Man indicted for alleged military data hack using ColdFusion flaws, SQL attacks
Lauri Love, a 28-year-old UK man, was arrested at his home Friday.
A U.K. man, described by federal prosecutors as a “sophisticated and prolific computer hacker,” has been indicted for the alleged hack of U.S. Army and other government-run databases.
On Monday, Lauri Love, 28, was charged for his suspected involvement in breaching “thousands of computer systems in the United States and elsewhere” between October 2012 and this month in order to steal sensitive government data and personally identifiable information (PII), a release from the New Jersey U.S. Attorney's Office said.
On Friday, Love, a resident of Stradishall, England, was arrested at his home by British law enforcement cooperating with U.S. investigators.
Prior to his arrest, he was charged in a Newark federal court with one count of accessing a government computer without authorization and one count of conspiring to do so, an indictment unsealed on Monday revealed (PDF).
That same day, a complaint filed against Love in a federal court in Alexandria, Va. was unsealed (PDF). In Virginia, Love was charged with conspiracy to access and damage the protected computer of multiple U.S. government agencies.
According to the indictment unsealed in New Jersey, "the data stolen from the government victims include PII of military servicemen and servicewomen and current and former employees of the federal government," which resulted in millions of dollars in damages.
Over the past year, Love allegedly exploited vulnerabilities in Adobe ColdFusion and carried out SQL injection attacks to hack government databases with unnamed co-conspirators in Australia and Sweden.
After gaining access to the targeted networks, the group allegedly planted malware on government systems, which allowed them to maintain backdoor access to the compromised networks, court documents said.
Using the ColdFusion and SQL injection attack methods, the group is accused of stealing data from a long list of U.S. Army systems and other agencies and organizations, which include the U.S. Department of Defense's Missile Defense Agency, the National Aeronautics and Space Administration (NASA) and the Environmental Protection Agency (EPA).
In a press release, the New Jersey U.S. Attorney's Office published a short version of the alleged intrusions, listing the details in order of occurrence – including the organization affected, the type of attacks used and what kind of data was stolen as a result of the hacks.
In addition to PII stored on the affected databases, information such as defense program budgeting data and other sensitive military information was believed to have been accessed.
If convicted, Love could face up to 20 years in prison for charges brought against him in New Jersey and Virginia.