IT security staff have spent the last few weeks fighting hackers in the White House, after a computer network was breached. But can we tell who was behind the attack?
According to media reports, IT security staff have spent the last few weeks fighting hackers in the White House, after an unclassified Executive Office of the President (EOP) computer network was breached.
Defensive measures taken by the White House’s cybersecurity team to contain the intrusion have resulted in temporary disruption for some services, according to internal memos leaked to the press.
Reports in the Washington Post and Huffington Post share limited details of the alleged attack, and point out that anonymous White House sources are keen to emphasise that there is no evidence that the White House’s classified network has been hacked (which would clearly be more serious).
But even though the breached network wasn’t considered classified, the security team at the White House understandably took the incident seriously – asking some staff to change their passwords, and shutting off intranet and VPN access for a period of time.
Here is part of an internal White House email about the incident, published by the Huffington Post:
In the course of assessing recent threats, we identified activity of concern on the unclassified EOP network. Any such activity is something we take very seriously. In this case, we took immediate measures to evaluate and mitigate the activity. Our actions are ongoing, and some have resulted in temporary outages and loss of connectivity for our users.
Our computers and systems have not been damaged, though some elements of the unclassified network have been affected. The temporary outages and loss of connectivity that users have been experiencing is solely the result of measures we have taken to defend our networks.
What caught my eye though is that the Washington Post report includes a claim that whoever was behind the attack is thought to have been working for the Russian government:
The report goes on to mention recent hacking campaigns that have targeted NATO, the Ukrainian government and US defense contractors – and draws a parallel with those incidents.
Recent reports by security firms have identified cyber-espionage campaigns by Russian hackers thought to be working for the government. Targets have included NATO, the Ukrainian government and U.S. defense contractors. Russia is regarded by U.S. officials as being in the top tier of states with cyber-capabilities.
In the case of the White House, the nature of the target is consistent with a state-sponsored campaign, sources said.
“The nature of the target is consistent with a state-sponsored campaign”. Now, I’m no Sherlock Holmes, but can that be paraphrased to “It was the White House that got attacked, so it was probably a government that did it”?
Although I don’t think anyone would seriously refute that Moscow would definitely be very interested in what goes on at NATO and various other governments, it’s still quite a leap to point the finger of blame at the Russian authorities.
Attribution of internet attacks is *enormously* difficult, as it so simple for those responsible to hide their country of origin, let alone their true identities. As a result, there is a real danger that the wrong country could be blamed – or that an attack isn’t actually the work of a government or intelligence agency at all, but rather a non-state actor.
At the same time, we would be naive to think that Russia wasn’t interested in using the internet to spy on other countries – just as we would be foolish to think that the same tactic isn’t being used by the Americans, the British, the Chinese, the Germans, and so on…
Until more details or some evidence is released, we have to consider that particular allegation unproven.
But if the White House attack is linked to other recent attacks against nation states, that could implicate another of groups, including the so-called Sandworm cyberespionage gang who have been using highly targeted email attacks to infect victims’ systems with the BlackEnergy trojan horse.
Last month, ESET researchers Robert Lipovsky and Anton Cherepanov gave a presentation at the Virus Bulletin conference in Seattle, detailing how the BlackEnergy trojan has evolved over time from having simple DDoS functionality to exploit Word and PowerPoint vulnerabilities and incorporate the ability to spy on targeted computers.
None of us should be surprised that the White House is the victim of internet attacks. It would be my expectation that there are multiple attempts every day to breach its networks, infect the computers of staff working for the US President, and denial-of-service attacks launched against its website.
But the tone of the White House’s internal email suggests that this particular attack has been of greater significance, and resulted in longer disruption to computer services than normal.
Frustratingly, whoever was really behind the attack may remain a mystery forever.