• United States



Senior Staff Writer

Russian hackers used State Dept. systems to Phish White House staffers

Apr 07, 20152 mins
Advanced Persistent ThreatsCybercrimeData and Information Security

Sources close to the investigation say U.S. State Department used as stepping-stone

 U.S. officials, who have been briefed on the investigation so far, have told CNN that Russian hackers used their access after compromising the U.S. State Department to target sensitive information on the unclassified White House network.

Last October, a White House official told Reuters that suspicious activity had been detected on the Executive Office of the President (EOP) network.

The incident was blamed for an outage on the EOP network a week prior to the story breaking, somewhat aligning with statements given to the Washington Post by officials who noted that the problems on the unclassified network were caused by hackers out of Russia.

CNN’s story however, adds new details to the previous coverage. While the blame is still centered on actors out of Russia, the unclassified network that was breached held sensitive information the hackers are said to have had access to, including real-time non-public details of the president’s schedule.

While the president’s schedule isn’t classified, it’s still a type of information that intelligence and administration officials would rather not be shared with someone outside of the loop.

The White House intrusion is said to have been possible, because the same group of actors had previously compromised the email systems at the U.S. State Department. Around the same time that officials in the White House noticed suspicious activity, the State Department was also investigating a similar incident.

Investigators told CNN that the actors had “owned” the State Department for months, and it isn’t clear if their access has been completely removed. Given the access, investigators believe that someone at the White House fell for a Phishing attack, which resulted in the additional breach.

Shortly before both incidents last October, FireEye released a report focused on APT28, a group believed to be from Russia known for using Spear Phishing as one of their tactics. They’ve been active for at least six years, and focus their energy on targets that are of interest to the Russian government.

“APT28’s characteristics—their targeting, malware, language, and working hours—have led us to conclude that we are tracking a focused, long-standing espionage effort. Given the available data, we assess that APT28’s work is sponsored by the Russian government,” the FireEye report concluded.