinental missiles, enhancements of the Shuttle’s main engines, and Lockheed’s F-35 Joint Strike Fighter, an advanced fighter jet that remains in development.

Had anyone been monitoring the Marshall computer networks in real time, the suspicious activity, automatically recorded on logs, would have been “immediately evident,” NASA investigators concluded, according to a Dec. 11, 2002, report to top NASA executives. “In essence,” said another internal report to NASA management on Mar. 26, 2003, “Marshall had locked up the card catalog, but left the library doors wide open.”

Special agents from NASA’s Office of Security, the Inspector General’s office, and the Pentagon’s Defense Criminal Investigative Service investigated the Marshall incident, but charges were never filed. NASA documents show that suspicion focused on Rafael Nuñez Aponte, a self-described former member of an international hacker gang known as World of Hell. Nuñez, a Venezuelan national, called himself “RaFa” in online postings. He spent seven months in U.S. prison in 2005 as punishment for defacing an Air Force training Web site in 2001. He headed home to Caracas in 2005.

Nuñez, a suspect in the Marshall Center intrusion, denied involvement. Scott Dalton

Nuñez, a suspect in the Marshall Center intrusion, denied involvement. Photo by Scott Dalton

According to documents from NASA’s investigation of the Marshall intrusion, Nuñez in 2002 initially confessed to being directly involved in the incident. But then he changed his story two weeks later. Trying to distance himself from the crime, he told investigators he had obtained NASA files from hackers in France, an assertion he repeated during a phone interview with BusinessWeek this October. Nuñez, now 29, says rival hacking gang members in France had impersonated him while breaking into NASA’s computer system. “I was involved with the Air Force attack, but some French hackers were behind the NASA one,” he said. “The French were trying to pin it on me. That’s very common in the hacker world.”

U.S. authorities refused to discuss the case, saying it involves an ongoing investigation and, possibly, other suspects. Two people familiar with the probe said it focuses on the delivery of material to the Chinese government, perhaps by intermediaries in Europe, but they declined to be specific.

The secrets from Marshall could have helped the Chinese design engines and fuel to lift heavier loads beyond the atmosphere, according to NASA documents. Investigative case files prepared for a federal grand jury following the Marshall intrusion, and reviewed by BusinessWeek, include information from the statement of an unidentified witness under the heading “Allegations of Sale to a Foreign Government.” But BusinessWeek couldn’t corroborate the alleged Chinese ties or determine whether a grand jury was convened.

CONCERNS ABOUT A “COVERUP”

An undated internal NASA memorandum assessed the damage from the Marshall break-in: “Assuming the worst, foreign countries now have detailed drawings and specifications for high-performance liquid rocket engines that are almost at a critical design review readiness level.” The memo added: “That means that a foreign country could begin development of a rocket engine right away and power some vehicle or missile within two or three years.” All told, the lost technology cost U.S. taxpayers an estimated $1.9 billion to develop, not taking into account “all of the lessons learned and corporate knowledge gleaned from the last 50 years of rocket engine development in the U.S.,” the memo continued. The actual “value of the intellectual property that has been lost is priceless.”

Some NASA investigators believed top officials tried to keep a lid on what had happened at the Marshall Center so the agency wouldn’t suffer criticism from Congress or the public. Internal e-mails and statements written by Michael G. Ball, a Huntsville-based NASA special agent, and several of his colleagues describe an investigation repeatedly stalled by superiors who sought to play down any impression that the incident had compromised national security. “I felt that we were covering up the loss to save embarrassment to NASA,” Ball wrote in one document dated Oct. 24, 2005. In a June 2003 memo labeled “Law Enforcement Sensitive,” Ball used the subject heading “Potential Concealment of Facts Pertaining to Case # C-MA-0200526-0″—the investigation of the breach at Marshall. He described attempts to impede the investigation and signaled a desire for whistleblower protection under federal law. Reached by phone at Marshall, where he still works as an agent for NASA, Ball declined to be interviewed.

Congress never heard any of the details of the Marshall affair, at least not publicly. In June 2003, NASA Inspector General Cobb, a former ethics counsel to President George W. Bush, referred only vaguely to the incident in testimony before the House Government Reform Committee’s technology subcommittee. His prepared one-paragraph account made no mention of the specific incident or its $1.9 billion impact. He told the committee that “there are examples from our ongoing investigations where inadequate IT security, such as weak password controls, resulted in unauthorized access to significant amounts of NASA data that was sensitive but unclassified.” NASA “is aware of cases and acknowledges that serious compromises have occurred,” he added, but “it would not be appropriate to share the details in any open forum.”

Cobb’s handling of the case later became part of the focus of an investigation by a watchdog agency known as the President’s Council on Integrity & Efficiency. The investigation concerned 78 allegations that Cobb had retaliated against whistleblowers and failed to investigate incidents that could potentially embarrass NASA. That probe, conducted by a panel of inspectors general from other federal agencies, found that he had broken no laws but that his failure to ensure timely reporting of the compromise at Marshall “created the appearance of lack of independence” from NASA’s management. Cobb, who remains in his job, told the IG committee that any delays stemmed from his insistence on accuracy. He declined BusinessWeek‘s interview requests.

YANKING CABLES

At 6 a.m. on a May morning in 2004, an urgent phone call woke Richard Dunn, then a NASA engineer. “Disconnect us!” said the caller. “Disconnect us from the Internet!”

Supercomputer at Ames (NASA photo)

Supercomputer at Ames (NASA photo)

The agitated man on the line was David L. Tweten, then head of IT security for the Ames Research Center, a NASA laboratory in Silicon Valley. Ames’ supercomputers enable scientists, government agencies, and spaceflight planners to model everything from ocean currents to the trajectory of interplanetary probes. At the time of Dunn’s abrupt awakening, analysts had been using the computers to scrutinize the 2003 Columbia Shuttle disaster.

