Details released this week of a 2014 breach of a White House network described at the time as unclassified now suggest that the attackers were able to access sensitive information, including the President’s personal schedule. CNN reports that these same attackers earlier successfully hacked the U.S. State Department, causing a shutdown of the entire email system, among other consequences, and that the second detected breach built upon the first. Numerous U.S. security departments have called the activity, carried out by Russian hackers with suspected governmental ties, “among the most sophisticated” they’ve seen, according to CNN.
Further shutdowns of the State Department’s systems have been instituted in the months since the attack was first detected, reports CNET, in order to find more malicious software believed to be deposited by the Russians.
Why does all this matter to your enterprise?
With the knowledge that the attacks included successful spearphishing of authorized users of sensitive data, organizations of all sizes would be wise to examine their own state of preparedness. McAfee discusses the White House breach and offers a list of action items that are useful for both large organizations and individuals: Learn the signs of a phishing attack; use comprehensive security; when you can, use multi-factor authentication; and test your detection skills.
But truly, that is work that you should already be doing. The bigger picture is well-described by MWR InfoSecurity Senior Security Researcher Mike Auty, writing at InfoSecurity Magazine. Nation-state attacks are already being carried out against your company, the malware has already been deposited – probably long ago – and the reaction to this situation is not the same as what your organization would normally carry out in other security-related scenarios:
“By assessing the experience of prior victims of nation-state attacks, it’s clear that there needs to be a change in mind-set in how businesses use and protect IT. Instead of seeing attacks as unusual events brought about by people out to do us direct harm, where our emotions and reflex actions overtake reasoned and rational thinking, these attacks should be viewed as part and parcel of doing business.”
Consider the State Department and White House breaches. Even though the second breach wasn’t fully prevented, we can assume that it was likely observed in real time by security teams monitoring the malware deposited by the Russian hackers in order to gain as much information as possible. Where companies normally detect an anomaly, suspect a breach, and “immediately take the stance that there is someone on their systems trying to do something bad to them, and therefore they want it stopped and gone as soon as possible,” Auty wants more of them to add “a more fruitful approach” when the breach appears to be nation-state related.
In the same way that the attackers probably took their time entering a system, and then took their time to look around and see what they had, the affected company only makes the situation worse if it immediately signals that the breach has been detected and will be rooted out. Better, says Auty, to learn everything there is to learn about the malware and its functions: isolate it, monitor it, study it. Take the upper hand by determining what has been done and where the traffic is headed. Every opportunity to determine the reason for such an attack adds to the IT organization’s depth of knowledge and to the strength of the system’s design.
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+