Solar Sunrise

SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 February 1998. The attack pattern was indicative of a preparation for a follow-on attack on the DII. DoD unclassified networked computers were attacked using a well-known operating system vulnerability. The attackers followed the same attack profile: (a) probing to determine if the vulnerability exists, (b) exploiting the vulnerability, (c) implanting a program (sniffer) to gather data, and (d) returning later to retrieve the collected data.

At least eleven attacks followed the same profile on Air Force, Navy, and Marine Corps computers worldwide. Attacks were widespread and appeared to come from sites such as: Israel, the United Arab Emirates (UAE), France, Taiwan, and Germany. The attacks targeted key parts of the defense networks and obtained hundreds of network passwords. Although all DoD targeted systems were reported as unclassified, many key support systems reside on unclassified networks (Global Transportation System, Defense Finance System, medical, personnel, logistics, and official e-mail).

DoD established a 24-hour emergency watch, installed intrusion detection systems on key nodes, and assisted law enforcement in computer forensics and investigation. SOLAR SUNRISE confirmed earlier ELIGIBLE RECEIVER findings: DoD has no effective indications and warning system, intrusion detection systems are insufficient, DoD is not organized effectively for IO, and that identifying the threat group and motives is a problem.

These attacks occurred when the U.S. was preparing for potential military action against Iraq due to UN weapons inspection disputes and could have been aimed at disrupting deployments and operations. So who was behind these attacks --Iraq, terrorists, foreign intelligence services, nation states, or hackers for hire? The attackers were two teenagers from California and one teenager from Israel.