SOLAR SUNRISE
DAWN OF A NEW THREAT
A joint production of the National Infrastructure Protection Center, the National
Counterintelligence Center, and the Federal Bureau of Investigation.
Narrator: January 1998. Saddam Hussein has expelled U.N. weapons inspectors and
the United States is threatening military action. U.S. forces prepare for deployment.
February 3, while the battle of nerves continues in Iraq, Defense Department security
systems report an attempted break-in to computers at Andrews Air Force Base.
Over the next two weeks Pentagon security experts detect similar assaults on military
systems across the country. The intrusions seem to be coordinated and they target
computer systems at the heart of the military buildup. Damage to these systems could
halt the flow of transportation, personnel, and medical supplies.
Brigadier General Francis X. Taylor, Office of Special Investigations:
It certainly was, given its timing, in concert with our military actions against Iraq, a
wake-up call for many of our leaders, both uniformed and otherwise, in our government
that this is potentially a very major threat to our ability to execute our mission.
Major General John H. Campbell, USAF, Vice Director Defense Information
Systems Agency:
We do an awful lot of work by email and through unclassified transmission of
deployment information. And again, if you take one part of that machine and disable it,
you have a real problem trying to make deployment operations take place.
Narrator: Although the precise origin and purpose of these attacks are unknown,
Washington fears the worst. A joint task force is hastily assembled, bringing together
personnel from the FBI, various military services, and members of the intelligence
community.
Scott C. Charney, Chief, Computer Crime and Intellectual Property Section DOJ:
So obviously people were worried that this might be an information warfare based attack
or some sort of attack designed to disrupt U.S. responses to problems in Iraq.
Narrator: The intruders are targeting computers that use the Sun Solaris 2.4 or 2.6
operating system, exploiting a vulnerability common among UNIX systems that can
give hackers an easy route in. Although this flaw in the system and the software
necessary to fix it have been publicized since December, Pentagon computer experts
haven't focused on the potential backdoor into their systems. Obviously hackers have.
Because of the common vulnerability linking them, the FBI dubs its investigation of the
DOD intrusions Solar Sunrise.
Friday, February 6, more than 2,000 marines are sent to the Gulf while the search for a
diplomatic solution continues. As the military stakes continue to rise, the investigation in
Washington is also gaining urgency. Investigators tracing the attacks find the cyber trail
leads through a number of foreign countries including Iraq’s Gulf neighbor, the United
Arab Emirates.
Scott K. Larson, FBI Supervisory Special Agent, National Infrastructure Protection
Center: The first priorities were to exchange information, because we have a lot of
different entities, and determine what scope of intrusion happened to the different
systems. Were they secret systems, were they unclassified systems? What was the
significance of these computer systems, and can we tie it into some sort of attack?
Scott C. Charney, Chief, Computer Crime and Intellectual Property Section DOJ:
One of the first things that we did was caution everyone involved that we had been down
this road before, and where an attack seems to be coming from and where the attack is
actually coming from may be two different things.
Narrator: Investigators track the intrusions back to their point of entry and find that
they have been routed through a variety of Internet Service Providers, or ISPs. Many of
these points of entry are university sites, where security is typically lax, common pass-
through sites used by hackers. But at least two of the pass-through sites seem to deserve a
closer look: Sonic.Net, a commercial ISP in California, and Emirnet in the United Arab
Emirates, one of a few electronic gateways into Iraq.
While Emirnet itself is beyond the reach of U.S. law enforcement, it shows repeated links
to a site that is not: Maroon.com, a web page hosting service in College Station, Texas.
Without its owner's knowledge, the site is being used as a hacker's launching platform to a
wide variety of sites. This hacker's country of origin: Israel. With the permission of
Maroon.com's operator, agents begin consensual monitoring of all traffic in and out of
the network. They soon find multiple connections to military sites, and hacking activity
that fits the pattern of the Solar Sunrise break-ins. But the basic mystery remains. Who
is the Israeli intruder and what does he want? Meanwhile, a parallel investigation is
following the trail of files stolen from military sites. The most tantalizing: a collection
of account names and passwords stolen from Andrews Air Force Base and transferred to
Sonic.Net, an ISP in Santa Rosa, California. The intruder has apparently stashed his
stolen information at Sonic.Net. If he comes back to examine it, investigators will be
waiting. When FBI agents from the San Francisco field office contact Sonic.Net, they get
an unexpected break. During the same period as the initial attacks on military sites,
system managers at Sonic.Net received complaints about hacking assaults on Harvard
and MIT launched through their site. They have already identified the two hackers
responsible for those attacks: local high school kids whose screen names are Mac and
Stinky.
