IHT - NY Times: "The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet. Now U.S. officials and computer security investigators have acknowledged that the break-in last year was part of a more extensive operation - involving a single intruder or a small band, apparently based in Europe - in which thousands of computer systems were similarly penetrated.
Investigators in the United States and Europe say they spent almost a year pursuing the case as the attacks continued, breaching computer systems serving the U.S. military, the National Aeronautics and Space Administration and prominent research laboratories.
The U.S. investigators received assistance from law enforcement and computer security officials in Ireland, the Czech Republic, Switzerland, Germany, France, Croatia and Sweden.
The break-ins exploited security holes that the authorities say have been plugged, and beyond the Cisco theft, it is not clear how much data was taken or destroyed. Still, the case illustrates not only the ease with which sensitive Internet-connected computers can be penetrated but also the difficulty in tracing hackers. Government investigators and other computer specialists sometimes watched helplessly while monitoring the activity, unable to secure some systems as quickly as others were found to be compromised.
In one case, a university researcher in California carried on an e-mail exchange with an intruder identifying himself as Stakkato, claiming specific breaches of U.S. military computers. Their exchange ended with the intruder, out of pique, erasing the researcher's computer directory and destroying her e-mail.
The case remains under investigation. But attention is focused on a 16-year-old in Uppsala, Sweden, who was charged in March with breaking into university computers in his hometown. Investigators in the U.S. break-ins ultimately traced the intrusions back to the Uppsala university network. Computer experts said the primary intruder was particularly clever in the way he had organized a system for automating the theft of computer log-ins and passwords, conducting attacks through a complicated maze of computers connected to the Internet in as many as seven countries.
The intrusions were first publicly disclosed in April 2004 when several supercomputer laboratories in the United States acknowledged break-ins into computers connected to the TeraGrid, a high-speed optical data network.
The theft of the Cisco software was discovered last May when a small team of security specialists at the supercomputer laboratories, trying to investigate the intrusions there, watched electronically as passwords to Cisco's computers were compromised.
After discovering the theft of the passwords, the security officials notified Cisco executives of the potential threat. But the company's software was taken almost immediately, before the company could respond. Shortly after being stolen last May, a portion of the Cisco programming instructions appeared on a Russian Web site."
Monday, May 16, 2005