Man indicted for alleged military data hack using ColdFusion flaws, SQL attacks

Share this article:
Lauri Love, a 28-year-old UK man, was arrested at his home Friday.
Lauri Love, a 28-year-old UK man, was arrested at his home Friday.

A U.K. man, described by federal prosecutors as a “sophisticated and prolific computer hacker,” has been indicted for the alleged hack of U.S. Army and other government-run databases.

On Monday, Lauri Love, 28, was charged for his suspected involvement in breaching “thousands of computer systems in the United States and elsewhere” between October 2012 and this month in order to steal sensitive government data and personally identifiable information (PII), a release from the New Jersey U.S. Attorney's Office said.

On Friday, Love, a resident of Stradishall, England, was arrested at his home by British law enforcement cooperating with U.S. investigators.

Prior to his arrest, he was charged in a Newark federal court with one count of accessing a government computer without authorization and one count of conspiring to do so, an indictment unsealed on Monday revealed (PDF).

That same day, a complaint filed against Love in a federal court in Alexandria, Va. was unsealed (PDF). In Virginia, Love was charged with conspiracy to access and damage the protected computer of multiple U.S. government agencies.

According to the indictment unsealed in New Jersey, "the data stolen from the government victims include PII of military servicemen and servicewomen and current and former employees of the federal government," which resulted in millions of dollars in damages.

Over the past year, Love allegedly exploited vulnerabilities in Adobe ColdFusion and carried out SQL injection attacks to hack government databases with unnamed co-conspirators in Australia and Sweden.

After gaining access to the targeted networks, the group allegedly planted malware on government systems, which allowed them to maintain backdoor access to the compromised networks, court documents said.

Using the ColdFusion and SQL injection attack methods, the group is accused of stealing data from a long list of U.S. Army systems and other agencies and organizations, which include the U.S. Department of Defense's Missile Defense Agency, the National Aeronautics and Space Administration (NASA) and the Environmental Protection Agency (EPA).

In a press release, the New Jersey U.S. Attorney's Office published a short version of the alleged intrusions, listing the details in order of occurrence – including the organization affected, the type of attacks used and what kind of data was stolen as a result of the hacks.

In addition to PII stored on the affected databases, information such as defense program budgeting data and other sensitive military information was believed to have been accessed.

If convicted, Love could face up to 20 years in prison for charges brought against him in New Jersey and Virginia.

Share this article:

Sign up to our newsletters

More in News

Report: UK police push for required mobile phone PWs

The Metropolitan Police have reportedly lobbied for two years to enact the standard.

JPMorgan Chase customers targeted in massive phishing campaign

JPMorgan Chase customers targeted in massive phishing campaign

Roughly 500,000 emails have been sent out so far as part of a massive multifaceted phishing campaign targeting customers of JPMorgan Chase.

Study: Organizations lack training, budget to thwart insider threats

Study: Organizations lack training, budget to thwart insider ...

Of the 355 IT and security professionals surveyed, a majority indicated that they were ill-equipped to thwart a possible insider threat.