The long arm of the Army's cybercrime unit
- By Dawn S. Onley
- Jun 22, 2005
For three months last year, an Army soldier stationed in Afghanistan installed illegal keystroke-capturing software on more than 200 computers, ultimately causing about $25,000 in damage.
The software gave the soldier access to passwords, credit card data and other sensitive information from users of the compromised computers.
A team of agents with the Army's Computer Crime Investigative Unit, a division within the Army Criminal Investigation Command charged with securing all Army networks, traveled on short notice to the hostile area to analyze the affected computers.
Their investigation led them to the suspect, whom officials declined to name because he accepted nonjudicial punishment in lieu of a court martial.
Daniel T. Andrews, CCIU's acting director, said the soldier did not misuse or disclose any of the sensitive data he had collected and that the case was referred to the military justice system for disciplinary action.
But Andrews said the case is an example of the work performed daily by CCIU agents and analysts.
'CCIU agents respond to and investigate network intrusions and other computer-related felonies across the globe,' Andrews said. 'Given the so-called borderless nature of Internet-based crime, many of CCIU's cases involve investigative leads in foreign countries, adding even more complexity to cases that can often involve hundreds of thousands of dollars in damages.'
One such case occurred three years ago.
Gary McKinnon, a computer administrator from London, faces extradition for charges that he hacked into military and NASA computer systems, deleting files and blocking access to the Internet, officials said. The incident occurred over a 12-month period during 2001 and 2002.
CCIU gathered evidence and led the international investigation that resulted in McKinnon's arrest.
Special agent Brent A. Pack, operations officer of the Fort Belvoir, Va.-based unit, said nabbing the hacker involved 'collecting, examining and reporting more than 1T of electronic evidence.'
McKinnon was indicted by a U.S. grand jury in 2002 on eight counts of computer crimes and is scheduled for an extradition hearing on July 27 in London.
A pending case against a technology company was a bit easier to solve, officials said. In early 2002, ForensicTec Solutions Inc. of San Diego broke into dozens of sensitive Defense systems while conducting routine business for a government client, according to ForensicTec president Brett O'Keeffe, who spoke with GCN at the time of the incident.
The government accused O'Keeffe and other ForensicTec employees of discussing the security vulnerabilities with the news media in an attempt to build their new business.
O'Keeffe said he notified military officials right away. 'All we did was expose a vulnerability that others could exploit,' O'Keeffe said in the interview. 'We didn't create a vulnerability, we just showed it.'
O'Keeffe said company employees gained access to computers at a Texas Army base that held records of radio encryption techniques, and personnel files listing Social Security numbers, security clearances and credit card numbers. Employees also roamed a NASA system's vendor records, which included company banking information.
O'Keeffe has since pleaded guilty to a misdemeanor charge in the incident and faces up to a year in jail when he is sentenced on Aug. 1, according to John Parmley, an assistant U.S. attorney.
Parmley said two co-defendants, Aljosa Medvesek and Margaret Ann Lauffer, who also worked at ForensicTec, pleaded guilty to unauthorized access and will also be sentenced later this year.
On the front door of the CCIU lab is a logo with an eagle holding a computer mouse. Inside the lab, computer technicians gather forensic evidence by taking computers apart to see what damage a hacker did and how he accomplished his intrusion.
The unit has portable forensic equipment that allows agents to remove hard drives for extensive examination. The agents can perform analysis on any type of operating system.
'Most of the Internet-based attacks we see are attempts to exploit any variety of vulnerabilities in computer operating systems or other software code,' Andrews said. 'Without identifying any specific threat, the arsenal of cyberexploits is dynamically evolving and becoming more potentially malicious with time.'
CCIU operates on a yearly budget of $1 million, a jump from $500,000 in its earlier years. That figure does not include personnel pay or real estate facilities, Andrews said.
He attributed the hike in budgetary dollars to the realization that computer security is vital to military operations.
'Senior Army officials understand the importance of enterprisewide network security and the significance of maintaining a robust investigative force capable of swiftly responding to cyberattacks, assessing the extent of damage and bringing cybercriminals to justice,' Andrews said.
Special agents assigned to CCIU usually come from law enforcement backgrounds and undergo extensive computer network training.