Last Updated: 07/27/2016

Pentagon Hacked, Russians Suspected

WASHINGTON -- In what appears to be the most extensive cyber-attack ever aimed at the U.S. government, covert hackers apparently working from Russia have systematically broken into Defense Department computers for more than a year and plundered vast amounts of sensitive information, U.S. officials said.


Besides penetrating the Pentagon's defenses, the cyber-thieves have raided unclassified computer networks at Energy Department nuclear weapons and research labs, at the National Aeronautics and Space Administration and at numerous university research facilities and defense contractors, officials said.


No top-secret classified data is known to have been stolen, however.


Despite an intense FBI-led inquiry code-named "Moonlight Maze," investigators so far have failed to identify the hackers or to confirm whether espionage is the motive. But circumstantial evidence points heavily toward a Russia-based intelligence-gathering operation, officials said.


"The intrusions appear to have originated in Russia," Michael Vatis, director of the FBI's National Infrastructure Protection Center, told a Senate subcommittee Wednesday in the first public confirmation of Moonlight Maze. He said the intruders stole "unclassified but still sensitive information about essentially defense technical research matters."


Other officials said at least some of the attacks were traced to Internet servers located about 30 kilometers from Moscow. And the pattern of intrusions suggests that they involve someone working in an office: They occurred on weekdays between 8 a.m. and 5 p.m. Moscow time - but not on Russian holidays.


"There are very strong indications and it's our belief that it's coming from Russia and that it may be a sponsored [intelligence] activity," a senior Energy Department official said in an interview. "This is not random. It's organized."


The Foreign Intelligence Service, or SVR, denied that Russian spies were behind the cyber-attacks, saying they probably would have been clever enough not to allow themselves to be traced.


"As I understand, apparently they determined the route of the infiltrations, and the requests came from Moscow," SVR spokesman Boris Labusov said.


"Do you think Russian special services are so stupid as to engage in such activities directly from Moscow? ... For decades, everybody has written about how clever the KGB and Soviet intelligence are. Why should one think we suddenly became less clever in the last few years?"


He said the culprits could have been amateur computer hackers seeking thrills, or even intelligence agents from a third country acting out of Moscow to avoid detection.


No classified computers are known to have been breached and no networks have been damaged. But the U.S. government's unclassified networks contain huge troves of confidential and sensitive data that are potentially valuable to foreign governments, terrorist groups and private companies, officials said.


Defense Department networks, for example, carry records about military logistics, planning, purchases, payrolls and personnel, as well as routine e-mail between Pentagon personnel.


"It's the magnitude of the extraction that is alarming to us," Arthur Money, assistant secretary of defense for command, control, communications and intelligence, said. The hackers, he noted, "can get insight into sensitive operations" even from unclassified files.


Money said the cyber-assault has so compromised the Pentagon's main unclassified computer system, the Non-Classified Internet Protocol Router Network, that after this month, all NIPRNET communications will be routed through eight large electronic gateways that will be easier to monitor. Access now can be gained through thousands of "backdoor" connection points around the globe, he said in an interview.


The Pentagon also has ordered $200 million in new encryption technology, as well as upgraded intrusion-detection devices and computer "fire walls," to prevent unauthorized use of NIPRNET. Even passwords will be encrypted.


At NASA, the Moonlight Maze attacks are "massive, really very massive," and "very, very surreptitious," NASA Inspector General Roberta Gross said in an interview.


Officials said the intensity of the intrusions has declined since last spring and summer, when the U.S. Navy first documented the use of "low-bandwidth attacks" and the Federal Bureau of Investigation recommended countermeasures to network administrators. It is not clear if more recent intrusions have come from the same source or if the original hackers have developed new tactics to hide their tracks.


One U.S. intelligence veteran, now a Senate staff member, said the Internet has created huge new opportunities, as well as frightening vulnerabilities, for spy agencies around the world.


"Think of it," he said. "You can sit anywhere in the world now and run an espionage operation. You find the name of a scientist at a nuclear lab, for example. Get his credit ratings, his bank statement, his school records, his mortgage, his insurance, his hospital records. Probe for weaknesses."


That doesn't mean the Russian government is necessarily responsible for the Moonlight Maze attacks. A senior White House official said that the evidence so clearly points to Russia that it almost suggests a deliberate diversion.


"Some people think it's meant to draw our attention away from other things," the official said. "Some people think it's designed to test our reaction."


Other intelligence experts argued that skilled hackers hired by Russian organized-crime elements may be probing for commercially valuable information. Some of the files apparently stolen include bidding documents and contracts. Some experts suggested that France, a long-time proponent of economic espionage, may be the ultimate customer. That theory also remains unproven, however.


"It merely demonstrates the challenge of cyberspace," said Frank Cilluffo, deputy director of the global organized-crime project at the Center for Strategic and International Studies, a Washington think tank. "Who's behind the clickety-clack of a computer? It could be a block away and made to look like it's coming from halfway around the world."


It wouldn't be the first time.


U.S. government computer networks and web sites were bombarded with attacks that appeared to be coming from China after a U.S. warplane mistakenly bombed the Chinese Embassy in Belgrade during the Kosovo conflict last spring. The White House official said that a subsequent inquiry found many of the attacks had originated in the United States, however, and had been "bounced" off Chinese Internet servers.