A series of sophisticated attempts to break into Pentagon computers
has continued for more than three years, and an extensive
investigation has produced "disturbingly few clues" about who is
responsible, according to a member of the National Security Agency's
The NSA consultant, James Adams, says U.S. diplomats lodged a formal
protest with the Russian government last year after investigators
determined that the cyber attacks, which they code-named "Moonlight
Maze," appear to have originated from seven Russian Internet
addresses. But Russian officials replied that the telephone numbers
associated with the sites were inactive and denied any prior knowledge
of the attacks, according to Adams.
"Meanwhile, the assault has continued unabated," Adams wrote in this
month's Foreign Affairs magazine, published by the Council on Foreign
Relations. "The hackers have built 'back doors' through which they can
re-enter the infiltrated systems at will and steal further data; they
have also left behind tools that reroute specific network traffic
Adams described Moonlight Maze as "the most persistent and serious
computer attack against the United States to date." He also disclosed
that it has triggered "the largest cyber-intelligence investigation
But U.S. investigators, he wrote, still do not know "who is behind the
attacks, what additional information has been taken and why, to what
extent the public and private sectors have been penetrated, and what
else has been left behind that could still damage the vulnerable
Both the FBI and the U.S. Space Command, which has primary
responsibility for defending Pentagon computers, declined comment. But
one source close to the case confirmed that the attacks are continuing
and said U.S. investigators know far more about them than Adams
A State Department official also confirmed that a démarche was issued
to the Russians over the apparent attempts at computer espionage.
U.S. defense and intelligence officials have expressed increasing
concern about the possibility that foreign countries or terrorists
might use cyber-attacks to counter America's overwhelming military
Ronald L. Dick, director of the FBI's National Infrastructure
Protection Center, told Congress last month that the military services
recorded more than 1,300 serious cyber-attacks in 1999 and 2000. The
FBI, he said, has 1,219 pending cases involving cyber-crime, including
102 "computer intrusions into government systems."
Many cyber-attacks are mainly nuisances. They involve defacing Web
pages or trying to overwhelm servers, which can be costly but do not
threaten government secrets.
Moonlight Maze is different. It was first uncovered in March 1998,
when network security specialists at the Defense Information Systems
Agency discovered that attackers had entered unclassified Pentagon
networks through a technique known as "tunneling," in which malicious
codes, or instructions, are embedded within programs for routine
computer operations. Because the attackers' commands are disguised in
this fashion, they are difficult for systems administrators to detect.
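The article's point is that commands hidden inside routine programs are hard for administrators to notice. One standard countermeasure is a file-integrity baseline: record a cryptographic hash of every trusted program once, then compare later snapshots against it, so any altered, added or removed file stands out regardless of how the change is disguised. The following is an added example, not code from the article or from any of the agencies it mentions; the function names and the sample scripts it creates in a temporary directory are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (hypothetical names): a minimal file-integrity baseline.
# Nothing here comes from the article; the sample files are constructed.


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(trusted: dict, current: dict) -> dict:
    """Report files whose contents changed, files that appeared, and files that vanished."""
    modified = sorted(k for k in trusted if k in current and trusted[k] != current[k])
    added = sorted(k for k in current if k not in trusted)
    removed = sorted(k for k in trusted if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a routine script is altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n")
        (root / "bin" / "rotate.sh").write_text("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
        trusted = build_baseline(root)

        # Simulated tampering: one extra line appended to an otherwise routine
        # script, plus a new file nobody approved. The content of the change does
        # not matter to the check; the hash mismatch is what gets reported.
        with (root / "bin" / "backup.sh").open("a") as f:
            f.write("# (constructed) unexpected extra line\n")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")

        return diff_baseline(trusted, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the intruder cannot rewrite (offline media or a separate, tightly controlled host), otherwise an attacker who can alter the programs can alter the reference hashes to match.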
A General Accounting Office report on the Pentagon's computer
security, issued in March, described Moonlight Maze as "a series of
recurring, 'stealth-like' attacks . . . that federal incident-response
officials have attributed to foreign entities and are still
A year and a half ago, in the government's first official comment on
the case, the FBI's top computer security official, Michael A. Vatis,
told Congress that attacks appearing to originate in Russia had stolen
"unclassified but still sensitive information about essential defense
technical research matters."
Officials at the Pentagon and NSA have called the intrusions "massive"
and said they caused significant disruptions on important but
unclassified government networks, including the Pentagon's
Non-Classified Internet Protocol Router Network, or NIPRNET.
Dion Stempfley, a former Pentagon computer security analyst who helped
detect Moonlight Maze, said Friday that he was not surprised that the
attacks were continuing, given the sophistication of the attackers'
Now a principal security engineer at Riptech Inc., a computer security
firm, Stempfley said U.S. law enforcement officials initially decided
to track the attacks only "passively."
Part of their caution stemmed from legal concerns about whether
"hack-backs" that might have crippled the intruders' capabilities
could have been construed as an act of war, if the intruders were
state-sponsored, he said.
Stempfley said the sophistication and persistence of the Moonlight
Maze attacks are not necessarily signs of state sponsorship, because
many hackers demonstrate both skill and stubbornness. But the
continuation of the attacks, Stempfley said, could be an indication
that Moonlight Maze is "state allowed," meaning that Russian
authorities are permitting, if not directing, the attacks.
Fred Cohen, a computer security expert at Sandia National Laboratories
in Albuquerque, said he was not surprised that the attacks have
continued. But there is nothing so sophisticated about Moonlight Maze
that federal security officials cannot protect their networks, Cohen
"If somebody is into a system and you want to stop them, you can stop
them," he said.
By Vernon Loeb
Washington Post Staff Writer
Monday, May 7, 2001; Page A02