Hacking group AnonSec released 250 GB of data on pastebin and other sites on Sunday that it says proves it at least partially commandeered a $222.7 million NASA drone and for months pilfered information from the space agency's systems even as NASA says the claims are untrue.
In a 300-page “zine,” the Anonymous affiliate said it had essentially purchased access to NASA's systems through a third party and used a privileged user account whose credentials were still set to default. The group pilloried NASA for its poor security and for failing to monitor its systems.
"People might find this lack of security surprising, but it's pretty standard from our experience,” the group wrote. "Once you get past the main lines of defense, it's pretty much smooth sailing propagating through a network as long as you can maintain access. Too many corporations and governments focus 99 percent on preventing intruders instead of having viable solutions once there is a security breach, which is guaranteed to happen."
Matt Harrigan, president and CEO of PacketSled, in comments emailed to SCMagazine.com, called the alleged hack “a pretty huge wakeup call for anyone operating a network with sensitive data.”
About 150 GB of the data included logs from the Global Hawk drone program and information on more than 2,400 NASA staff, including their names and email addresses. The hacking group has contended that it was in NASA's systems for months.
“If NASA had even had the basics in place, this attack would not have gone unnoticed for this period of time," Harrigan noted.
But in a statement sent to several news outlets, NASA remained confident that the Global Hawk drone had not been compromised. “NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data,” Forbes quoted the statement as saying. “NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.”