back to article IT plonker stuffed 'destructive' logic bomb into US Army servers in contract revenge attack

An IT contractor is facing a possible decade behind bars in America for planting a ticking "destructive" time bomb in US military systems. After a three-day trial this week, Mittesh Das, 48, of Atlanta, Georgia, was found guilty by a jury in North Carolina of knowingly transmitting malicious code with the intent of causing …

  1. Anonymous Coward
    Anonymous Coward

    not great timing.

    Wow after the Equifax hack and now the SEC hack probably not the best time to go before your peers accused of computer misuse. Don't drop the soap Mittesh. Probably should have pled down.

  2. Field Commander A9

    Fort Bragg

    For Bragging

    1. macjules Silver badge

      Re: Fort Bragg

      Isn't Fort Bragg home of Special Operations Command? Definitely the wrong people to delay pay checks for.

      1. Florida1920

        Re: Fort Bragg

        Isn't Fort Bragg home of Special Operations Command?

        The United States SOC is headquartered at MacDill Air Force Base in Florida.

        https://en.wikipedia.org/wiki/United_States_Special_Operations_Command

        Fort Bragg is the HQ for the US Army SOC, a different unit.

        https://en.wikipedia.org/wiki/United_States_Army_Special_Operations_Command

        Still, messing with military in any way is a guaranteed FAIL.

  3. Orv

    I feel like if there's any client you should know not to burn, it's the US military.

  4. Chozo
    Devil

    Purely out of academic interest for educational & research purposes,

    How would you folk hide a logic bomb?

    1. Field Commander A9
      Coat

      among logics of course!

    2. DNTP

      Step one: accept that logic bombing is unprofitable and you're going to get caught, then choose a target where the penalty for getting caught doesn't possibly include a trip to Guantanamo Bay.

      1. kain preacher

        Step one: accept that logic bombing is unprofitable and you're going to get caught, then choose a target where the penalty for getting caught doesn't possibly include bullet to the back of the head, cut brake lines , waking up in secret underground facility that very few folks know exist.

        TFIFY

        1. Alan Brown Silver badge

          There's a lot more than "just" shadowy military goverment operations that fit those descriptors - some of whom will quite happily extend the response to include your entire family, just to make a point

    3. Anonymous Coward
      Anonymous Coward

      How would you folk hide a logic bomb?

      Well I wouldn't make it obviously "fail" at anything for a start. Off the top of my head and given that this is a payroll system, I would introduce small but cumulatively significant errors into the payroll tax calculations. Once there is a significant discrepancy to work with, anonymously tip off the IRS (motto: "No dollar left behind.") and watch the resulting cage fight from a safe distance.

      1. a_yank_lurker Silver badge

        Re: How would you folk hide a logic bomb?

        Also, make sure enough time has elapsed that once triggered you are not an obvious suspect.

        1. Anonymous Coward
          Anonymous Coward

          Re: How would you folk hide a logic bomb?

          In my company anything logical would stick out like a lighthouse. The only way to hide it would be to make it illogical...

      2. Doctor Syntax Silver badge

        Re: How would you folk hide a logic bomb?

        Introduce a dependency on some 3rd party package which needs periodic renewal and not tell anyone the account numbers. Or just use Oracle & Microsoft products and then grass them up for a licence audit.

      3. Anonymous Coward
        Anonymous Coward

        Re: How would you folk hide a logic bomb?

        US military pay entitlements and gross-to-net calculations have been done centrally (for both active duty and reserve personnel) for nearly 40 years. Local payroll systems have been used to print earnings statements and issue checks (although for years payments have been by direct pay to bank with few exceptions if any). Locally operated, but mostly centrally maintained systems also may process data used to determine service member entitlements. For reserve personnel not on active duty, that would include data entry and validation for monthly weekend exercises, for example, and the locally operated software used would be the place to insert errors.

        Reservists are attentive to their pay and not hesitant to raise issues, including with their congressional representative, if it is incorrect or late. Representatives (or their staffs, which amounts to the same thing) are similarly attentive to service member complaints, and so are agencies deemed accountable, which in DoD are held to a ten day turnaround on "congressionals."

