NSA: Nation State Cyber Attack Included Virtual ‘Hand-to-Hand Combat’

Richard Ledgett / Getty Images

Foreign government hackers caught secretly breaking into a U.S. national security network waged a 24-hour battle with cyber security officials trying to counter the cyber attack, the deputy director of the National Security Agency said Tuesday.

Richard Ledgett, a veteran cyber spy who will retire soon as NSA’s No. 2 official, said the virtual battle inside a U.S. government computer network in late 2015 represented a new phase in the ongoing covert cyber wars.

“It was a nation state actor who had gotten in and what we saw for the very first time, the adversary, once we detected them, instead of disappearing they fought back,” Ledgett said during a conference on cyber threats.

“So it was basically hand-to-hand combat in a network where we would take an action [and] they would then counter that,” he said.

Ledgett declined to identify the nation state or the government agency involved in the cyber battle.

The incident involved NSA cyber defenders who detected the hackers and were able to remove the command and control channel the hackers used to control malicious software that had been installed.

After the malware was removed, the hackers were able to counter the security measure by introducing a new channel to control the network.

“Actually one of the advantages NSA brings to this is our defenders also have access to our foreign intelligence capabilities so we were out in adversary space so we were able to see them teeing up new things to do,” Ledgett said.

For around 24 hours, NSA cyber officials fought off the sophisticated hackers in a thrust-and-parry cyber fight.

“That’s a new and novel interaction between a cyber attacker and a defender,” he said. “So that was a little bit of a game changer.”

Ledgett said the current government system for responding to cyber attacks is broken and hamstrung by bureaucratic red tape.

Government agencies need better integration and more agility in responding to cyber attacks.

The NSA deputy chief compared the problem to a burning house.

“A current model is a house catches on fire, you call the mayor to see if he can call the water department to turn on the water,” Ledgett said.

“Then you go to the city council to get funding so the fire department can send a truck to the house. By the time that happens, your cyber house has burned down.”

The current system is “not one that is going to be successful going forward, so we need something different.”

Government needs a new entity with people, authorities, and capabilities that can be used quickly “without having to go back to headquarters and ask for a ‘mother, may I,’ each time,” he said.

Another shortcoming is that the largest repository of cyber security knowledge—the U.S. government, Defense Department, and the military’s Cyber Command—are constrained from assisting the private sector, where most critical infrastructure is owned.

The gap between the government’s capabilities and those of the private sector needs to be closed within legal and intelligence constraints, Ledgett said.

Ledgett said there are three general categories of cyber threats: Theft of information through government or private sector cyber espionage, denial of service attacks, and destructive attacks.

Ledgett said Russia poses the most sophisticated nation state cyber threat, followed by China. Iran and North Korea represent other nation state cyber threats.

Last week, the Justice Department indicted four Russians—two FSB intelligence officers and two criminal hackers—for breaking into 500 million Yahoo email accounts. The case highlighted the increasingly blurred lines between nation state and criminal cyber threats.

Paul Abbate, the FBI assistant director in charge of the cyber crime branch, appeared with Ledgett. He said the Yahoo case highlighted the “blended threat” of government-criminal hackers.

Abbate said the FBI needs to focus more on protecting elections and political campaigns from attacks in anticipation of future cyber attacks such as the Russian election influence operation.

The FBI, NSA, and CIA issued a report in January that described a cyber-enabled influence campaign carried out by Russia’s FSB security service and GRU military intelligence service to influence the outcome of the presidential campaign.

FBI Director James Comey confirmed to Congress on Monday that FBI counterintelligence agents are investigating whether Trump campaign aides collaborated with the Russians in the operation.

Ledgett said the evidence that Moscow directed an election hacking operation to influence the 2016 presidential election is “irrefutable.”

Similarly, Ledgett said North Korea’s role in the December 2014 cyber attack against Sony Pictures Entertainment had been confirmed conclusively.

Ledgett said cyber security analysts recently linked North Korean hackers operating under the code name Lazarus to a cyber attack carried out on a Bangladesh bank that netted the communist state around $100 million.

The hackers involved in the bank attack were “tied forensically” to the hackers behind the Sony Pictures attack, he said.

The hackers exploited the Society for Worldwide Interbank Financial Telecommunication, known as the SWIFT bank transfer system, to electronically siphon $950 million from a Bangladesh bank, but bank security stopped $850 million of the theft.

Other banks in Asia also were hit by the North Korean hackers.

The cyber security firm BAE Systems, in a report, identified distinctive computer code that was used by Lazarus hackers to erase their tracks in the Bank Bangladesh heist as similar to malware detected in the Sony attack.

The heist is believed to be the first-known nation state cyber attack on a bank aimed at financial gain.

Ledgett was asked about the emerging threat posed by the “Internet of Things,” or the thousands of Internet-linked devices from video cameras to medical devices.

Currently, Ledgett said, all cellular devices are banned from NSA headquarters at Fort Mead, Md. However, some employees use Internet-linked medical devices and the agency is grappling with how to allow those devices to be used.