“Disconnect us?” asked Dunn, astonished.

“I mean, physically remove us from the Internet,” Tweten answered, according to Dunn.

Dunn sped 14 miles from his home in San Jose to an Internet hub in Mountain View, where Ames’ supercomputers are connected to the Web. He yanked out thick fiber-optic cables one by one, rendering the machines inaccessible to the rest of the world.

It turned out that a cyber-intruder had gotten into Ames, and officials couldn’t figure out a better short-term solution than pulling the plug. The prowler apparently cracked a researcher’s password at the Goddard center in Maryland and used it to hack into Ames. The cleanup required the scanning of thousands of hard drives for potential breaches. The Ames supercomputers were offline for more than four weeks.

For three years before the 2004 incident, internal security auditors at Ames had tried to get managers to make improvements, NASA records show. The center’s supercomputers had been shut down multiple times in the past because of incursions. In one earlier incident, an unemployed computer administrator in London named Gary McKinnon allegedly gained access to 92 computers belonging to Ames and four other NASA centers, as well as several U.S. military bases, causing $900,000 in damage. This occurred from September 2001 to March 2002, according to a November 2002 federal indictment of McKinnon, who is now 42.

mckinnon

McKinnon allegedly hacked NASA networks in 2001 & 2002. Daniel Berehulak/Getty Images

The U.S. has been seeking McKinnon’s extradition from Britain to face criminal computer fraud charges. “There were no lines of defense,” McKinnon told a BBC interviewer in May 2006, seeming to acknowledge his involvement. In response to a BusinessWeek e-mail, a person identifying himself as a friend of McKinnon said the accused hacker had gained access to NASA by using obvious passwords such as “administrator.”

Of all the cyber-calamities of recent years, NASA officials appear to have been most severely shaken by the extended theft of digital information from the Kennedy Space Center in 2005. A Mar. 3, 2006, draft report on the internal investigation of the extensive infringement found that the intruder could have learned operational details about the Shuttle by monitoring the stream of data from the launch pad at Kennedy to the massive assembly building where the Shuttle is housed.

Specifically, this information could have included “data concerning Space Shuttle engine flow levels, maximum temperature levels, and other live performance data,” the investigative report stated. Not only could a distant adversary learn a lot about building and flying a Shuttle that way, the rival could also figure out how to sabotage a Shuttle mission, investigators concluded.

As investigators eventually learned, the rogue program stame.exe slipped into the assembly building’s data center, helping to cause transfers of data from both Kennedy and Johnson to IP addresses in Taiwan. One incursion at Johnson began with a breach at the contractor Lockheed, illustrating how corporations face similar threats. In the subsequent December 2005 Goddard intrusion, investigators followed the trail to IP addresses in China, the investigative report shows.

China has not made a secret of its thirst for advanced missile and rocket technology. “Seizing space dominance is the root for winning war in the Information Age,” Li Daguang, a researcher at the government-backed Chinese Academy of Sciences, wrote in 2004 in a publication of the People’s Liberation Army, Zhongguo Guofang Bao.

During September and October 2006, intruders mounted a direct assault on NASA’s headquarters in Southwest Washington, only blocks from Capitol Hill. A fake e-mail, known as a spearphish, duped several members of the agency’s top brass and their assistants into clicking on the link of a seemingly authentic Web site, according to documents and interviews. The site unleashed malicious software code that exploited a previously unknown vulnerability in programs used by NASA. The intruders downloaded, from the hard drive of NASA’s then-Chief Financial Officer Gwen Sykes, all of the agency’s budget and financial information. Those files contained clues about the size and scope of every NASA research project, space vehicle deployment, and cutting-edge satellite technology. Again the path of the pilfered information led to IP addresses in Taiwan, sparking concern that it ultimately found its way to government offices in Beijing, according to a former NASA employee. Nearly a dozen PCs at NASA headquarters were taken out of commission.

Electronic incursions of NASA facilities have continued. In the days before a Shuttle launch in December 2006, the agency was so rattled it barred all incoming Word attachments from its computer systems. McManus, the former NASA chief technology officer, says the hackers have “very sophisticated knowledge of the organizational structure” of the agency. He laments that for all of the costly cleanups following breaches, NASA hasn’t found a comprehensive solution. “It’s as if somebody pulls your pants down, and you just pull them back up,” says McManus. “How many times do you want to be standing on the street corner with your pants at your feet?”

With Brian Grow, Chi-Chu Tschang, and David Polek


Vulnerable Computers

NASA’s networks and Web sites, built to be accessible to contractors, have suffered numerous intrusions

1998

The ROSAT satellite, which gathers images of deep space, is rendered useless after it suddenly turns toward the sun. Investigators blame a Russian intrusion into the satellite’s control system.

2002

A cyber-intruder infiltrates the computer network at the Marshall Space Flight Center in Huntsville, Ala., stealing secret data on rocket engines, which are thought to have made their way to China.

2005

Work at the Kennedy Space Center is delayed when employees discover that an outsider had prowled NASA’s computer network for seven months.

2004

NASA’s Ames Research Center in Silicon Valley suffers serious cyber-violation, requiring a technician to pull the connection between supercomputers and the Internet to minimize loss of secret data.

2006

Hackers using a malicious e-mail break into computers at NASA headquarters in Washington, forcing top officials to surrender their compromised PCs.

2007

Electronic prowlers get into the network of the Earth Observing System, a series of satellites controlled from the Goddard Space Flight Center in suburban Maryland.

Data: NASA, BusinessWeek research