A U.K. hacker stole “massive amounts” of confidential data from the U.S. Army and the U.S. Missile Defense Agency, including service members’ personal information, the U.S. said.
Lauri Love, 28, and others also breached computer systems at the Environmental Protection Agency and the National Aeronautics and Space Administration, according to Paul Fishman, the U.S. attorney in New Jersey. Love was arrested Oct. 25 at home in Stradishall, England, said Fishman on Monday.
“They stole military data and personal identifying information belonging to servicemen and women,” Fishman said in a statement. “Such conduct endangers the security of our country and is an affront to those who serve.”
Love stole identifying information of workers at NASA, the Missile Defense Agency and the Army Network Enterprise Technology Command, according an indictment unsealed today in federal court in Newark, New Jersey. Criminal complaints also were unsealed in Newark and Alexandria, Va.
The hackers also stole data on the demolition and disposal of military facilities, natural resource management, defense program budgeting data and nonpublic competitive acquisition bid data, according to Fishman.
Love also hacked into computers at the U.S. Department of Health and Human Services, Energy Department, Sentencing Commission and Regional Computer Forensics Laboratory, according to a complaint unsealed in Alexandria. He stole personal information about employees of the computer forensics laboratory and the Federal Bureau of Investigation, according to an arrest complaint filed by the FBI.
Love’s arrest came in connection with an investigation by the U.K.’s National Crime Agency, according to Fishman. He faces as long as five years in prison on the New Jersey charges.
The hacking “substantially impaired the functioning of dozens of computer servers” and caused millions of dollars in damage to government agencies, according to the indictment.
Love conspired with two people in Australia and a resident of Sweden from October 2012 to this month, prosecutors said.
“Computer intrusions present significant risks to national security and our military operations,” Daniel Andrews, director of the U.S. Army Criminal Investigation Command’s computer crime investigative unit, said in a statement.
In some attacks, the hackers found weaknesses in Structured Query Language, a type of programming language, the U.S. said. In others, they attacked a Web application platform known as Coldfusion. They placed malicious code that let them maintain access through a so-called back door or shell, according to the indictment.
They communicated using secure Internet chat rooms, where they frequently changed online monikers, prosecutors said.
On Dec. 25, Love began a monthlong hack of computers at the Sentencing Commission, according to an FBI complaint. The commission sets sentencing policies for federal courts, including guidelines for various federal crimes.
Love and his conspirators “altered the website to display a video that criticized the guidelines with respect to Internet-related crimes,” according to the FBI complaint. As a result, the site was unavailable for three weeks.
Love left several clues about his hacks, according to the FBI. In October 2012, he originated a hack from an Internet domain he owned, according to subscriber and financial records cited by the FBI. Love paid for the domain with a PayPal Inc. account registered to firstname.lastname@example.org, the FBI said.
The PayPal payment originated from an Internet Protocol address associated with his U.K. address, the FBI complaint said.
The indictment is U.S. v. Love, U.S. District Court, District of New Jersey (Newark). The FBI complaint is U.S. v. Love, 13-mj-00657, U.S. District Court, Eastern District of Virginia (Alexandria).