The theft of up to 4 million sensitive records of federal employees maintained by the Office of Personnel Management (OPM) likely had a lot more to do with a foreign government’s spying and espionage activities than anything else, US counterintelligence authorities told Homeland Security Today on background because they aren’t authorized to officially discuss the matter.
The breached OPM network is where the agency stores applications for security clearances as well as personal information such as financial data, former jobs, past drug use and foreign contacts of employees. OPM also oversees the security clearance process for many federal employees by using an electronic system called e-QIP, a Web-based, automated system designed to process standard investigative forms for conducting background investigations.
Stored in e-QIP is extensive personal data, including applicants’ financial histories and investment records, children’s and relatives’ names, foreign contacts, past residences and names of neighbors and close friends. Agencies use the information from e-QIP to conduct background investigations of employees in order to determine whether they should be granted security clearances or have them updated.
Such information would be invaluable to a foreign intelligence service, which potentially could find information in these files that could be used to blackmail or otherwise compromise targets to recruit as spies, as Homeland Security Today reported earlier this week in the matter of Russia’s suspected hacking into an IRS network that has raised questions about foreign spy recruitment and blackmail efforts using such information.
US law enforcement officials have said all signs in the OPM attack point to a “foreign entity or government,” which these officials strongly believe involved a Chinese connection. China has been implicated in previous hacks into sensitive US computer networks.
Last July, Chinese hackers were reported to have penetrated government computer networks earlier that year in an attempt to access the personal information of tens of thousands of government employees who have applied for top-secret security clearances.
According to reports, Chinese attackers penetrated OPM as far back as March 2014 before federal authorities detected and blocked the attacks.
A representative at OPM said at the time that monitoring systems alerted the agency as well as the Department of Homeland Security (DHS) to the breach in mid-March 2014. Neither DHS nor OPM said at that time that they’d “identified any loss of personal identifiable,” however.
A senior DHS official who requested not to be named confirmed the intrusion, but said the extent of the breach had not yet been determined at the time. However, an emergency response team was assigned to “assess and mitigate any threats identified.”
A Pentagon report released in April said hackers last year associated with the Chinese government repeatedly targeted US military networks seeking intelligence information.
Beijing was quick to deny the Chinese government had any role in the OPM hacks. At a news briefing Friday, China’s foreign ministry spokesman Hong Lei branded the accusations irresponsible and unscientific.
A year ago, though, the Department of Justice indicted five Chinese military hackers for computer hacking, economic espionage and other cybercrimes directed at six American victims in the US nuclear power, metals and solar products industries. And last July, a Chinese businessman was charged with conspiring to obtain unauthorized access to the computer systems of The Boeing Company and other US companies in an attempt to steal data related to dozens of US military projects.
Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. As a result, in April OPM became aware of the massive security breach affecting data that predated the adoption of these security controls. Officials said the DHS’s EINSTEIN intrusion detection system, which screens federal Internet traffic to identify potential cyber threats, identified the hack of OPM’s systems and the Interior Department’s data center, which is shared by other federal agencies.
Since the incident was identified, OPM has partnered with DHS’s US Computer Emergency Readiness Team (US-CERT) and the FBI to determine the impact to federal personnel. OPM also immediately implemented additional security measures to protect the sensitive information it manages.
Beginning June 8 and continuing through June 19, OPM will be sending notifications to approximately 4 million individuals whose Personally Identifiable Information was potentially compromised in this incident.
As Homeland Security Today reported earlier this week following the breach of an IRS network, in which an untold number of taxpayers’ personal information was stolen, this type of personal information is mostly valuable to a hostile nation-state, terrorist organization or a transnational criminal organization. Matters of financial problems – or a suddenly inordinate influx of unexplained cash – adultery, homosexuality … things like that, ordinarily weigh heavily in the secrecy and spy business. And for very good reason — if you have financial problems or sexual vulnerabilities, you’re prone to blackmail and recruitment. That’s basic spy tradecraft 101.
Homeland Security Today explained that the ability of a hostile foreign power to be able to hack into personal information like health and income tax records, and now OPM records on millions of past and present federal employees – including security clearance background checks for particular programs, operations, etc., – is a counterintelligence goldmine. For example, a spy’s adulterous affair, or an agent’s homosexuality — which in the spy business can still be ruinous to one’s spy career for any number of reasons — or a target’s tax information when combined with the person’s credit report, could reveal financial problems that could be exploited in an attempt to recruit the individual. It’s happened before. And it’s still traditional spycraft, as human nature in these aspects doesn’t change – it’s part of the human condition, or vulnerability in so far as the spying business is concerned.
Last July, the Government Accountability Office (GAO) informed Congress that its auditors “found that about 83,000 Department of Defense (DOD) employees and contractors who held or were determined eligible for secret, top secret or sensitive compartmented information (SCI) clearances, or related interim clearances, had unpaid federal tax debt totaling more than $730 million as of June 30, 2012.”
