Three months after the Department of State acknowledged that hackers breached its unclassified email system, government cybersecurity investigators still haven’t been able “to evict them from the department’s network, according to three people familiar with the investigation,” the Wall Street Journal reported Thursday.
The newspaper said that despite the efforts of federal cyber sleuths, outside contractors and the National Security Agency, who have repeatedly scanned the State Department’s network and taken some systems offline, “investigators still see signs of the hackers on State Department computers … Each time investigators find a hacker tool and block it … the intruders tweak it slightly to attempt to sneak past defenses,” the newspaper reported.
It hasn’t been disclosed just how much data the hackers have purloined, but unclassified emails and accompanying materials such as attached reports can still contain sensitive intelligence and other information the State Department would rather not see made public.
Senior counterintelligence and other intelligence officials spoke to Homeland Security Today on background. “A great deal of insight can be gleaned from [the] compromised emails, including following the email threads and identifying other individuals’ emails the hackers might also want to take a look at,” one of the officials said.
Continuing, the official said the hackers still lurking in the State Department’s network also “might be able to identify [through references] important activities, reports, intelligence and what not, even though these are not classified emails. Why, because these are internal emails containing all sorts of correspondence between department officials and personnel.”
“There is the potential that sensitive but not formally classified information is contained in these emails that, from an espionage or foreign policy context, could be extremely valuable – even embarrassing,” another official agreed.
“Given the size and complexity of the State Department, the task at hand becomes even more challenging,” said Darren Hayes, a leading expert in computer forensics and security who has been a consultant on legal cases involving digital evidence. Hayes is assistant professor and director of cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems in New York.
“Many successful breaches today are initiated by an employee clicking on a link in an email. Think about how difficult it must be to prevent employees doing this in an organization with thousands of workers,” Hayes said, adding, “The use of unofficial hacker groups by the Russian government is nothing new, and cyber warfare is often the weapon of choice. It is perhaps no coincidence that this breach occurred when US-Russian relations are at an all-time low with broader sanctions looming.”
“When an organization is hacked — especially by a more sophisticated state-sponsored group — it is problematic to determine when their network was breached and the scope of that breach. Moreover, it may take months for an organization to purge themselves of that compromise,” Hayes explained.
“The disclosure that the State Department can’t easily remove a recent malware infestation is an object lesson for all organizations as they scale up – size is a serious problem. Ask any public health official – to quarantine one house is easy enough, but to root out a disease across a city is far harder,” said Dr. Mike Lloyd, CTO at RedSeal, a security analytics company.
“The Department of State has special pressures, since embassies operate in almost every country in the world, but any large company suffers similar problems. Many modern attacks start by fooling a human – well-crafted phishing attacks are the new normal. But compromising one laptop doesn’t generally get the attacker what they want, so they move laterally, looking for a solid hand-hold beyond the initial toe-hold,” Lloyd said.
“In fast-moving, modern infrastructure,” Lloyd continued, “there is always a weakest server for them to find, and attackers can search for whatever is maintained the least well. This fan-out creates real headaches for defenders, even after a breach is confirmed. The only practical response is to map out weaknesses ahead of a breach – to know where the pockets of infection are likely to be, so that you can efficiently root them out.”