"This has impacted some of our unclassified email traffic and our access to public websites from our main unclassified system," an unidentified State Department official told the New York Times.
"We detected activity of concern several weeks ago," State Department spokesman Jeff Rathke told Reuters.
Still, Rathke said, "We have no reason to believe classified information was compromised."
Rathke said the breach appears to be connected to the late October 2014 breach of the White House's computer network.
According to Reuters, while the breach was detected several weeks ago, the State Department's unclassified email system wasn't shut down until this past weekend during previously scheduled maintenance.
Neohapsis senior security consultant Nathaniel Couper-Noles told eSecurity Planet by email that it may well have taken the department that long to verify the breach. "These days, sophisticated hackers may sometimes leave little or no trace of their activities on the systems they attack," he said. "Many businesses may not know they are vulnerable or infiltrated until they are alerted by external parties."
"System monitoring tools can help, but it is often challenging to validate system behavior because the state of affairs is that many systems (both hardware and software, external and in-house) are not well documented," Couper-Noles added. "It often takes considerable research and investment to nail down the details."
The Washington Post reports that "duty officers were using Gmail accounts" while the email system was shut down.
John Fitzgerald, CTO for North America at Wave Systems, told eWeek that the State Department's email system would be a logical target for a wide range of hackers. "An email system contains not only information regarding users in the directory services, but also a wealth of information in the emails themselves," he said. "So if an attacker is able to gain access to internal data repositories -- databases, email systems and file stores -- a great amount of direct and indirect information can be gathered."
"It makes sense if one is trying to collect information on an organization that the attacker might be interested in what is arguably the most commonly used and perhaps most critical collaboration tool," Fitzgerald added.
The breach is the latest in a recent series of attacks on U.S. government networks. The White House attack was attributed to Russian hackers, and recent breaches at the National Oceanic and Atmospheric Administration and the U.S. Postal Service were attributed to China.
RedSeal CTO Dr. Mike Lloyd told eSecurity Planet by email that there's one piece of good news to take from the breach: network segmentation works. "From statements released so far, it's pretty clear that the department does not understand every detail of the breach as yet, and is still looking into what might have been affected, and yet in the same releases, they can categorically say that classified systems were not affected," he said. "Why? Because they have strong network segmentation in place, containing the damage to only a part of their network."
"Once, it was common practice to 'air gap' critical networks, but this has largely broken down, as even the critical networks need to be connected into the wider world," Lloyd added. "Nowadays, smart organizations are moving to enforce strong internal boundary protections, to isolate the most critical parts of a network from the wider parts. This is the same defensive planning that military strategists have used for thousands of years -- build a perimeter, plan for what happens after it is breached, and build an internal keep for the most important assets."
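The point Lloyd makes is that a boundary only contains damage if no chain of allowed flows leads from the compromised segment to the protected one. The following is an added example (not code from the article, RedSeal, or the State Department, whose real topology is not public) that models a small zone-based firewall policy and computes transitive reachability from an attacker's entry point; the zone names, ports and rules are constructed for illustration. It shows how a single "convenient" admin rule from an unclassified segment silently extends the internet's reach into the protected zone, while the same policy without that rule holds.

```python
from collections import deque

# Constructed zones and allow-rules (src_zone, dst_zone, tcp_port).
# A rule means the boundary firewall permits new connections src -> dst on that port.
RULES_WEAK = [
    ("internet", "dmz", 443),                      # public web front end
    ("dmz", "unclass-mail", 25),                   # inbound SMTP relay
    ("unclass-mail", "unclass-workstations", 445), # file shares used by mail admins
    ("unclass-workstations", "classified", 22),    # the hole: an SSH "jump" convenience rule
]

# Same policy with the jump rule removed: the protected zone has no inbound path.
RULES_SEGMENTED = [r for r in RULES_WEAK if r[1] != "classified"]


def reachable_zones(rules, start):
    """Breadth-first transitive closure over allowed flows.

    Returns {zone: path}, where path lists the hops an attacker who already
    controls `start` could chain to reach `zone`, annotated with the port used.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, port in rules:
            if src == cur and dst not in paths:
                paths[dst] = paths[cur] + [f"{dst}:{port}"]
                queue.append(dst)
    return paths


def segmentation_violations(rules, protected, entry_points):
    """Every (entry point, path) pair that lets an attacker reach `protected`.

    An empty list means the boundary around `protected` holds against all
    listed entry points, including indirect hops through intermediate zones.
    """
    violations = []
    for entry in entry_points:
        paths = reachable_zones(rules, entry)
        if protected in paths:
            violations.append((entry, paths[protected]))
    return violations


if __name__ == "__main__":
    for name, rules in (("weak", RULES_WEAK), ("segmented", RULES_SEGMENTED)):
        found = segmentation_violations(rules, "classified", ["internet"])
        print(name, "->", found or "classified zone unreachable")
```

The check is deliberately transitive: a direct rule like `internet -> classified` is easy to spot in a rule review, but the weak policy above never contains one. It is the chain of individually reasonable rules that forms the path, which is why segmentation has to be validated by reachability analysis across the whole policy rather than by inspecting each boundary in isolation.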