Cyber Incident Victim: Executive Office of the President
Date: Oct 2014
Location: United States of America
Summary
Russian hackers breached the White House's unclassified network by first compromising the State Department through spear-phishing emails disguised as legitimate communications, which delivered malware and gave the attackers persistent access to State Department systems. From that foothold they pivoted into White House networks and obtained sensitive but unclassified information, including presidential schedules; classified systems were not reached because they are kept on separate networks. Investigators identified technical evidence suggesting Russian state-sponsored involvement, though no formal attribution was made. The intrusion highlighted the risk created by trust relationships between interconnected government networks and the ongoing threat from sophisticated foreign actors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 5 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In October 2014, the White House detected suspicious activity on its network and opened an investigation involving the FBI, the Secret Service, and US intelligence agencies. Investigators determined that Russian hackers had first breached the US State Department through spear-phishing campaigns impersonating legitimate State Department employees. These emails delivered malware that compromised employee workstations and allowed the attackers to establish persistent access on State Department systems. The attackers then leveraged this foothold to pivot into White House networks, employing techniques consistent with state-sponsored operations. Although the White House kept its classified and unclassified systems on separate networks, the intrusion compromised unclassified but sensitive information, including President Obama's non-public schedule. Forensic analysis revealed "tell-tale codes" and "markers" indicative of Russian operators, though no additional evidence substantiating the attribution was publicly disclosed. White House Deputy National Security Advisor Ben Rhodes confirmed the separation of classified systems and stated that there was no evidence they had been compromised, though he declined to comment in detail on the specifics of the breach.

The incident was followed by broader US government responses, including President Obama's April 2015 executive order authorizing sanctions against individuals and entities responsible for malicious cyber activity targeting US interests. These measures followed earlier sanctions against North Korea for its alleged role in the Sony Pictures breach, though no direct action was taken against Russia in connection with the White House intrusion at the time of reporting. US officials acknowledged that the attackers may have retained persistent access within State Department networks even after the White House breach was identified, which matters because the State Department had been the initial entry point and any surviving foothold there could be reused. The intrusion highlighted the risk of interagency network connectivity: compromising a less-secure entity (the State Department) gave the attackers a path to a high-value target (the White House). CNN reported that the investigation remained ongoing, with no public confirmation that the attackers had been fully eradicated from the affected systems.
