2026 Honoree

Gharun Lacy 

Led a team that discovered and quickly halted a sophisticated cyber intrusion into the State Department’s email accounts by a group with ties to China.

In June 2023, what appeared to be a routine anomaly inside the State Department’s email systems was quickly identified as a sophisticated cyber intrusion that had the potential to escalate into a global threat.  

At the center of the response was Gharun Lacy, deputy assistant secretary at the State Department’s Directorate for Cyber and Technology Security, who, along with his team, unraveled the attack and shut it down in just 10 days—far faster than the months or even years such breaches often persist undetected.  

“It started as a relatively common anomaly,” recalled former federal chief information security officer Chris DeRusha. “What was so impressive was the capability built over years to be able to detect and understand the anomaly as something potentially concerning and Gharun’s leadership instincts and judgment to act.” 

That anomaly turned out to be a highly targeted operation called Storm-0558, with ties to China, that used a stolen encryption key to gain access to Microsoft cloud email accounts. While the attackers initially focused on a small group of U.S. government officials working on China policy, the broader implications were far more alarming. 

“Any user of a Microsoft cloud product was exposed,” Lacy explained, noting that the platform served more than 300 million users worldwide.  

Ambassador Gentry Smith, then director of the State Department’s Diplomatic Security Service, said the speed and precision of the response were no accident. Years earlier, Lacy’s team had begun building custom detection tools based on past incidents, with alerts designed to flag even subtle irregularities. One of those alerts triggered the investigation that exposed the breach.

“Had they not discovered the manner in which we were being attacked, this could have gone undetected for a much longer period of time,” Smith said.  

Once the breach was identified, Lacy coordinated an intense, around-the-clock response that brought together federal agencies, international partners and private-sector engineers. Within hours, a task force was operational and Lacy had consulted with the Five Eyes Cyber Cohort he created several years earlier to enable real-time information sharing among allied nations. Within days, Lacy’s team had traced the intrusion back to its source.  

“Everybody got to the table,” Lacy said. “Microsoft was at the table with us. Sister agencies were at the table with us. The FBI was at the table with us. The intel community was at the table with us. Five Eyes partners were at the table with us.”  

The stakes extended beyond government emails. With access to core cloud systems, attackers could have expanded their reach, disrupted services, or harvested sensitive data for future use. Lacy’s team not only halted the intrusion but also helped identify affected users and strengthen defenses across the broader ecosystem.   

For Lacy, whose career began in surveillance countermeasures, hunting for listening devices in embassy walls and ceilings around the world, the work has always come back to the same mission: “Protect the people, protect the property, protect the data.”  

Getting to test his team against the world’s most sophisticated adversaries, Lacy added, is simply “icing on the cake.”