A 28-year-old British man whom prosecutors described as a “sophisticated and prolific computer hacker” has been charged in connection with cyberattacks in which he illegally accessed the personal information of U.S. soldiers and government employees, and obtained other information about budgets, contracts and the demolition of military facilities, authorities said Monday.
Lauri Love was taken into custody Friday at his home in Stradishall, England, and faces charges in federal courts in Virginia and New Jersey in the attacks, which authorities said caused millions of dollars in losses. Apparently motivated by a desire to wreak havoc on the U.S. government, Love and those working with him were able to infiltrate the computer systems of entities including the Environmental Protection Agency and the Missile Defense Agency, authorities said in court records.
Love is accused of planning the attacks, which spanned from October 2012 through August, with others in online chats. The group members used somewhat sophisticated techniques known as “SQL injection” attacks and “ColdFusion” exploits, and they left themselves surreptitious paths back into government computer systems after they first accessed them, authorities said.
The group targeted federal Web sites and systems they thought might be weak, including those for the Department of Health and Human Services, the U.S. Sentencing Commission and the Department of Energy, court records say. Among the data accessed were information about the demolition of military facilities, stolen from U.S. Army Corps of Engineers servers; competitive bid data, stolen from an Army Contracting Command database; and defense program budgeting data, stolen from the military’s Plans, Analysis, and Integration Office, according to an indictment in the case.
The group is also accused of stealing the personal information of more than 4,000 people in a Missile Defense Agency database and similar information on NASA employees. In one online chat, Love, who sometimes used the handle “peace,” boasted that he had swiped “basically every piece of information you’d need to do full identity theft on any employee or contractor,” according to the indictment.
In the case of the Sentencing Commission, court records say, the aim of the group was more political: It altered the commission’s Web site to display a video criticizing the sentencing guidelines for Internet-related crimes.
It is unclear whether the hackers accessed information that might specifically endanger national security; a Defense Department spokesman said hackers try to penetrate the agency’s networks daily, and the indictment illustrates that “the cyber threat presents a significant risk to national security and military operations.” Officials said in a statement that any breaches should be treated seriously.
“Computer intrusions present significant risks to national security and our military operations,” Daniel Andrews, director of the U.S. Army Criminal Investigation Command’s Computer Crime Investigative Unit, said in the statement.
It was second time in recent weeks that federal prosecutors in Virginia brought charges against suspected hackers. Early this month, they charged 13 alleged members of the hacking group Anonymous in connection with cyberattacks that the collective launched in 2010 against anti-piracy groups and financial institutions unwilling to process donations to the anti-secrecy organization WikiLeaks.
Lauri, who is charged with accessing a U.S. department or agency computer without authorization and related conspiracy counts, could not immediately be reached for comment. No attorney was listed for him in court records.