The attack on the server provoked 17 days of delay in payment to US Army Reserves
A judge in the United States sentenced a man from Atlanta to two years in prison followed by three years’ probation under supervision for sabotaging one of the US Army’s payroll databases with a “logical bomb”. According to reports of specialists in ethical hacking, the sentence of this person is related to an incident that occurred in November 2014 and that affected the US Army Regional Level Application Software (RLAS).
According to judicial documents, Mittesh Das, a 49-year-old male based in Atlanta, Georgia, worked for a company hired by the United States Army to manage one of the databases that are part of the RLAS system throughout the country. The external company hired Das to work on its RLAS maintenance contract since 2012 due to its extensive experience in systems.
However, two years after they won the RLAS contract, this company was unable to obtain an extension and was the delivery of the RLAS database management tasks was assigned to another contractor in November 2014.
According to researchers in ethical hacking, Das was annoyed by losing the contract and, sometime before the enterprise change he injected malicious code into the RLAS database, which would run days after the new company took control to destroy the locally stored records.
This code, which the investigators identified as a logic bomb, began to be executed on November 24th, the date the new company began the RLAS management tasks. The US Army Criminal Investigation Command, the investigating authority, said the malicious code erased data from five servers associated with the RLAS systems stored in Fort Bragg, NC.
Subsequently, the army eliminated the code from the logic bomb of its systems and restored all the data, but by then the incident had already brought consequences. To begin with, the army had to assume a cost of $2.6M USD for research and audit in their systems, carried out by specialists in ethical hacking.
In addition, more than 200k army reservists had to wait for weeks to receive their salaries, as the affected servers are responsible for managing payroll data, resulting in delays of up to 17 days in payments for reservists.
Finally, the operations of the Army reserves were also affected because the orders to mobilize soldiers are also handled through the same systems affected by the logical bomb. This prevented the army from being able to mobilize any soldiers for the simulation scheduled for December 2014.
According to specialists in ethical hacking from the International Institute of Cyber Security, the authorities accused and detained Das in April 2016, and later pleaded guilty in September 2017. In addition to the two-year prison sentence and the three-year probation, Das will also have to pay $1.5M USD in return for the damage caused by his attack.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.