Just four days after the first meeting of the task force in Washington, investigators in
California are set up to track transmissions from Sonic.Net to known military sites. This
quickly reveals connections to Andrews Air Force Base initiated by Stinky.
February 13. Support troops from Andrews depart for the Gulf. That same day,
investigators in California receive legal authority to increase their surveillance of the two
teenagers' Internet accounts. Under this new legal authorization, investigators can take
intercepted Internet traffic and actually reconstruct the hackers' online sessions.
Concerned for the security of its own network, Sonic.Net is also monitoring these
accounts. Their combined efforts yield a critical lead: an Internet relay chat between Mac
and someone who seems to be teaching him the art of hacking, a more experienced
computer guru with the screen name Analyzer. As investigators follow the electronic trail
of Mac's mentor, they find that Analyzer's entry point to the Internet is an ISP in Israel.
Suddenly the two parallel tracks of the investigation begin to converge. Is Analyzer the
same Israeli hacker who used Maroon.com as his gateway to U.S. military sites?
February 23, 1998. U.N. Secretary General Kofi Annan renegotiates a renewal of arms
inspections with Saddam Hussein. In a matter of days, Washington agrees to the deal.
Tensions in the Gulf begin to relax. But on February 25, a new crisis strikes the Solar
Sunrise investigation: the media makes the story public.
Scott K. Larson, FBI Supervisory Special Agent, National Infrastructure Protection
Center:
While once the case became public, a lot of thoughts came across our minds. The first
one in particular up in California was to get to the sites as soon as possible.
Narrator: If the teenagers hear of the investigation before search warrants are served,
they can erase all evidence of their crimes. Racing against the clock, investigators from a
wide range of task force agencies converge on a suburb of San Francisco. They reach the
two hackers' homes at 6:30 p.m. Pacific Time, the same day the story hits the press.
Unnamed FBI Actor: FBI, we have a search warrant.
Scott K. Larson, FBI Supervisory Special Agent, National Infrastructure Protection
Center:
When the investigators got to the homes, what they found were computers that were
online. The individuals were online in Chat channels as the investigators entered the
homes.
Narrator: Both teens are interviewed in their homes and both admit to breaking into
DOD computers. After some initial hesitation, Mac tells investigators what he
knows of his teacher, Analyzer. It seems that the kingpin of this hacking assault on the
U.S. Government is an 18-year-old from Israel.
A week after the California searches, a defiant Analyzer gives a cyber interview to
AntiOnline, a web-based forum for hackers. He takes credit for the Pentagon intrusions and
for teaching Mac and Stinky their hacking techniques. To prove his claims, he gives a
live hacking demonstration, breaking into a military site during the interview. And in an
online dialog with AntiOnline's reporter, J.P., he offers chilling insight into his motives.
Analyzer's commitment to chaos is real. Investigators recognize his screen name from a
number of other pending cases of computer assault. But no one knows his true identity.
Pooling their leads, the task force solves this final puzzle. Armed with Analyzer's name
and address, they take the case against him to Israeli authorities.
Michael A. Vatis, Director, National Infrastructure Protection Center: One of the
things that Solar Sunrise demonstrated was that in cyberspace, the cliché that cyberspace
knows no boundaries is absolutely true. And that we, therefore, in many
investigations have to work closely with our foreign counterparts, because hackers might
go through several different foreign countries on their way to victims in the U.S.
Narrator: With the help of Israeli law enforcement, the Solar Sunrise team confronts
Analyzer. Investigators search his home and under questioning he admits his role in the
hacking trails they have identified. This confession is only the tip of the iceberg.
Forensic analysis of Analyzer’s computer equipment indicates he may have hacked into
more than 500 networks.
One year later, Analyzer is indicted in Israel on charges of computer crime. Prosecution
is still pending. In California, both teens plead guilty to violation of Federal Computer
Fraud and Wiretapping laws. Both boys are fined and sentenced to three years of
probation with one hundred hours of community service. They forfeit their computers
and are barred from accessing the Internet without adult supervision. As juveniles, their
legal punishment is relatively light but this youthful escapade may haunt them in other
ways.
Scott C. Charney, Chief, Computer Crime and Intellectual Property Section DOJ:
They are applying for jobs and they might, of course, want one in the computer
security field. When their employer asks them if they have ever been arrested or
convicted or involved in any computer abuse, they may have a lasting consequence in
their ability to get employment in their area of choice.