    4. Anonymous Coward
      Anonymous Coward

      Disguised as notepad.exe

      So if somebody would open the boobytrapped notepad.exe, it'll do two things :

      - check for administrative privileges, if not, start up the real notepad.exe

      - if administrative privileges exists, then it'll copy the logic bomb somewhere into the system, delete the trojanized notepad.exe and start the real notepad.exe up, with nobody the wiser - until the logic bomb activates itself.

      After all admins need to use notepad.exe sometime. Or ipconfig. Or any other windows app for that matter sometime.

      But I will never, ever do it, too risky.

      1. Adam 1

        > Disguised as notepad.exe

        Curiosity here, if you had admin privileges to replace notepad.exe, why not just copy the logic bomb at the same time?

        I think evil Adam1 would do it this way.

        1. Download CCleaner

        2. Run it

    5. alain williams Silver badge

      Where to hide a logic bomb?

      Unless you are of the mindset of a suicide bomber the most important thing is plausible deniability. Make it look like a logic error -- a bug.

      1. TRT Silver badge

        Re: Where to hide a logic bomb?

        In the wastebasket?

    6. Anonymous Coward
      Anonymous Coward

      Why does that sound familiar?

      Obviously, I'd have it skim off all the fractions of a penny that get rounded off on each transaction, and transfer the fractions to my account.

      1. Mr Dogshit

        Re: Why does that sound familiar?

        That does sound remarkably like the plot of the film "Office Space"

        1. Peter Kavanagh.
          Happy

          Re: Why does that sound familiar?

          Pryor art :

          https://en.wikipedia.org/wiki/Superman_III

          1. Alan Brown Silver badge

            Re: Why does that sound familiar?

            "Pryor art :"

            Which in itself was based on prior art, as something similar really did happen in the early 1970s.

            Since when did Hollywood _ever_ have an original idea?

    7. herman Silver badge

      Easy: Load it before SystemD starts logging.

    8. Boork!

      With the other bombs, of course. It is the military, after all.

  5. Greyeye

    cannot believe people as smart as a coder, think they can hide logic bomb in "ANY" code.

    1. Lysenko

      Not so hard in some languages. ({} + []) === ([] + {}) .... not in JS it doesn't, and if you can use PHP then the scope for "accidentally on purpose" logic and calculation bear traps is so huge there are entire websites dedicated to the resulting WTF'ery. As for a "detonator", the MM/DD/YYYY vs. DD/MM/YYYY (or ISO) date format discrepancy is almost purpose built for the task.

    2. Adam 1

      What about hiding it in gcc / msbuild.exe so it injects the payload (ie the Ken Thompson Hack)

  6. Notas Badoff

    Timing

    First rule of (logic) bomb is timing. Make the delay long enough to remove yourself from the blast radius. Like Russia. Or Burma.

  7. FrankAlphaXII

    Wow. Just wow. What a moron.

    Having been an Army Reservist (and Active Duty before that), this must have been the payroll system for Civilians that work at Army Reserve centers for the Army itself and maybe Unit Administrators when they're not called back to duty and militarized under Title 10 orders.

    And given most UAs are retired First Sergeants and Sergeants Major, what a stupid target to fuck with. I would not want every UA in the country hot after your ass for making them miss a paycheck. At the same time, these people can likely handle missing a paycheck whereas a Private up to Specialist/Corporal really can't unless they're living in the barracks and most of their pay is disposable income.

    Military pay for the actual servicemembers in an Army Reserve or Regular Army unit is (mis)handled by the Defense Financial and Accounting Service, which is an even dumber target to fuck with. The easiest way to wind up in prison if you have anything to do with the Department of Defense is to mess with Uncle Sam's money. They've even tossed the first commander of SEAL Team Six/DEVGRU into prison for misappropriating funds.

