State Department, White House Hacks Linked
But Officials Mum on Most Details of State Department Breach

The hack of the State Department's unclassified systems, revealed over the weekend, and a similar incident involving the White House network, unveiled last month, are linked, an official says.
"We believe that this activity was linked to the incidents connected to the Executive Office of the President a few weeks ago," Jeff Rathke, a State Department spokesman, said during a Sept. 17 press briefing. Asked if other government agencies' systems might have been breached in the same way, he replied: "I don't have a broader conclusion to draw than that at this time."
The State Department shuttered its unclassified e-mail system over the weekend as a result of the hack (see State Department Shutters E-mail System). At a briefing on Nov. 18, Rathke said the unclassified e-mail system had been restored, as had BlackBerry service. He said department employees still could not access the Internet from the unclassified system, but added it was expected to be restored shortly.
A day earlier, at the Nov. 17 briefing, Rathke wouldn't discuss why he believes the State Department and White House breaches are linked (see Hackers Breach White House Network). He also wouldn't provide specific information on the timing of the breaches and how they happened.

[Video: Excerpt from Jeff Rathke briefing on the State Department breach.]
"We became aware of this intrusion a few weeks ago and we began working immediately with other agencies (he specifically named the Department of Homeland Security) in order to come up with a plan to mitigate it, but I'm not going to get into any further details," he said.
Earlier news reports, citing unnamed government sources, said that hackers with Russian ties might be behind the White House breach. Other reports speculate that the recent hacks of the IT systems of the U.S. Postal Service and the National Oceanic and Atmospheric Administration may have originated in China (see Was VPN Used to Hack Postal Service? and NOAA Reveals Four Websites Compromised). Rathke refused to discuss who might be behind the State Department breach or even acknowledge whether the breach was sponsored by another nation.
Attribution 'Quite Straight-Forward'
But Robert Bigman, the former CISO of the Central Intelligence Agency, says he believes the government knows who breached the IT systems. "It is actually quite straight-forward since they largely make no or few attempts to disguise attribution," he says of the intruders. "Understand that, to date, there has been absolutely no penalty paid for committing cyber-espionage.
"These are classic cyber-espionage operations by China or Russia trying to both obtain access to unclassified but official or restricted information and exploit these systems to determine if they can get access to other systems, especially classified systems."
Josh Cannell, malware intelligence analyst at Malwarebytes Labs, the research arm of the anti-malware company, says hackers seek out weak areas in networks to expose, using them to collect data and as a vantage point into other networks.
"While the affected system was unclassified, this doesn't mean that sensitive data cannot be obtained from these systems," Cannell says. "Unclassified systems still contain information that hackers can use. The e-mail addresses themselves are valuable, for instance, as they could later be used in a spear phishing attack that possibly reopens doors for attackers. What's more, data spills can and sometimes do occur on these networks, intentionally or unintentionally passing classified information through unclassified channels."
Bigman, now an IT security consultant, contends that the breaches hitting various government agencies are not coincidental, but part of a broader pattern by America's adversaries to cull intelligence from government computers. "All of these attacks are directed at collecting information on people, and perhaps their clearances, intellectual property and/or other useful intelligence," he says.
What are the hackers after? According to Bigman, the State Department systems contain considerable sensitive unclassified information on, for instance, policy issues and positions. The Postal Service's systems contain the names of U.S. government employees and how to reach them. The NOAA systems contain information on the science of forecasting weather.
Congressional Inquiry
The State Department breach caught the attention of the ranking member of the House Oversight and Government Reform Committee, who sent a letter on Nov. 17 to Secretary of State John Kerry seeking details about the incident. "The State Department's knowledge, information and experience in combating data breaches will be helpful as Congress examines federal cybersecurity laws and any necessary improvement to protect sensitive consumer and government financial information," wrote Rep. Elijah Cummings, D-Md.
Cummings asked Kerry to provide an account of the cyber-attack, the types of data breached, the number of employees affected, the findings from forensic investigative analyses, a description of the data security policies that govern relationships with vendors, and recommendations to improve cybersecurity law.
Weaknesses Revealed
Recent government studies showed weaknesses in State Department IT security. In the Office of Management and Budget's annual report to Congress last May, the State Department performed poorly on its compliance with the Federal Information Security Management Act, the law that governs federal government IT security. OMB gave the department a score of 51 percent for fiscal 2013, down from 53 percent a year earlier. The average score for all major federal agencies for both years was 76 percent, with six agencies receiving scores of 91 percent or more.
In January, State Department Inspector General Steve Linick questioned the integrity of the department's information security program, saying it was at significant risk because of recurring weaknesses the agency has failed to address.
"Although the chief information officer has verbally articulated his ideas for risk management and continuous monitoring, no documented strategy for either exists," Linick said in January. "The absence of such formal documentation, and its concomitant acceptance by department management, can heighten the department's vulnerability to internal and external information security threats."
The State Department has not provided an official to discuss its cybersecurity and the recent breach. But in January State Department Comptroller James Millette said the department's security officials "respectfully disagree" on the level of severity the IG maintained these weaknesses collectively represent. Nevertheless, Millette said the department was committed to addressing the problems the audit points out.