Serbs launch cyberattack on NATO

Unidentified Serbian computer hackers last week successfully denied public access to the main World Wide Web server supporting the public affairs apparatus of the United States-led NATO operation in Kosovo, rendering the server virtually inoperable for several days.

The attack was launched against the NATO headquarters' Web server in Brussels, Belgium, and included an e-mail attack from Yugoslavia that clogged NATO's e-mail server with 2,000 messages a day.

Chris Scheurweghs, head of NATO's Integrated Data Service, which is responsible for providing public information on the NATO operation over the Internet, late last week said the attacks were ongoing but that NATO was beginning to take control of the situation. He also said the attacks now appear to be coming from all over the world.

NATO spokesman Jamie Shea said hackers in the Yugoslavian capital, Belgrade, attacked the Web site by launching what is known as a "Ping bombardment strategy." Ping, short for Packet Internet Groper, refers to the practice of sending out a packet of information to a server and waiting for a response, which is a way for users to determine whether a system is up and running on the Internet.

However, in this case, the hackers sent enough pings to overwhelm the server so it could not respond to other users.

According to Scheurweghs, hackers also attacked NATO's e-mail systems with the Happy 1999 macro virus, which he said was similar in function but far less devastating than the Melissa virus that wreaked havoc in the United States last week (see story).

Scheurweghs said the Happy 1999 macro virus changes a computer's Microsoft Corp. Windows Sockets application program interface, which allows Windows programs to interface with the Internet, and launches an executable file that crashes screens with a fireworks display.

Sources also told FCW that hackers, who appeared to hold similar anti-NATO views, carried out several "clumsy" attempts to break into several public Pentagon Web sites. There also have been reports of an intrusion attempt against the White House network.

In response to the attack against its systems NATO has taken steps to upgrade all of its servers from Sun Microsystems Inc. Sparc-20 servers to Ultra-Sparc systems, which have more processing power and so will be harder to overwhelm. Additionally, the office has coordinated with its Internet service provider to develop filters that would block the malicious e-mail messages, Scheurweghs said. In addition, NATO has disabled all Internet services except Hypertext Transfer Protocol and e-mail, he said.

John Pike, a defense and intelligence analyst with the Federation of American Scientists, Washington, D.C., characterized the attack as a "Ping of death" from Serbia. "This attack was launched against the Web site that has been the primary source of information about what's going on," including transcripts of briefings and bomb damage assessments, Pike said. "This is a textbook example that will be cited from now on as a low-cost, high-value attack."

Dan Kuehl, a professor at the School of Information Warfare and Strategy at the National Defense University, called the e-mail attack "a step up the [food] chain" from Web site hacks because e-mail attacks can affect the performance and capability of the organization. "If someone gets into the logistics control network, that would be a third step up the ladder, because in this era of just-in-time supply you might be able to directly impact ongoing operations."

Although Scheurweghs said he could not comment on whether NATO would approach the United States for assistance from the Defense Information Systems Agency's Joint Task Force for Computer Network Defense, he did say that his organization is trying to identify alternative procedures to lessen the burden on his two-person staff.

A spokeswoman for the JTF-CND said that the newly created task force, which is responsible for tracking and responding to suspicious and potentially harmful activity on DOD networks, was aware of the attack against NATO but has not been involved in helping to counter it.

"There are two lessons that governments everywhere have learned from these attacks," Scheurweghs said. "First, we will have to invest much more in security, and...the Internet is no longer just a side issue."