Times Online and AP
The US State Department has revealed that hackers stole data from its network after an employee in Asia opened a mysterious e-mail that allowed them to break into the government’s computer system.
The security breach happened last summer but details have not been revealed until now. A senior State Department official said that sophisticated international hackers had used an elaborate ploy to exploit a design flaw in Microsoft software. Consumers using the same software remained vulnerable until months afterward.
Donald R. Reid, the senior security coordinator for the Bureau of Diplomatic Security, also confirmed that a limited amount of US Government data was stolen by the hackers before tripwires severed all the State Department’s internet connections throughout eastern Asia. The shut-off left government offices without web access in the weeks preceding missile tests by North Korea.
Mr Reid is expected to tell a congressional cybersecurity hearing today that an employee in the State Department’s Bureau of East Asian and Pacific Affairs opened an e-mail message in late May that gave hackers access to the government’s network.
He is not expected to disclose the identities or nationalities of the hackers believed to have been responsible for the break-ins, or to disclose whether American authorities believe a foreign government was responsible.
Bennie Thompson, the chairman of the Homeland Security Committee, said hackers are no longer considered harmless, bored teenagers: “These are experienced, sophisticated people who are trying to exploit our vulnerabilities and gain access to our information.”
The mysterious State Department e-mail appeared legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Mr Reid said. By opening the document, the employee activated hidden software commands establishing what Mr Reid described as backdoor communications with the hackers.
The technique exploited a previously unknown design flaw in Microsoft’s Office software, Mr Reid said. State Department officials worked with the Homeland Security Department and even the FBI to urge Microsoft to develop a protective software patch, but the company did not offer the patch until August 8, about eight weeks after the break-in.
Microsoft said it works as quickly as it can to provide customers with security updates. “If we release a security update that is not adequately tested, we could potentially put customers at risk, especially as the release of an update can lead to reverse-engineering the fix and lead to broader attacks,” Phil Reitinger, Microsoft’s senior security strategist, said. “Updates must be able to be deployed by customers with confidence.”
At the time, Microsoft described the software flaw as “a newly discovered, privately reported vulnerability,” but did not suggest any connection to the US government break-in. It recommended that consumers should not open or save Microsoft Office files they receive from sources they do not trust or files they receive unexpectedly from trusted sources.
The State Department detected its first break-in immediately, Mr Reid said, and worked to block suspected communications with the hackers. During its investigation, however, it discovered new break-ins at its Washington headquarters and other offices in East Asia.
At first, the hackers did not appear to be trying to steal government data and the authorities quietly monitored the hackers’ activity. Then tripwires severed internet connections in the region after a limited amount of data was detected being stolen, Mr Reid said.
He also complained that the State Department’s efforts to deal quietly with the break-in were disrupted by news reports. “We were successful here until a newspaper article telegraphed what we were dealing with,” he said.
Copyright 2008 Times Newspapers Ltd.
Monroe - You're obviously not the sharpest stick in the box. Just because an agency or department is federally funded, it doesn't mean that everybody has free rein to its access. Some of the data, even if it is unclassified, is not for public consumption and is for official use only. Have someone hit you in the head with a clue by four before you compose your next posting.
Eric Richter, Los Angeles, California
There is no privacy anymore. Why should this surprise anyone?
Kim Righetti, Upland, Calif. USA
Monroe, reflect on the fact that there are state secrets and sensitive documents that were procured/developed with "public funds" that are most certainly NOT for public consumption.
Devil's Advocate, San Francisco, CA
This is all publicly acquired information and should therefore be openly available to anyone. That someone would have to go to all the trouble of stealing publicly paid for information is despicable! The state department officials that perpetrate this 'practice' should be prosecuted to the full extent of the law for misuse of public funds!
Monroe Jeffrey, Los Angeles, CA