    That being said, I'm amazed that the Clowns in Disguise (CID for the uninitiated, they're usually pretty inept) figured it out, and it didn't take the 902d Counterintelligence and NSA/CSS to do it, unless it did and the CID's just getting the public credit for it. Which could be the case.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wow. Just wow. What a moron.

      "And given most UAs are retired First Sergeants and Sergeants Major, what a stupid target to fuck with. I would not want every UA in the country hot after your ass for making them miss a paycheck."

      Because these guys are going to come hunting the perpetrator down, Rambo style, right?

      I do enjoy these, "the army are the last people you want to fuck with", warnings.

      1. Chris G Silver badge

        Re: Wow. Just wow. What a moron.

        Seargeants and seargeants major may not come after you like Rambo but they really aren' t people you should fuck with because they won't quit trying to find you. They usually also carry enough weight to make sure you don't just become a cold case.

      2. Anonymous Coward
        Anonymous Coward

        Re: Wow. Just wow. What a moron.

        I do enjoy these, "the army are the last people you want to fuck with", warnings.

        Tell that to Saddam Hussein.

      3. a_yank_lurker Silver badge

        Re: Wow. Just wow. What a moron.

        @AC - They are the ones who know how the military actually works and were in may 20 to 30 years.

      4. StargateSg7

        Re: Wow. Just wow. What a moron.

        Either you're from the UK or you're NOT a native of North Carolina,

        or the Virginias, Texas Alabama, Georgia, Florida, etc!

        YOU pull a stunt like that down here and ABSOLUTELY NO IFS

        AND OR BUTS ABOUT IT you are gonna get a DEFINITE beat down

        and MULTIPLE 9mm, .357 or .45 slugs in your gut!

        EVERYONE carries guns down here!

        And YOU MESS with their paychecks

        and your are soooo much dead meat!

        Americans don't give a R*((*&*(&* A*(&*(& what the bobbies think!

        You mess with a family member's living and you are as good as -D-E-A-D-!!!

        Literally EVERY SINGLE DAY (sometimes 3 times a day!) in EVERY ONE

        of those states I listed above someone ends up shot dead or beat down

        reeeeeaaaal good for messing with a person's livelihood!

        In these states especially (and in Fort Bragg in particular!) the

        local yokels ABSOLUTELY WILL BE ON THE HUNT for said hacker

        and that hacker WILL BE SHOT ...AFTER... he gets a good beat down!

        He is sooooooo lucky the MP's (Military Police) and/or Feds (FBI) got to him first!

        I can very much assure you he would NOT be alive had he been caught by the locals!

        There's a heck of a lot of America that simply DOES NOT PUT UP WITH IDIOTS like this!

        They get -S-H-O-T- -D-E-A-D- --- In America we REALLY DO Shoot First and Ask Questions Later !!!!

        1. Jugernautilus

          Re: Wow. Just wow. What a moron.

          Yet he hasn't.

        2. Anonymous Coward
          Anonymous Coward

          Re: Wow. Just wow. What a moron.

          @StargateSg7 If you want to `uck with a payroll system, you pay the staff MORE than they're entitled to, but not hugely more. Just enough to, add up to a sum that overtime, the employer will need to claw back.

  8. Winkypop Silver badge
    Black Helicopters

    If you use logic correctly

    You wouldn't set a logic bomb...

  9. Anonymous Coward
    Anonymous Coward

    Slightly inflated cost estimate here?

    ... amounting to a total labor cost to the US Army of approximately $2.6 million.

    Let's say it took them a month to wipe and reload all systems the guy has ever touched. It should not have taken this long, but let's err on the generous side. At $130K p.a., this is 240 people doing the work, which seems like a slight overkill for a few dozen systems likely affected.

    Of course, it could have also been couple of pals of the base commander's son, who took a bargain-basement fixed-price contract to do the work ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Slightly inflated cost estimate here?

      You are clearly thinking as a right minded techie not a government contractor.

      You would clearly need to procure new hardware and storage to perform your re-install on.

      There are probably fees to retrieve the backups, especially if they are historic.

