According to State Department spokesman Kurtis Cooper, “the department did detect anomalies in network traffic, and we thought it prudent to ensure our system’s integrity.” The public facts about these ‘anomalies’ are scarce, but they do help shed some light on who may be responsible for the break-ins and what the attackers’ motive might have been.
During July 2006, the US Department of State suffered ‘large-scale’ intrusions into its unclassified computer network. The intrusions appeared to target the State Department’s Bureau of East Asian and Pacific Affairs. Media sources reported that the attackers may have stolen computer account passwords and other sensitive information. Moreover, it appears that the attackers installed ‘back doors’ in the unclassified network, presumably so they could re-enter it at will even after the original entry point was closed. Portions of the network were taken offline, and the State Department reportedly disabled Secure Sockets Layer (SSL) connections to the Internet.
The combination of the following pieces of evidence has led to intense speculation that China, North Korea, or the two working together were responsible for the attacks and the reported theft of sensitive government information. First, the apparent target of the attacks was the Bureau of East Asian and Pacific Affairs, which monitors developments in both countries. Second, the attack occurred during the run-up to North Korea’s recent missile test and, therefore, at a time when both China and North Korea had an interest in knowing US plans and intentions. Third, the existence of a North Korean government-sponsored ‘hacker university’ indicates that North Korea has the skills to carry out electronic espionage. Finally, the belief that the Chinese government tacitly approved or sponsored electronic attacks against the US Department of Defense indicates that China is also capable of this type of attack.
While these facts warrant suspicion of Chinese and/or North Korean complicity, they do not conclusively prove either country’s involvement in the intrusions. Even if the intrusions are traced back to computers in China or North Korea, it is difficult to attribute them to the Chinese or North Korean government: hackers with no affiliation to either government may have hijacked poorly secured computers within those countries and used them as staging points, so the source address of the traffic says little about who was actually behind the keyboard.
Also, it is likely that a country with an established cyber warfare capability such as China or North Korea would not be detected with such apparent ease during an attack. The reports that the State Department disabled SSL connections may indicate that the attackers were exfiltrating stolen data over SSL (typically HTTPS on TCP port 443). Because that port carries routine Internet traffic, an experienced attacker would expect it to be monitored, but would also expect the encrypted, high-volume nature of the traffic to let the stolen data hide among an abundance of legitimate connections.
It is premature to speculate about who was responsible for the attacks against the State Department. Instead, the focus should be on the US government’s responsibility to prevent and mitigate the effects of this type of intrusion. Not surprisingly, the State Department received an “F” on its 2005 computer security report card. This poor grade suggests that the State Department was an easy target for any attacker and, therefore, deserves to shoulder partial responsibility for the theft of information. It is likely that this attack would not have been as successful had State followed routine patch management and a standard defense-in-depth strategy.