The 2014 Russian hack of an unclassified State Department computer system was much more aggressive than previously reported, with one official describing it as “hand-to-hand combat,” according to an article published Monday by The Washington Post.
Over a 24-hour period, the top US network defenders ejected the invaders repeatedly. Just as quickly, the intruders re-entered the hacked computer system, the news organization reported, citing both named and unnamed officials. Whenever the defenders broke a link between the malware in the infected network and a command-and-control server owned by the hackers, the Russians established a new connection. The new details came amid new warnings from the National Security Agency that Russia is likely to employ the same aggressive tactics against the private sector, which has fewer resources and less expertise to fend off such attacks.
“It was hand-to-hand combat,” the Post quoted NSA Deputy Director Richard Ledgett as saying. The official described the incident on a recent forum, but he did not name the nation responsible. Russia was identified by other current and former officials. Ledgett, the news organization reported, said that “the attackers’ push-and-flag moves within the network, as defenders tried to kick them out, amounted to ‘a new level of interaction between a cyber-attacker and a defender’.”
The report comes as both Congress and the FBI are investigating allegations that Russian-sponsored hacking was designed to influence the outcome of the 2016 presidential election. At the same time, the NSA warns that Russia is far from the only country posing a serious threat to the security of US-controlled computer networks. In 2015, details emerged of a Foreign Ministry compromise attributed to Iran’s Revolutionary Guards. The attackers used compromised social media accounts of junior State Department employees as part of a phishing operation. That campaign compromised the computers of State Department and Bureau of Near Eastern Affairs employees and the computers of some journalists, according to a report by The New York Times.
China and, to a lesser extent, Iran have also become more aggressive in their efforts to penetrate US computer systems, the Washington Post article said. Both China and Iran sometimes wage a determined fight against defenders from within compromised networks and “refuse to sneak away when identified,” the paper said, citing current and former officials.
Watching the viewers
The NSA learned of the 2014 State Department compromise from an unnamed U.S. ally who had managed to hack into the invaders while their raid was underway. The ally gained access to both the hackers’ computers and the surveillance cameras in their workspace, a feat that allowed U.S. intelligence officials to monitor the intruders as they worked. The Post identified the hackers as belonging to APT 29 (also known as Cozy Bear and The Dukes). That group also compromised unclassified systems in the White House and in Congress, current and former officials said.
In November, the same attack group reportedly orchestrated a major spear phishing campaign in the hours after Donald Trump won the presidency. The highly targeted emails “were sent in bulk to various individuals in many organizations and individuals involved in national security, defense, international affairs, public policy, and European and Asian studies,” security firm Volexity reported. “Two of the attacks were allegedly forwarded messages from the Clinton Foundation providing insight and perhaps post-mortem analysis of the election. Two of the other attacks were allegedly eFax links or documents related to the election results being reviewed or manipulated. The latest attack claimed to be a link to a PDF download on ‘Why American Elections Are Flawed.’”
The increased fighting spirit serves at least two purposes. One is collecting information of interest to Russian spies; the other is to confront their American counterparts. “They’re sending a message that we have capabilities and that you’re not the only player in town,” an official said.