Attackers allegedly used SQL injection to get into U.S. government computers


Here’s a twist on stories of U.S. agencies spying on the Internet and phone services around the world: British authorities have arrested a man there for being part of a conspiracy that allegedly breached thousands of computer systems in the United States and elsewhere – including the computer networks of federal agencies –  through SQL injection attacks to steal massive quantities of confidential data over the last 12 months.

The move came after federal authorities in New Jersey filed an indictment before a grand jury charging Lauri Love, 28, of Stradishall, England with one count of accessing a U.S. department or agency computer without authorization and one count of conspiring to access the computer.

An investigation led by the U.S. Army Criminal Investigation Command-Computer Crime Investigative Unit and the FBI in Newark revealed that Love allegedly illegally infiltrated U.S. government computer systems – including those of the U.S. Army, U.S. Missile Defense Agency, Environmental Protection Agency and National Aeronautics and Space Administration – resulting in millions of dollars in losses, the U.S. attorney’s office for the district of New Jersey said in a news release.

Love was arrested at his residence last Friday.

Between October 2012 and October 2013, Love and fellow conspirators sought out and hacked into thousands of computer systems, the news release said. Once inside the compromised networks, Love and his conspirators allegedly placed hidden “shells” or “back doors” within the networks, which allowed them to return to the compromised computer systems at a later date and steal confidential data. The stolen data included the personally identifying information of thousands of individuals, some of whom were military servicemen and servicewomen, as well as other nonpublic material.

In addition to using SQL injection attacks, the conspirators allegedly used vulnerabilities in  the Adobe ColdFusion Web application platform.

The news release doesn’t detail exactly how authorities got on to the alleged conspirators, but it does say people planned and executed the attacks in secure Internet relay chats. “They communicated in these chats about identifying and locating computer networks vulnerable to cyber attacks and gaining access to and stealing massive amounts of data from those networks,” the news release says. “They also discussed the object of the conspiracy, which was to hack into the computer networks of the government victims and steal large quantities of non-public data, including PII (personal identifying information), to disrupt the operations and infrastructure of the United States government.”

If convicted, Love faces a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense, on each of the two counts with which he is charged.


  1. The vulnerabilitieslies have less to do with ColdFusion and more to do with the unskilled developers hired to build the sites in question. Regardless of what platform is used, a bad programmer will always leave vulnerabilities and a good one will close as many as he can. ColdFusion is a great web platform, has been around for a long time and is well evolved. It’s unfair to blame this on a ColdFusion vulnerability.


Please enter your comment!
Please enter your name here