David Binney, Director, IBM Corporate Security:
IBM would never consider hiring a reformed hacker. It would be like hiring a burglar to
institute a burglary system on your house. You wouldn’t do it.
Narrator: In the end the Solar Sunrise invasion of sites proved to be purely recreational.
But though no hostile government or group was behind these intrusions, the case clearly
demonstrates the vulnerabilities of the nation’s complex information systems to terrorist
assaults.
Major General John H. Campbell, USAF, Vice Director Defense Information
Systems Agency:
All of our plans to prepare for warfare in the 21st century depend upon our use and
leverage of information technology to make our forces more effective.
Michael A. Vatis, Director, National Infrastructure Protection Center:
The tools are widely available. They are at minimal cost, all you need to have is a
desktop or laptop computer and a modem connection and you are in business as a hacker.
Narrator: A recent DOD study found that Defense Department computers were attacked
a quarter of a million times in a single year. At least a dozen countries are known to be
funding extensive information warfare programs. But the danger extends far beyond
strictly military targets.
Michael A. Vatis, Director, National Infrastructure Protection Center: As the
information age advances further, we are finding that more and more government
agencies, private sector companies, and individuals really are relying on information
technology as a regular part of their daily lives and daily operations.
Narrator: Building on the working partnerships forged by the Solar Sunrise task force,
NIPC is an inter-agency effort combining the personnel and resources of the FBI, the
Treasury and Energy Departments, the Department of Defense, and the intelligence
community to protect the nation's electronically vulnerable infrastructures.
Michael A. Vatis, Director, National Infrastructure Protection Center:
The basic mission of the NIPC is to coordinate the government’s activities that are
directed at detecting, preventing, and warning of and responding to cyber intrusions.
Particularly those directed at critical infrastructures.
Narrator: Electronic attacks create special problems. The evidence is fleeting, the cost
of entry is extremely low, and computer criminals cross national borders much faster than
law enforcement can. But the need for coordination isn’t limited to governmental
players.
Michael A. Vatis, Director, National Infrastructure Protection Center:
Whether it is the telecommunications systems, the banking and finance sector, the
transportation sector, or the energy sector, all of these things are privately owned and
operated, and that means that in order for us to understand those systems, what the
vulnerabilities are, what the threats are to those systems, we need to have a really close
partnership with the owners and operators of those systems.
Scott C. Charney, Chief, Computer Crime and Intellectual Property Section DOJ:
For a long time, corporate America said we have never been hacked. This isn’t a
problem. But survey after survey shows us that the numbers are going up.
Narrator: In recent national surveys of corporate information security professionals,
more than half the companies responding reported frequent Internet attacks and problems
with unauthorized access by insiders. More than a quarter reported theft of proprietary
information. Estimates of annual corporate losses from computer security breaches run
from 100 million to 300 billion dollars.
Scott K. Larson, FBI Supervisory Special Agent, National Infrastructure Protection
Center: The types of information that a hacker can get in a computer system could be
sensitive proprietary information to a company. The jewels of a company.
David Binney, Director, IBM Corporate Security: Anybody that thinks that company
doesn’t have trade secrets that are vulnerable, just doesn’t understand the problem.
Narrator: Drawing on its unique access to national intelligence and law enforcement
information, NIPC is developing an overview of cyber threats no private sector company
could create alone.
David Binney, Director, IBM Corporate Security: Law enforcement has tremendous
resources available, though, to assist us to protect ourselves: subpoena power, search
warrants, the ability to track a hacker to its point of origin. So we use law enforcement
more readily now than we used to.
Michael A. Vatis, Director, National Infrastructure Protection Center: What is
different now from five or especially ten years ago, is that to be a successful hacker
nowadays, you don’t have to be a savvy, sophisticated, highly educated computer
scientist who writes his own exploits and attack scripts and figures out after a lot of work
and background investigation and goes after that system.
Narrator: The danger is real. Teenage hackers have already interrupted air traffic
control at an airport in Massachusetts and disrupted 911 emergency services in Florida.
Imagine similar tools in the hands of a hostile government or terrorist group.
Scott C. Charney, Chief, Computer Crime and Intellectual Property Section DOJ:
What corporate America has to do is, when they are attacked, they need to contact law
enforcement immediately. They need to start turning on their audit trails. They need to
start capturing keystrokes. They have to respond in a responsible way if we are going to
neutralize this threat.
Major General John H. Campbell, USAF, Vice Director Defense Information
Systems Agency:
Solar Sunrise told us that we didn’t have time to slow down. We needed to keep on
moving and to fix the things that we can fix to patch the holes and travel down the road to
information assurance.