Hackers Breach White House NetworkAttack on Unclassified Network Leads to Outages
Hackers have breached an unclassified network used by the White House.
See Also: 2016 Social Engineering Report
The White House - known internally as the Executive Office of the President, or EOP - regularly comes under attack from hackers. But this cyber-attack appears to have been more sustained and successful than most, based on the resulting impact. In recent weeks, defending against the attack and mitigating the related breach have resulted in sustained network disruptions or outages, according to an internal e-mail sent to White House staffers, which was published by Huffington Post.
U.S. officials first learned of the network intrusion from an ally, The Washington Post reports. The breach, which was discovered in the past two or three weeks, resulted in intranet and VPN access being deactivated for some periods of time, although the e-mail system has remained active, according to the report.
White House Confirmation
The White House has confirmed the breach, saying in a statement released Oct. 28 that it "identified activity of concern on the unclassified EOP network."
But the White House has declined to comment on who may have launched the attacks. Unnamed U.S. officials told The Washington Post that they suspect the hackers have Russian ties. That observation, however, appears to be based, at least in part, on the White House being a natural target for state-sponsored attack. Multiple security experts have cautioned that in the absence of additional information - or evidence - any conclusions about the identity of the attackers are pure conjecture.
The White House also has declined to discuss what types of information might have been obtained by attackers. "Certainly a variety of actors find our networks attractive targets and seek access to sensitive government information," a White House official says in a statement. "We are still assessing the activity of concern, and we are not in a position to provide any additional details at this time."
The intrusion is being investigated by the FBI, Secret Service and National Security Agency, The Washington Post reports.
Because the attack wasn't immediately discovered, attackers may have had time to study the network and use it as a springboard for targeting other networks or systems. "The interesting thing is that it seems to have been infiltrated for a little bit of time. So that's where you wonder, where could it have gone from there?" University of Surrey computing professor Alan Woodward tells Information Security Media Group. For example, while unclassified and classified U.S. government networks are separated by an air gap, attackers might have tried to install malware onto a system connected to the unclassified, Internet-connected network, and then used it to remotely activate and monitor any connected webcams or microphones and eavesdrop on conversations.
Online attacks that target the White House networks are quite common. "The Executive Office of the President receives alerts concerning numerous possible cyber threats on a daily basis," according to the internal e-mail sent to White House staffers. "We take each of these threats very seriously, and we regularly evaluate our security measures and take action to defend our networks and mitigate those threats."
Furthermore, because the White House network that was breached was Internet-connected, it would be almost impossible to block every related attack. "In some ways, it's not much of a biggie that this network was infiltrated, because it was quite deliberately not secure," says Woodward, who's also a cybersecurity adviser to Europol. "That doesn't mean it's insecure; it just means that it's not handling classified information. And they keep an air gap between that and the secure network. ... [But] I wouldn't be at all surprised if someone was using the non-secure network as an attack vector to try and get to the secure one."
Breach Mitigation: In Progress
The White House is continuing to mitigate this breach. "Our actions are ongoing, and some have resulted in some temporary outages and loss of connectivity for our users," according to the internal White House e-mail.
Those outages have resulted from White House information security staff continuing to battle the intrusion, as well as upgrading defenses. "Our computers and systems have not been damaged, though some elements of the unclassified network have been affected," the internal e-mail reads. "The temporary outages and loss of connectivity that users have been experiencing is solely the result of measures we have taken to defend our networks."
The White House is likely adding additional security controls and monitoring, says Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team. "The key step in any breach is to identify the root cause of the breach and how the attack happened. Once this is done, then steps should be taken to ensure that path cannot be used again by the attackers, or indeed any other attackers," he says. "The next step would be to do a complete review and identify what other measures could be put in place, these could range from improved security awareness training, to implementing additional technical security controls, to improving the security monitoring of the network."
But monitoring has its limits, which is why many government and military agencies don't store sensitive information on Internet-connected systems or networks. "There's only so much that monitoring can do," says Sean Sullivan, a security advisor for Finnish endpoint security firm F-Secure. "Which is why there are isolated classified and Internet connected unclassified networks."
Potential Attackers: Numerous
Security experts say it's too early to tell, for certain, who was responsible for the breach.
"Without any explanation as to what the attack was and the relevant technical details, it is pure speculation to point the fingers at any one nation or even to state it was state-sponsored," Honan says. "The attack could range from an infection by a common computer virus to state-sponsored-level attacks."
Furthermore, any relatively sophisticated group of attackers could be behind the exploit, University of Surrey's Woodward says. "The White House is a very juicy target, and as to who it might be, take your pick," he says. "They're forming in a not-so-orderly queue, I would have thought."
Indeed, numerous nations might want to access information being stored on White House systems. "China was the suspect years ago when the McCain and Obama campaign networks were compromised. The suggested motive was to gain early intelligence on foreign policy position papers," F-Secure's Sullivan says.
Russia, of course, could also have benefited from such an attack. "Given the current political situation with Russia - it seems completely plausible that Russian and/or friends of Russia would be seeking insider information being prepared for the press and public," he says. "Russian security is at this point heavily dependent on its economy and any advance notification of economic action helps Russia prepare a counter-action."
Operation Buckshot Yankee
If Russia was involved, this wouldn't be the first time that attackers with suspected Russian ties had infiltrated a White House network. One of the worst such breaches - at least that have been declassified and detailed publicly - occurred in 2008, when attackers managed to sneak malicious code onto a network operated by U.S. Central Command. Officials said the infection had been introduced via a removable USB drive, dropped in a Department of Defense parking lot by a foreign agent, which a staffer duly picked up plugged into a system connected to the military's central command's IT network.
Mitigating the resulting breach - the project was evocatively named Operation Buckshot Yankee - required 14 months. But the episode also resulted in the creation of the U.S. Cyber Command (see Military Stands Up CYBERCOM as Its Latest Command).