NASA: Hackers had 'full functional control'

NASA: Hackers had 'full functional control'

Summary: NASA this week released details of security breaches the organization has recently experienced. Out of 47 attempts last year, hackers managed to penetrate NASA's computer network 13 times.

SHARE:
TOPICS: CXO, Networking, Security
11

The National Aeronautics and Space Administration (NASA) has finally revealed how badly it was attacked by hackers last year. The space agency's Inspector General Paul Martin explained in a testimony to Congress how NASA's computer network was penetrated by hackers at least 13 times in 2011.

Furthermore, one China-based breach in November resulted in total control of crucial systems and employee accounts at NASA's Jet Propulsion Laboratory (JPL), including full system access, the ability to modify/copy/delete sensitive files, and even upload hacking tools for wreaking further havoc. The personal credentials of 150 employees were stolen. The attack involving Chinese IP addresses is still under investigation.

Here's an excerpt of the 10-page report, titled "NASA Cybersecurity: An Examination of the Agency’s Information Security" (PDF), written by the Office of Inspector General (OIG):

In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorized access to NASA systems. Our ongoing investigation of another such attack at JPL involving Chinese-based Internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts. With full system access the intruders could: (1) modify, copy, or delete sensitive files; (2) add, modify, or delete user accounts for mission-critical JPL systems; (3) upload hacking tools to steal user credentials and compromise other NASA systems; and (4) modify system logs to conceal their actions. In other words, the attackers had full functional control over these networks.

Another security failure occurred in March, when an unencrypted NASA notebook computer containing algorithms to command and control the International Space Station, was stolen. NASA insists the station was never in any jeopardy. The report also noted that only 1 percent of NASA's mobile computing devices are encrypted, and 48 were stolen between April 2009 and April 2011.

In a separate event, hackers grabbed the user credentials belonging to more than 150 employees, which in turn could have been used to gain unauthorized access to NASA systems. Martin admitted the agency failed to move quickly enough to ensure those hackers wouldn't be able to take advantage of the credentials.

Martin's report further reveals that NASA saw more than 5,408 incidents of malicious software or unauthorized access of its computers between October 1, 2010, and September 30, 2011. NASA estimated the total cost of these security incidents at more than $7 million. The written testimony was delivered Wednesday to a hearing of the House Committee on Science, Space and Technology's Subcommittee on Investigations and Oversight.

OIG investigators have conducted more than 16 separate investigations of NASA computer network breaches over recent years. The motivation of the hackers ranged from "individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services." Hacking suspects have been arrested in China, Estonia, Great Britain, Italy, Nigeria, Portugal, Romania, and Turkey.

"NASA has made significant progress to better protect the agency's IT systems and is in the process of implementing the recommendations made by the NASA Inspector General in this area," a NASA spokesperson said in a statement.

See also:

Topics: CXO, Networking, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • RE: NASA hack

    It would sure be be a bummer if they shut off the toilet !
    preferred user
    • RE: NASA hack

      But wait..
      Those $200 toilet seats can be had for $5 @ Wally World now.
      Just think how much our government can save!
      sfaid
  • Rehashing Old News

    House Committees, especially when they are Republican-led, are usually worse than a GONBS (Guy on next barstool) in terms of, shall we say, "completeness" in releasing supposedly investigative reports. In this case, they seem to be rehashing bit and pieces from already publicly available, and much more detailed audits and reports from last year, especially one from late last spring rather descriptively titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack"
    JustCallMeBC
  • This is why it is imperative to proceed with the 'smart grid'

    All of our utilities, including electricity, natural gas and water, should be accessible from the internet. Without delay!
    Rabid Howler Monkey
  • Only 47 yeah right ok NOT

    Let's see NASA only decided to acknowledge 47 attacks, how many do you suppose they don't know about? And perhaps the title of this article should be (what happens to unencrypted NASA notebook computer).

    And of course at the end, I take great confidence in knowing that NASA is taking advice on fixing these problems from the NASA Inspector General.

    I'm to guess that this Inspector General is a new position recently concocted, because if this person was there at the time, they should have had these changes in place. And only 1 percent of NASA mobile devices are encrypted? That's too funny.
    deafears
  • that's the price paid

    for not using FOSS!
    The Linux Geek
  • Wha happened??

    First, I thought NASA was closing down. Why are they so interested in secrets from a skeleton agency? Second, how is it that America is not prepared, and properly defended against, attacks like this? Is Chinese (or whomever's) IT so much further along than ours that we can just say "oops, wha happened?".....this is ridiculous.
    James Keenan
  • Tell OIG to Listen to Richard Clarke

    Per another ZDNet blog:
    Richard Clarke: China has hacked every major US company

    This is only the tip of a HUGE iceberg.

    It is cyberwar if any substantial proportion of the 47 NASA breaches are all from a single country.

    Be informed.
    Any small high-tech Co CEO's with good technology in house? Get protected!
    daves1646
  • Cyber War?

    We haven't got there yet.
    We still prefer to put soldiers on the ground in some foreign country to be blown up, and mentally traumatized at a lifetime cost of a couple million each on average.
    We should be paying little Johnny Hacker +$70k a year at 18 to sit home and hack the 4377 out of China. Crash everything in China that is network accessible!
    They complain, bring our cards to the table with proof they are doing it to us.
    sfaid
    • Fight fire w/fire...?

      Well, SFAID, you're right about the use of our military and I certainly think that we (the U.S.) need to be MUCH better prepared, defended, and educated than we are regarding cyber security. But at the same time, I'm not sure that paying "little Johnny Hacker" to stick his red, white, and blue finger in China's eye is the best answer (although it would be fun as "4377"...)

      What if we (aka "politicians") spent as much time and money on securing our internet infrastructure as we ("they") do on trying to regulate it and make a profit from it? Or, just for $h!+s and grins, maybe we could actually EDUCATE instead of MEDICATE our children so that when Little Johnny grows up, he'll have the intellectual capacity to save us from ourselves... sigh, so much to do, so little potential to get it done...
      BET7139
  • Security

    This is not the 1st goverment agency that does not encrypt their data. IRS,FBI and the DOD just to name a few. Encrypting is easy to do and it makes it difficult to crack. Why won't they do it is beyond me. Even Microsoft offers some encryption on Windows Vista and all operating systems since.

    Pretty sad :(
    pc boss