MaltaToday

News | Sunday, 19 October 2008

The hacker in our MITTS

Karl Schembri looks back at the past month in which the government’s central nervous system operated by MITTS was attacked, how the news was reported, and how Minister Austin Gatt dealt with it

4 September – Alert at MITTS headquarters
At around 10am, technical operators at the Network Operations Centre (NOC) at Gattard House in Blata l-Bajda notice that one of the data servers containing all the usernames and passwords of over 20,000 MITTS clients is manifesting performance problems.
By 5pm, the technicians establish that the server is operating an unauthorised programme that was intended to illegally extract all the usernames and passwords on the server and transmit them elsewhere.
The NOC administrator informs the executive management of the investigations.

5 September – MITTS believes no passwords are stolen
MITTS Chief Executive Alex Attard appoints MITTS officials of the Information Security and Risk Management Department (ISRM) under Mario Spiteri – who also serve on the National Information Security Authority – to take control of the internal investigation into the incident.
ISRM starts immediate investigations while the executive management starts the process of interviewing NOC employees to establish the involvement of staff on duty on the day of the incident.
It emerges that a similar programme to the one executed on 4 September was also executed on 2 and 3 September on the same server. In the three cases, it was found that the username and password of one of the MITTS team leaders who formed part of NOC, and who had administrator rights on the server, were used to access the server involved in the incident.
MITTS Chairman Claudio Grech is informed late at night by ISRM and NOC technical operators that there was a “great probability that no extraction had taken place”.

6 September – Cairo and Mater Dei involved, police informed
ISRM finds copies of the programme on two other computers: one on the server of the Maltese Embassy in Cairo and the other on a computer at the Mater Dei Hospital. The Mater Dei computer is elevated by ISRM, which according to Gatt “was also found to have hidden inside a number of CDs with software that was similar to that found operating on the server”.
According to the technical operators, the programme used on 2 and 3 September was incompatible with the information structure of the attacked server, while on 4 September the process had been stopped by the NOC technicians.
“In all cases, the software used was one that can be downloaded for free from the internet and is easily installed and operated – therefore there was no particular sophistication. These conclusions obviously laid everyone’s mind at rest”, Gatt told Parliament.
As a result of its preliminary investigations, the executive management expressed its suspicions about two NOC employees, who together with the team leader were immediately put on forced leave.
ISRM reports the case for the first time to the police.

7 September – Austin Gatt informed, password theft ‘unlikely’
The minister is informed of the investigations by MITTS Chairman Claudio Grech, who also opines that it was “highly unlikely” that any information had been stolen. Police start their own investigations.

10 September – MITTS board imposes password change
MITTS Board of Directors called for an extraordinary meeting, in which the management presents the facts it had gathered. The management reiterates its belief that the extraction of usernames and passwords was highly unlikely. The board, however, still decides on imposing a forced password change on all the MITTS users.

11 September – Password change enforced
All 20,000 MITTS clients are forced to change their passwords.

17 September – Another computer involved
The board of directors is convened again and briefed further by the executive management. Executive management insists again that there is no evidence of a successful extraction of usernames and passwords. In the same meeting, a police officer explains that the police are far from reaching a hypothesis into the case and that they are excluding nothing. The directors are also informed that the team leader admitted to the police that he had communicated his password to another MITTS employee by telephone in the vicinity of other people. He claimed he did this to solve a technical problem, and that he had not changed his password since.
On the same day, the same programme is found on a computer of yet another MITTS employee, while the analysis of more logs reveals that the computer of another employee had aggressively pinged the same server involved in the incident.

24 September – MITTS realises ‘passwords could have been stolen’
The board of directors is told by the executive management, for the first time, that the extraction of information on 4 September could have been successful, after all. In view of this sensational change, the board of directors gives the executive management two days to analyse all the facts and present its final opinion.

