April 4, 2017
It Took ‘Hand to Hand’ Cyber Combat for NSA to Remove Russian Hackers From State Department Networks
By Ellen Nakashima, Washington Post
Whenever National Security Agency hackers cut the attackers’ link between their command and control server and the malware in the U.S. system, the Russians set up a new one, current and former U.S. officials said.
The new details about the November 2014 incident emerged recently in the wake of a senior NSA official’s warning that the heightened aggression has security implications for firms and organizations unable to fight back.
“It was hand-to-hand combat,” said NSA Deputy Director Richard Ledgett, who described the incident at a recent cyber forum, but did not name the nation behind it. The culprit was identified by other current and former officials. Ledgett said the attackers’ thrust-and-parry moves inside the network while defenders were trying to kick them out amounted to “a new level of interaction between a cyber attacker and a defender….”
Fortunately, Ledgett said, the NSA, whose hackers penetrate foreign adversaries’ systems to glean intelligence, was able to spy on the attackers’ tools and tactics. “So we were able to see them teeing up new things to do,” Ledgett said. “That’s a really useful capability to have.”
The State Department had to shut down its unclassified email system for a weekend, ostensibly for maintenance purposes. That was a “cover story,” to avoid tipping off the Russians that the government was about to try to kick them out, said one former U.S. official.
The NSA defenders, aided by the FBI, prevailed over the intruders, who were working for a Russian spy agency. Private sector analysts have given the hacking group various names, including Cozy Bear, APT29 and The Dukes. That group also compromised unclassified systems at the White House and in Congress, current and former officials said.
The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians’ computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.