Related Content
Press Release
ALEXANDRIA, Va. – Lauri Love, 28, of Stradishall, England was charged in a criminal complaint unsealed today with conspiracy to access and damage the protected computer networks of multiple U.S. government agencies.
Dana J. Boente, Acting United States Attorney for the Eastern District of Virginia; Valerie Parlave, Assistant Director in Charge of the Federal Bureau of Investigation’s Washington Field Office; John R. Hartman, Deputy Inspector General for Investigations at the U.S. Department of Energy; and Nick DiGiulio, Special Agent in Charge, Office of Inspector General, U.S. Department of Health and Human Services, made the announcement after the unsealing of the criminal complaint in federal court.
Law enforcement authorities in the United Kingdom arrested Love at his residence on Friday, October 25, 2013, in connection with an ongoing investigation by the Cyber Crime Unit of the National Crime Agency. In addition, the United States Attorney’s Office for the District of New Jersey announced the unsealing of an indictment charging Love with allegedly infiltrating U.S. government computer systems—including those of the U.S. Army, U.S. Missile Defense Agency, Environmental Protection Agency, and National Aeronautics and Space Administration.
According to the criminal complaint filed in Virginia, between approximately October 2012 and August 2013, Love and his conspirators accessed without authorization protected computers belonging to the U.S. Department of Energy (DOE), U.S. Department of Health and Human Services (HHS), U.S. Sentencing Commission, and Regional Computer Forensics Laboratory. Love and his conspirators gained unauthorized access to the protected computers by exploiting a known vulnerability in Adobe ColdFusion, a software program that is designed to build and administer websites and databases. The vulnerability, which has since been corrected, allowed Love and his conspirators to access protected areas of the victims’ computer servers without proper login credentials—in other words, to bypass security on the protected computers.
After gaining unauthorized access to the protected servers, Love and his conspirators obtained administrator-level access to the networks using custom file managers, which allowed the conspirators to upload and download files, as well as create, edit, remove, and search for data. As detailed in the criminal complaint, Love and his conspirators used these techniques in order to engage in the following data breaches:
This was a joint investigation of the DOE and HHS Offices of Inspector General as part of the FBI Washington Field Office’s Cyber Task Force. Assistant United States Attorneys Ryan K. Dickey and Jay V. Prabhu are prosecuting the case on behalf of the United States.
Love faces a maximum penalty of 10 years’ imprisonment if convicted of the offenses charged in Virginia. Criminal complaints are only charges and not evidence of guilt. A defendant is presumed to be innocent until and unless proven guilty.
A copy of this press release may be found on the website of the United States Attorney’s Office for the Eastern District of Virginia at http://www.justice.gov/usao/vae. Related court documents and information may be found on the website of the District Court for the Eastern District of Virginia at http://www.vaed.uscourts.gov or on https://pcl.uscourts.gov.
Additional information regarding the charges filed in New Jersey may be obtained at http://www.justice.gov/usao/nj.