26 September – MITTS concludes ‘passwords have been stolen’
The board is informed by the executive management that it was assuming that the extraction of usernames and passwords had been successful. The board decides that the team leader and the employee whose computer was found to contain the programme would be suspended without pay. The other employees are to be kept on forced leave. The public official whose computer at Mater Dei was found to have the programme is put on leave on half-pay.
The board of directors remarks that “in the most clear of ways”, MITTS had a number of deficiencies that it had to tackle most urgently. The board agrees to engage an international company specialised in information security to analyse all the information collected by ISRM and the executive management with the aim of establishing with certainty whether the extraction had taken place.

4 October – Foreign help
Two experts from the contracted American company arrive in Malta.

8 October – Password theft confirmed, attack from Cairo
The experts’ report is presented to the board of directors, confirming that the password extraction had taken place successfully on 4 September, and that there was a high probability that the attack originated from the Maltese Embassy in Cairo. The computer at the embassy is found to be infected by malware that was permitting the connection between the government network and the internet. The experts recommend that the embassy’s system be cut off from the government network and that a copy of the hard disks held in Cairo be passed on for analysis.
The police reach the same conclusions regarding the origin of the attack from Cairo and elevate all the material for investigations.
The MITTS board commissions an external review team to analyse all the circumstances leading to this incident and to list recommendations.
All members of the board of directors offer their resignation, which is rejected by Austin Gatt.
“The board took all the right steps consistent with the information that it was given by the management when it was informed about the problem,” Gatt told Parliament, defending his decision. “It was the board itself that insisted on the forced password change even though the management told it that password theft had been highly unlikely.”

The news behind the news

13 September – News breaks out: Police probe MITTS breach
The di-ve.com news website breaks the story under the headline, ‘Police probe MITTS breach’. Journalist Paul Cachia reports that three MITTS employees were suspended from work after being questioned by the police in investigations into “a serious breach of internal policies and procedures”.
The report carries an official statement from Gatt’s ministry, which says nothing about theft of passwords. The statement said: “On Sunday, 7 September, 2008 Malta Information Technology and Training Services Ltd (MITTS) submitted a formal request for assistance to the Commissioner of Police to investigate suspected breach of internal policies and procedures by one or more technical members of its staff. Members of the Police were briefed about the situation by the management team.
“The Police interviewed a number of MITTS employees to help them in their investigation.
“As a result of the police investigations, MITTS has placed three persons on forced leave until further notice. The matter is still being investigated by the Police and assisted by the MITTS executive management who are not aware of further developments to date”.

14 September – KullĦadd repeats story
Labour newspaper KullĦadd reports about the MITTS staff under investigation, referring to di-ve.com’s story.

21 September – First mention of stolen passwords
Di-ve.com reports that passwords of ministers, MPs, the prime minister, police, AFM and the Attorney General were among those “hacked” by three MITTS employees.
KullĦadd reports in more detail, stating that all the email passwords of clients on the gov.mt server had been ‘leaked’. The newspaper reports that government was “doing its utmost to keep this serious case secret”.
The report adds that the MITTS staff under investigation belonged to the Service Management Department, although police were also looking elsewhere.

23 September – Gatt’s reaction: ‘A pack of lies’
Austin Gatt issues a press release referring to the KullĦadd story, calling it “a pack of lies”. While confirming that an investigation was ongoing, Gatt says that “any comment prior to the conclusion of the said investigation is uncalled for and possibly prejudicial to the investigation”.
“The only statement that needs be made at this time is that the allegations being carried in the Labour Party newspapers are a ‘pack of lies’,” Gatt said.

27 September – Dar Malta bugged?
Labour news portal Maltastar.com reports that the server at Dar Malta in Brussels had been hacked. According to the report, secret service agents and MITTS employees had been dispatched to Brussels after “sensitive documents and folders of the permanent representation were spread all over the city, including other permanent representations”. The story alleged that the secret service agents were alerted to the possibility of “bugging”, besides hacking, in Dar Malta. The story is repeated the next day in Maltese on KullĦadd.

