Hackers Had ‘Full Control’ of Hijacked Nasa Network

Nasa spends only $58m of its $1.5bn annual IT budget on cyber security, Paul Martin, the agency’s inspector general, told a Congressional panel on NASA security.

“Some Nasa systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our nation’s competitive technological advantage,” Martin said in testimony before the US House Committee on Science, Space and Technology.

He said the agency discovered in November that hackers working through a Chinese-based IP address broke into the network of Nasa’s Jet Propulsion Laboratory and gained “full functional control” of computers.

He said their access allowed them to modify, copy, or delete sensitive files, create user accounts for mission-critical JPL systems and upload hacking tools to steal user credentials and compromise other Nasa systems. They were also able to modify system logs to conceal their actions, Mr Martin said.

“Our review disclosed that the intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL’s networks,” he added.

In another attack last year, intruders stole credentials for accessing Nasa systems from more than 150 employees.

Martin said the agency has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands.

Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station as well as sensitive data on Nasa’s Constellation and Orion programs and Social Security numbers, Martin said.

Nasa was one of the organisations breached by the British hacker and Asperger’s sufferer Gary McKinnon in 2001 and 2002. He is still battling extradition to the US.