The Wall Street Journal reports that the U.S. State Department hasn't been able to remove attackers from its network fully three months after a mid-November 2014 breach that forced the department to shut down its entire unclassified email system.
Although officials have worked with the National Security Agency and outside contractors to scan the department's network, and have taken some systems offline, investigators are continuing to see signs of the hackers on State Department computers.
According to the Journal, every time investigators block an attack tool, the hackers tweak the code slightly to avoid detection, then try to get back in.
Investigators told the Journal that it's not yet clear how much data the attackers have taken. Even though the hackers apparently only accessed unclassified email, that still could provide them with access to sensitive information.
And while no official statement has been made about who may have been involved, five people familiar with the details of the breach told the Journal there were links indicating involvement by the Russian government in the attack.
The malware used was similar to tools used by Russia in the past, and the attack appears to be similar to a recent breach of the White House network, which was also linked to Russia.
"We deal successfully with thousands of attacks every day," State Department spokesperson Marie Harf told the Journal. "We take any possible cyber intrusion very serious -- as we did with the one we discussed several months ago -- and we deal with them in conjunction with other relevant government agencies."
Dr. Mike Lloyd, CTO at RedSeal, told eSecurity Planet that the State Department's challenges in removing the attackers should be a lesson for all organizations as they scale up. "Ask any public health official -- to quarantine one house is easy enough, but to root out a disease across a city is far harder," he said. "The Department of State has special pressures, since embassies operate in almost every country in the world, but any large company suffers similar problems."
"Many modern attacks start by fooling a human -- well-crafted phishing attacks are the new normal," Lloyd added. "But compromising one laptop doesn’t generally get the attacker what they want, so they move laterally, looking for a solid hand-hold beyond the initial toe-hold. In fast-moving, modern infrastructure, there is always a weakest server for them to find, and attackers can search for whatever is maintained the least well. This fan-out creates real headaches for defenders, even after a breach is confirmed."
"The only practical response is to map out weaknesses ahead of a breach -- to know where the pockets of infection are likely to be, so that you can efficiently root them out," Lloyd said.
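The "fan-out" Lloyd describes above, one compromised account hopping to many hosts in a short time, is something a defender can look for in authentication logs. The following Python is an added illustration, not code from the article, from the State Department or from RedSeal; it assumes a constructed, simplified logon record format ("timestamp user src_host dst_host") and an arbitrary threshold of four distinct destination hosts inside a ten-minute window, both of which are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real State Department data):
# "timestamp user src_host dst_host" for successful remote logons.
SAMPLE_LOGONS = """\
2014-11-12T09:00:05 alice LAPTOP-17 FILESRV-01
2014-11-12T09:01:10 alice LAPTOP-17 FILESRV-01
2014-11-12T09:03:00 bob   LAPTOP-22 MAILSRV-02
2014-11-12T09:04:30 alice LAPTOP-17 DB-LEGACY-03
2014-11-12T09:05:12 alice LAPTOP-17 PRINT-04
2014-11-12T09:06:40 alice LAPTOP-17 JUMP-05
2014-11-12T09:07:02 alice LAPTOP-17 DEV-06
2014-11-12T14:00:00 bob   LAPTOP-22 FILESRV-01
"""


def parse_logons(text):
    """Parse the assumed whitespace-separated logon format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return events


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Flag users that reach `threshold` or more distinct destination hosts
    within any `window`-long sliding interval.

    Returns {user: sorted list of the distinct hosts reached in the first
    window that crossed the threshold}. Window and threshold are assumed
    values; in practice they should be tuned against a per-user baseline.
    """
    by_user = defaultdict(list)
    for ts, _user_src_dst in ((e[0], e) for e in events):
        _, user, _src, dst = _user_src_dst
        by_user[user].append((ts, dst))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        # Slide a window starting at each event and count distinct targets.
        for i, (t0, _) in enumerate(evs):
            hosts = {d for t, d in evs[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in fan_out_alerts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"possible lateral movement: {user} -> {', '.join(hosts)}")
```

Here "alice" touches five distinct servers in about seven minutes and is flagged, while "bob" reaches two hosts five hours apart and is not. A real deployment would read Windows security events or SSH logs rather than a constructed string, and would set the threshold from each account's normal behaviour so that administrators and service accounts do not drown the signal.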