So the U.S. government has been getting fairly hammered lately with breaches/attacks hitting the White House, USPS (Postal Service) and NOAA.
The latest victim of this onslaught has been the State Department, which had to totally shut down their email systems on November 14th after discovering various ‘areas of concern’.
I wonder who’s going to fall next after this? This seems to be a fairly sustained and systematic attack, perhaps from the same perpetrators (or ‘actors’ if I was to use the new trendy infosec language).
Over the course of the last several weeks, a number of high-profile U.S. federal networks have been breached by attackers. The latest organization to be breached is the U.S. State Department, which had to take its email system offline.
The breach at the State Department follows attacks against the White House, the United States Postal Service (USPS) and the National Oceanic and Atmospheric Administration (NOAA).
The Associated Press, which broke the story on the State Department hack on Nov. 16, indicated that the entire unclassified email system was potentially at risk. The actual State Department email shutdown occurred late Friday, Nov. 14, as areas of concern about the email system were discovered.
Currently, there is no official attribution for the source of the State Department email incident. In the NOAA and White House incidents, reports have alleged that nation-state actors from China and Russia were involved.
Bob Stratton, managing partner at cyber-security accelerator Mach37, told eWEEK that he was somewhat surprised at the State Department disclosure. In general, his view is that the State Department’s discussion of this attack is a constructive development.
“While perfect security is a laudable goal, users of information technology are coming to realize that these events occur even in the face of diligent effort,” Stratton said. “There is some value in not immediately assuming that IT operations and security organizations are incompetent so much as that they are enduring a continuing, innovative, determined stream of network attacks.”
Blame it on Russia or China right? That seems to be the standard answer when it comes to things like this. It is good to see it was announced though and not swept under the carpet like it usually is. It’ll be interesting to see if we get any actual meaty details though (like how the attackers got in, what kind of information was leaked, how they fixed the issues etc.).
But honestly, I don’t see that kind of openness happening any time soon. It would be nice though right?
At this point, Stratton added, he’s more curious about how quickly and effectively a breached agency or company can do damage assessment, and how long it takes for them to perform remediation of the breach with confidence that it was done effectively.
In the State Department incident, the email system was the target, which makes sense considering what sort of information might be present.
“An email system contains not only information regarding users in the directory services, but also a wealth of information in the emails themselves,” John Fitzgerald, CTO North America at Wave Systems, told eWEEK. “So if an attacker is able to gain access to internal data repositories—databases, email systems and file stores—a great amount of direct and indirect information can be gathered.”
There is no question that the use of email as a vehicle for delivery of attacks is extremely popular, and has been for a while, according to Stratton.
“It makes sense if one is trying to collect information on an organization that the attacker might be interested in what is arguably the most commonly used and perhaps most critical collaboration tool,” he said.
In terms of next steps for the government, Fitzgerald said the information gathered from the attacks should be used to investigate whether other areas of the infrastructure have been compromised and look for similar fingerprints in other information systems.
Stratton added that he expects the State Department will be doing a damage assessment to determine what exactly was breached, and the sensitivity and implications of that, as well as developing a remediation plan.
“The question in situations where there is a large set of stored information is, Is there some way that the consistent use of encryption might have prevented the loss of some of this information?” Stratton said. “That is no panacea either, but it can sometimes help to make extracting information through an attack more difficult for the attacker.”
I would imagine an organisation like the State Department has access to some pretty hot forensics/incident response teams though, so they should be able to a fairly quick and thorough investigation of what happened.
That is if it was handled properly and the evidence of tampering hasn’t already been destroyed by some heavy handed internal IT support staff member turning off servers and unplugging switches.
They should have a pretty tight IRP in place to handle things like this though, so the chain of evidence should be pretty legit. Yah, that was an awful lot of ‘shoulds’.