I was as surprised as most when FBI Director Comey recommended no charges for Clinton over her email server shenanigans. I thought there would be more comments about the way she had the email server sterilized before it was handed over to the FBI. Smells like obstruction of justice to me. To make matters worse, the sterilization sabotaged efforts to investigate the massive 2014 breach of the State Department email system. This 19 Feb 2015 article from the Wall Street Journal touches on the extent of that breach.
Three months after the State Department confirmed hackers breached its unclassified email system, the government still hasn’t been able to evict them from the department’s network, according to three people familiar with the investigation. Government officials, assisted by outside contractors and the National Security Agency, have repeatedly scanned the network and taken some systems offline. But investigators still see signs of the hackers on State Department computers, the people familiar with the matter said. Each time investigators find a hacker tool and block it, these people said, the intruders tweak it slightly to attempt to sneak past defenses.
Investigators believe that hackers first snuck into State Department computers last fall after an employee clicked on a bogus link in an email referring to administrative matters, a type of attack known as a “phish.” That loaded malicious software onto the computer—a common hacker trick that has worked in countless corporate and government breaches.
From there, the hackers spread through the State Department’s sprawling network that includes machines in thousands of offices across the U.S., embassies and other outposts. It isn’t clear why the hackers were able to gain such wide access and whether the State Department routinely cordons off portions of its network to limit such maneuvers. (WSJ)
Could Clinton’s basement email server have been the key that allowed the wider DOS system hack? Unfortunately, the answer to that depends on your political position. We’ll never know for sure since that server was sterilized before it could be analyzed. The open source articles of a year ago attribute the hack to a DOS employee who opened a phishing email enclosure. Could be, but I doubt that’s the end of the story. Why were the DOS and NSA still having trouble eradicating the hostile code in the system months after discovering the breach? Well, it’s my not-so-humble (in this case) opinion that the NSA and DOS are fools if they believe this phishing attack is the only source of malicious code in this system. Prior to Clinton even becoming Secretary of State, I knew hackers were infesting the DOS system and many other government systems. Most of these were kids, although some had government connections. They were in the routers and switches. I bet they’re still there. That’s far more insidious than hacking email servers.
At the time, this DOS breach was billed as the worst attack ever against a government agency. Unfortunately the DOS didn’t hold that dubious record for long. The OPM breach was announced in April 2015. This 8 Jun 2015 article from Ars Technica, “Why the “biggest government hack ever” got past the feds,” is quite informative.
In April, federal authorities detected an ongoing remote attack targeting the United States' Office of Personnel Management (OPM) computer systems. This situation may have gone on for months, possibly even longer, but the White House only made the discovery public last Friday. While the attack was eventually uncovered using the Department of Homeland Security's (DHS) Einstein—the multibillion-dollar intrusion detection and prevention system that stands guard over much of the federal government's Internet traffic—it managed to evade this detection entirely until another OPM breach spurred deeper examination.
While anonymous administration officials have blamed China for the attack (and many in the security community believe that the attack bears the hallmark of Chinese state-sponsored espionage), no direct evidence has been offered. The FBI blamed a previous breach at an OPM contractor on the Chinese, and security firm iSight Partners told The Washington Post that this latest attack was linked to the same group that breached health insurer Anthem.
The OPM hack is just the latest in a series of federal network intrusions and data breaches, including recent incidents at the Internal Revenue Service, the State Department, and even the White House. These attacks have occurred despite the $4.5 billion National Cybersecurity and Protection System (NCPS) program and its centerpiece capability, Einstein. Falling under the Department of Homeland Security's watch, that system sits astride the government's trusted Internet gateways. Einstein was originally based on deep packet inspection technology first deployed over a decade ago, and the system's latest $218 million upgrade was supposed to make it capable of more active attack prevention. But the traffic flow analysis and signature detection capabilities of Einstein, drawn from both DHS traffic analysis and data shared by the National Security Agency, appear to be incapable of catching the sort of tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks. Once such attacks are executed, they tend to look like normal network traffic. (Ars Technica)
The cyber defense community put all its eggs into the Einstein basket. Isn’t that the American way? They put all their hopes and dreams into a massive technical solution. I was a voice in the wilderness arguing for a stronger HUMINT effort. Oh well. Rage against the machine.
This 29 Sep 2015 Washington Post article shows a real life impact of this attack. I wrote of some of the potential impact of this data breach some time ago.
The CIA pulled a number of officers from the U.S. Embassy in Beijing as a precautionary measure in the wake of the massive cybertheft of the personal data of federal employees, current and former U.S. officials said. The move is a concrete impact of the breach, one of two major hacks into Office of Personnel Management computers that were disclosed earlier this year. Officials have privately attributed the hacks to the Chinese government. Because the OPM records contained the background checks of State Department employees, officials privately said the Chinese could have compared those records with the list of embassy personnel. Anybody not on that list could be a CIA officer. (Washington Post)
This 31 Aug 2015 Ars Technica article, “China and Russia cross-referencing OPM data, other hacks to out spies,” alludes to something that I discovered through my time exploring the world of hackers. They are different. They decide who they will trust, share with, hide from and lie to based on their own thought processes and mores. Russian and Chinese intelligence and cyber security agencies have tolerated and sometimes embraced this difference much more effectively than our own IC.
The identities of a group of American technical experts who have provided assistance to covert operations by the US government overseas have been compromised as the result of cross-referencing of data from the Office of Personnel Management (OPM) and other recent data breaches, according to a Los Angeles Times report. The Times' Brian Bennett and W. J. Hennigan cited allegations from two US officials speaking under the condition of anonymity that Chinese and Russian intelligence agencies have worked with both private software companies and criminal hacking rings to obtain and analyze data. (Ars Technica)
I wrote this post and assembled these articles partially in response to Colonel Lang’s question, “Who would the Russian ‘hackers’ have been?” Russia, China, Israel, Wikileaks and many other entities have a wealth of information that they can use whenever they want to the best of their advantage. Or one of these entities can get a wild hair up their ass and release something juicy just for shits and grins. Those who we refer to as “non-state hackers” are far more technically sophisticated, ingenious and patient than we think. They may not be as socially and politically adept as the critters that infest Washington D.C., but that’s what draws me to them. Don’t ever sell them short.
I also wanted to put the consequences of Clinton’s unauthorized basement email server in perspective without excusing her egregious actions in this matter.
As a parting thought, I recommend the USA Network series “Mr. Robot.” It’s the most realistic depiction of the hacker world I’ve seen without actually participating in that world. The second season recently started. Here’s the plot summary from USA Network. That’s a scene from the show in the above picture.
“Young, anti-social computer programmer Elliot works as a cybersecurity engineer during the day, but at night he is a vigilante hacker. He is recruited by the mysterious leader of an underground group of hackers to join their organization. Elliot's task? Help bring down corporate America, including the company he is paid to protect, which presents him with a moral dilemma. Although he works for a corporation, his personal beliefs make it hard to resist the urge to take down the heads of multinational companies that he believes are running — and ruining — the world.”