      You need a few people to to the code review, but don't forget the account manager, project managers and "expenses".

      Add a bit of a fudge factor for the internal costs associated with writing letters and administering evidence gathering for a prosecution it does not sound so hard to justify (regardless of any resemblance to reality)

      1. defiler

        Re: Slightly inflated cost estimate here?

        Also you're forgetting the military markup - anything for the military costs at least 3x what it does on civvie street. Hell, sometimes it's even for good reasons, but I suspect this may be a case of "we're used to paying over the odds - shut up and take our (government) money!!"

        I'm sitting here wondering how a middle-aged man becomes so petty as to wilfully try to damage an ex-client's system. I mean, I'm no stranger to losing my exquisite cool over client stupidity, but I wouldn't even consider this. Especially if they've just changed suppliers at the end of a contract run.

        1. Mike Moyle

          Re: Slightly inflated cost estimate here?

          @ defiler -- You answered your own question:

          "I'm sitting here wondering how a middle-aged man becomes so petty as to wilfully try to damage an ex-client's system.

          "...you're forgetting the military markup - anything for the military costs at least 3x what it does on civvie street."

          Losing lots of easy money can make people do stupid things.

      2. rmason

        Re: Slightly inflated cost estimate here?

        You also haven't taken into account the fact they wouldn't have know what/how many things were effected, I imagine this triggered a deep look into and at *everything with a plug on it*.

        They will have been obliged, quite rightly, to check every switch,router,server,PC, SAN etc etc

        New hardware will have been purchased, work will have been round the clock, so overtime/high rates. Suppliers to gov entities also always charge though the nose. After all the hoops they jumped through to get contracts, they tend to gouge to recover costs.

        Tthen every single bit of software will have been checked out. The list goes on. It's the military, I doubt they just ran MBAM.exe on everything and called it a day.

    2. Maty

      Re: Slightly inflated cost estimate here?

      What you have here is what we used to call a 'logistics sink'.That's when a incident occurs which allows a military unit to write off stuff that has gone missing/been misappropriated, been broken, or just needs replacing.

      As a result a one-minute contact with the enemy can consume a truly amazing amount of equipment. I'd imagine this logic bomb presented the IT folks with a similar opportunity.

      1. I3N
        Coat

        Re: Slightly inflated cost estimate here?

        Funny, when Ken was driving us around London said that happened re:HMS Sheffield. Ken sited the form numbers. Even allowing for his Welsh, we nodded in agreement because the same was true for this side of the pond's Navy.

    3. Aodhhan

      Re: Slightly inflated cost estimate here?

      Actually, the cost isn't bad at all. It appears you don't have a lot of InfoSec experience.

      There is a lot more than just looking at code and restoring data involved in the costs.

      Don't forget about the investigation (including talking to people-- suspects/witnesses), forensics, network security experts, not to mention corrective actions, etc. There is also looking through all other systems this individual had access to, then going through all of them with a fine tooth comb.

      I can go on, but I'm sure you're starting to get the picture... there's a lot more than meets the eye.

  10. Anonymous South African Coward Silver badge

    Seems people never learn.

    The one that never get caught is the true BOFH. 'nuff zed.

  11. Pascal Monett Silver badge
    Thumb Down

    48 years old

    Stupid enough to plant malware, and abysmally stupid enough to have it trigger mere days after the handover.

    With that level of intellectual performance, I think that it's a good thing the Army changed provider.

  12. Pat Harkin

    "total labor cost to the US Army of approximately $2.6 million"

    $2,600,000? Really?

    Let's say they put 100 people on it.

    And paid them 100% overtime.

    For 100 hours.

    That's a base hourly rate of $130 per hour or $270,000pa.

    Where do I sign?

    1. ElReg!comments!Pierre

      Re: "total labor cost to the US Army of approximately $2.6 million"

      I am not one of the downvoters, and I had a long yet witty response typed when either ElReg or CloudFlare decided crapping themselves would be a good thing to do.

