Alleged Hacker Charged In Virginia With Breaching Multiple Government Agency Computers
ALEXANDRIA, Va. – Lauri Love, 28, of Stradishall, England was charged in a criminal complaint unsealed today with conspiracy to access and damage the protected computer networks of multiple U.S. government agencies.
Dana J. Boente, Acting United States Attorney for the Eastern District of Virginia; Valerie Parlave, Assistant Director in Charge of the Federal Bureau of Investigation’s Washington Field Office; John R. Hartman, Deputy Inspector General for Investigations at the U.S. Department of Energy; and Nick DiGiulio, Special Agent in Charge, Office of Inspector General, U.S. Department of Health and Human Services, made the announcement after the unsealing of the criminal complaint in federal court.
Law enforcement authorities in the United Kingdom arrested Love at his residence on Friday, October 25, 2013, in connection with an ongoing investigation by the Cyber Crime Unit of the National Crime Agency. In addition, the United States Attorney’s Office for the District of New Jersey announced the unsealing of an indictment charging Love with allegedly infiltrating U.S. government computer systems—including those of the U.S. Army, U.S. Missile Defense Agency, Environmental Protection Agency, and National Aeronautics and Space Administration.
According to the criminal complaint filed in Virginia, between approximately October 2012 and August 2013, Love and his conspirators accessed without authorization protected computers belonging to the U.S. Department of Energy (DOE), U.S. Department of Health and Human Services (HHS), U.S. Sentencing Commission, and Regional Computer Forensics Laboratory. Love and his conspirators gained unauthorized access to the protected computers by exploiting a known vulnerability in Adobe ColdFusion, a software program that is designed to build and administer websites and databases. The vulnerability, which has since been corrected, allowed Love and his conspirators to access protected areas of the victims’ computer servers without proper login credentials—in other words, to bypass security on the protected computers.
After gaining unauthorized access to the protected servers, Love and his conspirators obtained administrator-level access to the networks using custom file managers, which allowed the conspirators to upload and download files, as well as create, edit, remove, and search for data. As detailed in the criminal complaint, Love and his conspirators used these techniques in order to engage in the following data breaches:
- From on or about July 24, 2013 through on or about August 8, 2013, Love and his conspirators gained unauthorized access to DOE’s protected computers. In an online conversation obtained by law enforcement, Love and his conspirators discussed the data breach in real time during the offense. Love commented, “they [the DOE] must have about 30k employees[,]” and he then copied the personal information of various employees from the protected computer to the online conversation.
- On or about December 24, 2012, Love and his conspirators gained unauthorized access to protected networks operated by HHS’s Health Resources and Services Administration and the National Institutes of Health.
- From on or about December 25, 2012 through on or about January 27, 2013, Love and his conspirators breached the U.S. Sentencing Commission’s servers, and after gaining unauthorized access, the conspirators altered the website to display a video that criticized the Sentencing Guidelines with respect to Internet-related crimes.
- From on or about January 11, 2013 through on or about February 14, 2013, Love and his conspirators gained unauthorized access to the computer networks of the Regional Computer Forensics Laboratory (RCFL), a national digital forensics lab and training center overseen by the FBI. Through the unauthorized access, Love and his conspirators successfully stole the personal information—including names, phone numbers, and e-mail addresses—of RCFL and FBI employees.
This was a joint investigation of the DOE and HHS Offices of Inspector General as part of the FBI Washington Field Office’s Cyber Task Force. Assistant United States Attorneys Ryan K. Dickey and Jay V. Prabhu are prosecuting the case on behalf of the United States.
Love faces a maximum penalty of 10 years’ imprisonment if convicted of the offenses charged in Virginia. Criminal complaints are only charges and not evidence of guilt. A defendant is presumed to be innocent until and unless proven guilty.
A copy of this press release may be found on the website of the United States Attorney’s Office for the Eastern District of Virginia at http://www.justice.gov/usao/vae. Related court documents and information may be found on the website of the District Court for the Eastern District of Virginia at http://www.vaed.uscourts.gov or on https://pcl.uscourts.gov.Additional information regarding the charges filed in New Jersey may be obtained at http://www.justice.gov/usao/nj.