Hacking: NASA official says hackers gained “full functional control”

Published 9 March 2012

Last week NASA officials disclosed details about the alarming extent to which hackers were able to penetrate the agency’s networks.

Testifying before Congress, Paul Martin, NASA’s Inspector General, said the agency’s networks were targeted forty-seven times by sophisticated attacks and of those attempts thirteen were successful. More troublingly, during the attacks, hackers gained “full functional control” of critical NASA networks including the International Space Station.

In addition, one attack originating from China last November resulted in the complete loss of control of critical systems and employee accounts at NASA’s Jet Propulsion Laboratory. Hackers gained full system access including the ability to modify, copy, and delete sensitive files as well as upload malicious code for further attacks. The hackers stole 150 personal credentials and the attack is still under investigation.

Meanwhile another breach occurred last March when an unencrypted NASA computer containing algorithms to control the International Space Station was stolen. The agency maintains that the space station was not in danger.

NASA is frequently targeted by hackers as it is seen as one of the most prestigious technological labs in the United States, and for state-sponsored hackers and criminals, the agency’s valuable strategic information is highly prized. As a result, NASA spends nearly one-third of its $1.5 billion IT budget on cybersecurity, yet Martin noted in his testimony that only 1 percent of the agency’s portable devices and laptops were encrypted.

These unencrypted devices, as evidenced by the Space Station attack, can contain treasure troves of critical information as well as other passwords that can lead to future attacks. Between April 2009 and April 2011, nearly fifty unencrypted devices were stolen, compromising data from NASA’s Constellation and Orion programs as well as personal data like employees’ Social Security numbers.

Furthermore, Martin admitted that the agency did not move quickly enough to prevent hackers from exploiting credentials after the devices were stolen.

The Inspector General’s testimony also revealed that last year the agency detected more than 5,408 incidents of malicious software or unauthorized access to its computers, which cost NASA more than $7 million.