29 September – MLP’s call for House debate rejected
Labour’s interim Opposition Leader, Charles Mangion, proposes a motion for Parliament to discuss urgently the reports surrounding the MITTS investigation, as a matter of national security. Mangion also referred to an alleged report filed months earlier by a major bank, claiming that it had been hacked through MITTS. House Speaker Louis Galea however turns down the motion, stating that although it was “worrying”, it was not an urgent matter.

1 October – Labour MPs’ emails could have been hacked
MaltaToday Midweek reports senior Labour officials’ statements that email accounts belonging to Alfred Sant, George Vella and Anglu Farrugia had been targeted by MITTS personnel. Acting Opposition leader Charles Mangion tells MaltaToday that he did not exclude a political motivation behind the ‘illegal’ access to the email accounts.
He says that he personally refused to use government email accounts.
“When MITTS wanted to install their email account they asked me for my server. You can now understand why I refused to accede to their request,” he said.
On the same day, Austin Gatt extends his accusation to MaltaToday, calling its story “a pack of lies”.
“The story on MaltaToday which gives the impression that the on-going police investigation on MITTS is about hacking into the email accounts of members of the Opposition is a pack of lies. Neither MITTS nor the Ministry have ever had any inkling of the sort of allegation contained in the story and if MaltaToday or the quoted “senior Labour Party officials” have any facts at hand they are in duty bound to immediately pass them on to the police.”

6 October – Gatt: Police Commissioner told me ‘no’
Austin Gatt publishes the opinion of Police Commissioner John Rizzo that any comments he would make on the case would compromise police investigations. This leads Gatt to conclude that “until the investigations are concluded, despite the criticism and unfounded speculation by the Opposition and by a section of the media, the Government deems that any further comments are uncalled for.”

8 October – Sant reiterates hacking claim in Parliament
Former Labour Leader Alfred Sant voices his concerns in Parliament about his suspicions that his email had been unlawfully accessed, reiterating the story as told to MaltaToday by other senior party officials and rubbished by Gatt as “a pack of lies”. Sant tells Parliament that in September, he had informed the Clerk of the House that he could not access his email. MITTS had asked him to change his password without providing any explanations. Sant says he had expected MITTS to tell him if anyone had accessed his emails over the last two years, but no information was forthcoming. He accuses government of hiding information and calls the Police Commissioner ploy “unacceptable”.

10 October – MITTS Chairman dismisses hacking
MITTS Chairman Claudio Grech informs Alfred Sant that investigations into the alleged hacking of government email accounts did not indicate that any MPs’ accounts had been accessed. Grech says the suspects were not being held on suspicion of accessing or interfering with email accounts.

12 October – Sant repeats hacking fears: ‘It has gone on for two years’
Alfred Sant reiterates his belief that the alleged hacking of his government email account has been ongoing for two years, in a comment to MaltaToday. “If investigations are proceeding, these too would make my e-correspondence liable to further monitoring by new sets of ‘eyes’,” Sant says. “I should know about the extent of investigation by whoever is conducting the latter on my past/present email, as well as my correspondents. This in order to enable me to take all relevant steps to protect my rights and interests, as well as those of people who sought to correspond with me. … I am not in the business of making allegations up in the air… If (the hacking allegations) true, apart from the illegality of it, this would clearly impact on the integrity of my work and functions, past and present. My privacy, my rights, including those of a fundamental nature, and the associated rights and interests of my correspondents are equally on the line.”

14 October – Gatt spills the beans: 20,000 passwords stolen
Gatt finally makes a statement in Parliament, admitting that over 20,000 email passwords had been stolen from the government server.

 


Copyright © MediaToday Co. Ltd, Vjal ir-Rihan, San Gwann SGN 9016, Malta, Europe
Managing editor Saviour Balzan | Tel. ++356 21382741 | Fax: ++356 21385075 | Email