Over a 24-hour period, top U.S. cyber defenders engaged in a pitched battle with Russian hackers who had breached the unclassified State Department computer system and displayed an unprecedented level of aggression that experts warn is likely to be turned against the private sector.

Whenever National Security Agency hackers cut the attackers’ link between their command and control server and the malware in the U.S. system, the Russians set up a new one, current and former U.S. officials said.

The new details about the November 2014 incident emerged recently in the wake of a senior NSA official’s warning that the heightened aggression has security implications for firms and organizations unable to fight back.

“It was hand-to-hand combat,” said NSA Deputy Director Richard Ledgett, who described the incident at a recent cyber forum, but did not name the nation behind it. The culprit was identified by other current and former officials. Ledgett said the attackers’ thrust-and-parry moves inside the network while defenders were trying to kick them out amounted to “a new level of interaction between a cyber attacker and a defender.”

[State Department shuts down its email system amid concern about hacking]

But Russia is not the only top-tier cyber power flexing its muscles in this way, said other current and former senior officials, speaking on condition of anonymity to discuss sensitive matters.

In recent years, China and to a lesser extent Iran have become more aggressive in their efforts to break into U.S. computer systems, giving fight to defenders from within the network and refusing to slink away when identified, the current and former officials said.

Ledgett, speaking at the Aspen Institute last month, placed the State Department incident in late 2015. But officials at the NSA, which defends the government’s national security computer systems, clarified that it took place in 2014.

Fortunately, Ledgett said, the NSA, whose hackers penetrate foreign adversaries’ systems to glean intelligence, was able to spy on the attackers’ tools and tactics. “So we were able to see them teeing up new things to do,” Ledgett said. “That’s a really useful capability to have.”

The State Department had to shut down its unclassified email system for a weekend, ostensibly for maintenance purposes. That was a “cover story,” to avoid tipping off the Russians that the government was about to try to kick them out, said one former U.S. official.

The NSA defenders, aided by the FBI, prevailed over the intruders, who were working for a Russian spy agency. Private sector analysts have given the hacking group various names, including Cozy Bear, APT29 and The Dukes. That group also compromised unclassified systems at the White House and in Congress, current and former officials said.

[Russian government hackers breach White House computers]

The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians’ computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.

The Russians’ heightened belligerence is aimed not just at collecting intelligence, but also confronting the United States, said one former senior administration official. “They’re sending a message that we have capabilities and that you are not the only player in town,” said the official.

The operation was also an attempt to probe U.S. capabilities, said a second former senior official. “If they can test you in an unclassified network, they can start to test you in a classified network,” he said. “They want to see, is the U.S. government willing to escalate against us? It’s all tactics and looking at responses — not just of an organization. It’s what is the U.S. government willing to do?”

Ledgett said he is concerned that the private sector will not be able to defend itself without greater intelligence being shared from places like the NSA. “We need to figure out, how do we leverage the private sector in a way that equips them with information that we have to make that a fair fight between them and the attacker?” he said.

Michael Daniel, the former White House cybersecurity coordinator and now president of the Cyber Threat Alliance, a nonprofit group, said the issue also highlights how the government and private sector “are going to have to figure out some way to do triage, so that the federal government is focused on the highest threat actors against the highest threat assets.”



Moscow’s assertiveness in 2014 and 2015 reflected a general shift to become more aggressive in its use of cyber tools. In 2015 and 2016, Russian spy agencies hacked the Democratic National Committee’s computers and launched an “active measures” campaign to disrupt the 2016 presidential election, according to U.S. intelligence officials.

China was also stepping up its hacking game in traditional espionage even as it was ratcheting back its operations in commercial cyber theft, the officials said. In September 2015, Chinese President Xi Jinping pledged at the White House that his government’s hackers would not conduct hacking for commercial advantage. Senior U.S. officials have said Beijing appears to have diminished its activity in that realm.



However, as Ledgett noted in an interview at the NSA last month, the agreement applied only to cyber economic espionage. Hacking for political espionage continues. That is “legitimate foreign intelligence,” said Ledgett — something that all countries do, including the United States.