11.2 Improve attack attribution and response




One of the major goals of information collection and analysis is to improve capabilities for attack attribution and response before, during, and after an incident. In many cases this may require international cooperation between law-enforcement agencies, as well as government and private-sector organizations of all types. The FBI and NIPC have participated with international partners to investigate many cyberthreats during the last several years. The following examples were presented on the FBI Web site.

Evidence of the prevalence of computers as tools in crime is apparent in the case of the Phonemasters, an international ring of hackers who were able to gain access to major telephone networks, portions of the national power grid, air traffic-control systems, and numerous databases. This hacker ring provided calling card numbers, credit reports, criminal records, and other data to individuals in Canada, the United States, Switzerland, and Italy who were willing to pay for the information.

The investigation of this case required the capture of Phonemasters' data communications under a Title III order and was successfully accomplished by collecting and analyzing the analog modem signals from the target phone lines. Phonemasters suspects Calvin Cantrell and Cory Lindsay were convicted in September 1999 for theft and possession of unauthorized access devices and unauthorized access to a federal-interest computer. Cantrell was sentenced to two years in prison while Lindsay received a sentence of 41 months.

Another example is the Solar Sunrise case, the code name for a multiagency investigation of intrusions into more than 500 military, civilian government, and private-sector computer systems in the United States during February and March 1998. The intrusions took place during the build-up of U.S. military personnel in the Middle East in response to tensions with Iraq over United Nations weapons inspections. The intruders penetrated at least 200 unclassified U.S. military computer systems, including seven air force bases and four navy installations; Department of Energy National Laboratories; NASA sites; and university sites. The timing of the intrusions and the fact that some activity appeared to come from an ISP in the Middle East led many U.S. military officials to suspect that this might be an instance of Iraqi information warfare.

The NIPC coordinated an extensive interagency investigation involving FBI field offices, the DOD, NASA, Defense Information Systems Agency, Air Force Office of Special Investigations, the DOJ, and the intelligence community. Internationally, NIPC worked closely with the Israeli law enforcement authorities. Within several days, the investigation determined that two juveniles in Cloverdale, California, and individuals in Israel were the perpetrators. This case demonstrated the critical need for an interagency center to coordinate our investigative efforts to determine the source of such intrusions and the need for strong international cooperation. Israeli authorities are preparing to prosecute the chief defendant in their case in the summer of 2000.

Other cases demonstrate how much international cooperation has improved in this area. In February 2000, the NIPC received reports that CNN, Yahoo!, Amazon.com, eBay, and other e-commerce sites had been subject to distributed denial-of-service (DDoS) attacks. The NIPC had issued warnings in December 1999 about the possibility of such attacks and had even created and released a tool that victims could use to detect whether their systems had been infiltrated by an attacker for use against other systems. When the attacks did occur in February, companies cooperated with the NIPC and our National Infrastructure Protection and Computer Intrusion Squads in several FBI field offices (including Los Angeles and Atlanta) and provided critical logs and other information.

Within days, the FBI and NIPC had traced some of the attacks to Canada and subsequently worked with the Royal Canadian Mounted Police (RCMP) to identify the suspect. The RCMP arrested a juvenile subject in April 2000, and charges are expected to be brought shortly for at least some of the attacks. The unprecedented speed and scope of this investigation was evidence of the great improvement made in our ability to conduct large-scale, complex international investigations.

Another example involves the compromise between January and March 2000 of multiple e-commerce Web sites in the United States, Canada, Thailand, Japan, and the United Kingdom by a hacker known as Curador. Curador broke into the sites and apparently stole as many as 28,000 credit card numbers with losses estimated to be at least $3.5 million. Thousands of credit card numbers and expiration dates were posted to various Internet Web sites. After an extensive investigation, on March 23, 2000, the FBI assisted the Dyfed Powys (Wales, United Kingdom) Police Service in a search at the residence of Curador, whose real name is Raphael Gray. Mr. Gray, age 18, was arrested in the United Kingdom, along with a coconspirator, under the United Kingdom's Computer Misuse Act of 1990.






Implementing Homeland Security for Enterprise IT
ISBN: 1555583121
Year: 2003
Pages: 248