      Long story short, 700 000 bucks claimed against McKinnon, a slightly lost kid on the other side of the ocean trying a default remote desktop password and not disturbing anything, vs 2.6 mil claimed against an IT professionnal with physical access to "critical" systems and causing actual damage... the 2.6 mil claim doesn't seem the most overstated of the 2, to me.

    2. Anonymous Coward
      Anonymous Coward

      Re: "total labor cost to the US Army of approximately $2.6 million"

      ... that's ludicrously cheap for a forensics consultant to come in and do post-mortum.

      the last incident I was involved with, the one guy ran double that hourly rate easy. In-house staff did the bulk of the leg work, both raw discovery and remediation.

      anon for obvious reasons.

  13. Dabooka Silver badge

    Two fails

    1 - Timing; it's waaaaay too soon, as has been pointed out. Too obvious.

    2 - Instead of a logic bomb, he should have got all the spare cents from each pay roll run transactions etc and rolled them into a separate account. No one would EVER notice (unless he stupidly buys a Ferrari or somesuch) /Profit

    1. TRT Silver badge

      Re: Two fails

      I mean delaying the payroll is bound to get someone to notice soon. Far better to just add an extra dollar onto everyone's pay-packet that month. Then an extra two dollars the next month... And keep going. No-one is going to complain, and the wages bill next audit looks like the investment in the new contract was more costly than anyone anticipated.

    2. Jake Maverick

      Re: Two fails

      you just thinking of that Superman film....numero 3 was it? ;-) been long time, but token black guy/ Pryor did it.......

  14. Cardinal
    Holmes

    'A Grave Miscarriage of Justice'

    "Have you read 'The Times' this morning Holmes? That Das fellow in America seems to be getting his comeuppance for this army payroll thing eh?"

    "On the contrary Watson - the man is completely innocent, and a grave miscarriage of justice is afoot. Call a cab - we must get to the American Embassy immediately!"

    "Nonsense Holmes - look at this paragraph and just see the damage he has done!"

    <Prosecutors described Das's program as "progressively destructive," adding: "The damage had to be corrected through removal of the malicious code, restoration of all information and features, and a thorough review of the entire system to locate any further malicious code,>

    "Damage has indeed been done Watson - but not by Das - for observe, - the crime took place on THE SECOND TUESDAY OF THE MONTH!"

  15. Look! A big red button!

    Err

    The Criminal Investigation Command is known as CID?

    1. The First Dave

      Re: Err

      CI-A, CI-B, CI-C (and indeed CI-E) were all tasked with more important things at the time.

  16. Stevie Silver badge

    Bah!

    Interesting. This was being blamed on "legacy mainframe cobol systems" when it happened, during an attempt to merge the payroll systems of the army, navy and marine corps.

    What they needed was less shiny indian tech consultancy, more old cobol-speaking geezer.

  17. ElReg!comments!Pierre

    "crime in cyberspace" ????

    Appart from the obvious fact that no-one cool has used the term "cyberspace" in the past 3 decades, how is sabotaging a server "cyber"?

  18. Joe User

    Acronym?

    Is "Das" short for Dumbass"?

  19. Updraft102

    A "destructive" bomb, you say?

    Why, I have never heard of a bomb of that sort!

  20. Jake Maverick

    um, reasonable doubt anyone....?

    people who don't work in IT don't seem to get it, but it is extremely easy to frame people for these things....I mean really, if you were going to do something like this would you really use your own ID? or somebody else's...? and when you have access to the back end of systems you've effectively got access to everybody's ID....I find it very difficult to believe that somebody who is competent enough to do that job in the first place would do that in a way where it was trackable back to him....I suspect the same on that Litvinenko assassination as well, but morons blindly following the evidence.....there is no easier way to frame people. in the physical world u wd need to plant a cigarrette but, dna, fingerprints or something....much more difficult!

    even when you don't have that kind of access still very easy to plant something like, say kiddy porn or whatever on your managers PC.....tell his manager you saw him looking at kiddy porn on his computer, manager checks....he's fired and u get a promotion....how many times do u think that has happened?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021