It seems the US State Department systems are suffering from an ongoing security problem, with government officials unable to root out infiltrators three months after the initial break-in, despite their best efforts to block and wipe the intrusion.
Back in October, the US State Department confirmed it had been forced to disable an entire unclassified email system after being breached. Now months later, in what investigators claim is one of the most serious breaches of US government agencies, it’s been revealed that the same hackers lay in wait before gaining access to unclassified, although highly sensitive, parts of the White House email system, and even the President’s private schedule.
According to a report by CNN, White House officials are pointing the fingers at the same Russian hackers, after investigators assessed the malware used by the attackers and their methods.
As many enterprise IT teams know only too well, once attackers get into a computer system it can be notoriously difficult to get them out. In many cases the network and the internal security controls themselves inadvertently allow attackers to move laterally across the network without being noticed.
As Dwayne Melancon, CTO of cyber security firm Tripwire, explains, the biggest mistake an IT team can make when facing an intrusion is taking an outward-focused security approach. While a lack of network segmentation or compromised credentials could have been the initial weak point in the system, the problem was compounded in the months after the attack.
‘If you assume the enemy is "out there" you stop noticing their activities when they get "in here",’ says Melancon. ‘Additionally, many organisations lack a baseline understanding of what is "normal" on their internal network and systems, making it difficult to tell which systems you can trust, which systems you can’t, and – more importantly – how to stop the attack and prevent future compromises.’
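One concrete form of the baseline Melancon is describing is a record of which internal hosts normally talk to which services, against which new activity can be compared. The script below is an added illustration written for this article, not code from Tripwire or from the investigation; the host names, ports, flow records and the fan-out threshold are all constructed for the example.

```python
"""Baseline-and-deviation check over constructed internal flow records.

The idea: learn which (destination, port) pairs each internal host normally
reaches during a quiet period, then flag connections outside that set and
hosts that suddenly reach several new internal destinations, which is the
east-west movement an outward-facing perimeter never sees.
"""
from collections import defaultdict

# Constructed "quiet week" flow records: (source host, destination host, destination port).
BASELINE_FLOWS = [
    ("ws-101", "mail-01", 443), ("ws-101", "files-02", 445), ("ws-101", "dc-01", 88),
    ("ws-102", "mail-01", 443), ("ws-102", "files-02", 445), ("ws-102", "dc-01", 88),
    ("admin-01", "dc-01", 3389), ("admin-01", "files-02", 3389),
]

# Constructed records from a later window that a defender wants to review.
CURRENT_FLOWS = [
    ("ws-101", "mail-01", 443),      # known-good pair
    ("ws-101", "files-02", 445),     # known-good pair
    ("ws-102", "mail-01", 443),      # known-good pair
    ("ws-102", "ws-101", 445),       # workstation-to-workstation SMB: new
    ("ws-102", "admin-01", 445),     # workstation reaching the admin box: new
    ("ws-102", "dc-01", 3389),       # known host, but RDP instead of Kerberos: new
    ("admin-01", "dc-01", 3389),     # known-good pair
]


def build_baseline(flows):
    """Map each source host to the set of (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def find_deviations(baseline, flows, fanout_threshold=3):
    """Return (new_pairs, suspects).

    new_pairs: every flow whose (destination, port) was never seen from that
               source in the baseline, in the order observed.
    suspects:  sources that reached at least `fanout_threshold` distinct new
               destinations, the pattern of a host being used as a pivot.
    The threshold is an assumption for this example; tune it per environment.
    """
    new_pairs = []
    new_destinations = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) not in baseline.get(src, set()):
            new_pairs.append((src, dst, port))
            new_destinations[src].add(dst)
    suspects = sorted(
        src for src, dsts in new_destinations.items() if len(dsts) >= fanout_threshold
    )
    return new_pairs, suspects


def review(baseline_flows=BASELINE_FLOWS, current_flows=CURRENT_FLOWS):
    """Run the check over the constructed data and return the findings."""
    return find_deviations(build_baseline(baseline_flows), current_flows)


if __name__ == "__main__":
    new_pairs, suspects = review()
    for src, dst, port in new_pairs:
        print(f"new internal connection: {src} -> {dst}:{port}")
    for host in suspects:
        print(f"review host {host}: reached several destinations it never used before")
```

Two caveats matter in practice. The baseline is only as clean as the period it was learned from: if the intruder was already present, as the article says they were for months, their traffic gets blessed as normal, so the learning window should predate the suspected compromise or be reviewed by hand. And a single new pair is usually benign; the value is in the combination of never-seen host-to-host connections and a new protocol to an already-known server, which is why the check reports both.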
As portions of the network were shut down for long periods of time for extensive security upgrades, many speculated that the extent of the intrusion may have been more severe than originally thought.
Although the breach was remediated and the State Department has said it has taken a number of steps to improve its security posture, the fact that the attackers were able to use that initial intrusion as a spearhead to gain access to the White House network is alarming to security experts such as Tripwire senior security analyst Ken Westin.
‘This is a good example of "it is not a matter of if but when", but where we must now also ask "for how long and how deep" a breach has occurred, as it is being revealed the hackers had access potentially for months even after initial detection and remediation attempts,’ says Westin. ‘Governments and businesses should take note that even networks we would expect to be impenetrable are still able to be compromised.’
As for the government’s claims that Russian spies were behind the attack, Westin is sceptical. For the US government to implicate Russia would imply that there is strong evidence of Russian government involvement, and the hacks do follow the US-imposed sanctions on Russia over its actions in Ukraine, which led to the annexation of Crimea early last year.
But given the sensitive and confidential nature of US intelligence agencies’ methods, only a few people will have access to the actual evidence, which may raise suspicions as to the accuracy and veracity of the accusation.
‘A savvy attacker can not only cover their tracks, they can often mislead you into believing someone else is behind the attacks,’ says Westin. ‘I do not think it is a coincidence that this comes on the heels of Obama declaring a national emergency and issuing an executive order regarding cyberthreats. Those investigating this intrusion may have additional evidence that implicates a specific group, and the executive order may be used to go after those deemed responsible with sanctions and other tools at their disposal.’