Nearly four months after revealing a breach, the U.S. Department of State said on Friday that it was taking down parts of its internet-linked systems in a “short, planned outage” as port of its “ongoing effort to ensure the integrity of [its] unclassified networks against cyber attacks.”
According to a statement, the agency “continues to closely monitor and respond to activity of concern on our unclassified network.” It reiterated earlier claims that “there has been no compromise of any of the Department's classified systems, nor of our core financial, consular, and human resource systems.”
In November the State Department detected “activity of concern” lurking in its systems since October, around the same time as the White House computer network breach. The two incidents appeared to be tied, Jeff Rathke, State Department spokesman, told the Associated Press last fall. The attack on State didn't include any classified systems, the department said at the time.
In February it was discovered that the agency was still grappling with the attackers and had not been able to ouster them from its network. From activity found on the network by outside contractors, it appeared that the attackers were staying a step ahead of the government, modifying the tools they were using to avoid security measures.
“We are leading a team of dedicated experts from other agencies and the private sector that are working around the clock to protect the Department's data,” the agency said in its most recent statement. “We are simultaneously implementing a strategy to harden the Department's infrastructure to better protect its data not only today and tomorrow, but well into the future.”
But Paul Martini, CEO of iboss Cybersecurity, in an emailed statement to SCMagazine.com, noted that “while the State Department claims it is removing the final remnants of the malware, the real question is, ‘how much data could have left the network in those vulnerable months?'”
Acknowledging that any organization with an internet-connected system is likely to be breached, Martini said “That does not make it acceptable for gigabytes of data to potentially leave the network in the gap of time it takes to address the malware.”
He said the primary focus should be on “where is the malware and what the malware is trying to do."