“If you’re able to combine all that sort of financial information with other information like personnel files and security clearance background data and the like — information like what likely was obtained in the OPM’s security breach – and put it all into one big database, you could run name matching programs and the like and get a very detailed picture of people to potentially try to recruit, blackmail … what have you,” one of the senior counterintelligence officials said on background.
“The theft of personally identifiable information is often linked to financial crimes such as fraud or sale of records on underground markets. However, the OPM incident illustrates a strategic effort to gather data on federal employees — particularly when viewed in light of other recent compromises, such as those that impacted the background investigation firms KeyPoint and USIS,” Ryan Kazanciyan, chief security architect at Tanium, Inc. told Homeland Security Today.
Kazanciyan added, “Nation-state actors conducting espionage could utilize such data to identify cleared personnel and their background history, the organizations that employ them and the people with whom they work. This information could help craft more effective cyber-attacks, such as spear-phishing, as well as direct other human intelligence operations, with the ultimate goal of obtaining access to targeted programs or data.”
“This is more troubling news showing that even the US government isn’t immune from serious breaches. The as of yet unconfirmed number of pilfered records, rumored to be that of over 4 million federal workers, begs the question just how secure access to these databases was. Until we get an official statement from the US government, we can only speculate as to the motives of the hackers, but the fact that the victims are federal employees could point to a nation state led effort,” said Jean Taggart, senior security researcher at Malwarebytes Labs, the research arm of the anti-malware company.
Grayson Milbourne, security intelligence director at Webroot, agreed. He said, “Although details are still coming in, we do know very sensitive data is involved and the attack may have gone on for a prolonged period of time. Until we can understand what level of data access was achieved, we won’t know the full impact. But, based on the characteristics of the attack, it’s likely the perpetrator was a nation-state.”
“Clearly,” he added, “the government’s approach to cybersecurity needs to be reformed, prioritized and accelerated. That the breach might have been carried out by the Chinese does not absolve the OPM of blame. The issue here is the government’s technological failings and what it should be doing to prevent future attacks.”
“The breach at the Office of Personnel Management is an example of the new reality we face where attackers are going after our most sensitive information,” said Eric Chiu, president and co-founder of HyTrust, a cloud control company. “The reported massive breach potentially exposed the personal data of employees in all divisions of the US government, including Department of Homeland Security and employees with top secret security clearances. This will call into question every government employee since this information can be used by nation states and terrorists to identify and target those employees in order to gain access to sensitive environments and data. In addition, as we saw from the recent IRS attack, this data can also be leveraged to steal other confidential information to gain a full financial and personal profile on these employees, putting them at even greater risk.”
“The set of tools being deployed via DHS CDM and EINSTEIN programs will not detect advanced attacks — those that use 0-day exploits,” noted Invincea’s founder and CEO, Anup Ghosh. “Instead, they are useful for discovering known attacks, usually long after the attacker has robbed the shop. The OPM compromise is likely the tip of the iceberg in discovering how pervasively the Fed is compromised. As more CDM and EINSTEIN tools that look retrospectively in logs and networks get deployed, there will likely be more disclosures of breaches.”
Ghosh said, “The commercial sector is brimming with advanced threat protection technology now. Invincea, for instance, is the first firm to achieve certification by the National Information Assurance Partnership (NIAP) Common Criteria for IT Security Evaluation for an endpoint security solution in the Advanced Threat Protection space. This solution can detect and block advanced threats, including 0-day exploits against firms. The Forbes.com attack is an example of where Invincea’s technology detected and blocked chained 0-day exploits against US Defense firms.”
“This latest report of a massive data breach at the Office of Personnel Management is deeply troubling,” said Sen. Tom Carper (D-Del.), ranking member and former chairman of the Senate Committee on Homeland Security and Governmental Affairs.
“Whether it is OPM or the Internal Revenue Service,” he stated, “all Americans deserve the peace of mind that the personal information they provide to the federal government is safe and secure from cyber theft. While the unauthorized release of any personal information is a cause for concern, I am encouraged by the reports that the Department of Homeland Security’s EINSTEIN cybersecurity system played a key role in uncovering this serious cyber attack. OPM must do all that it can to improve its cybersecurity and help any potential victims of this data breach as quickly as possible.”
Carper noted that, “These types of attacks are growing at an alarming rate and continue to victimize and frustrate more and more of us. While our defenses are getting stronger, the attackers are getting more sophisticated. All agencies need to step up their efforts and improve their cybersecurity measures. This effort, however, must be a shared responsibility. Those of us here in Congress have an obligation to ensure that agencies have the funding, the tools, and the authority they need to adequately protect their systems from attack.”
Friday, in response to the administration’s decision to deploy the latest EINSTEIN cybersecurity system across all federal agencies by the end of the year, Carper said, “Just yesterday, we learned about a massive cyber attack on our federal networks, which has the potential to affect millions of past and current federal workers. As more details about this cyber attack come out, one thing is clear: Congress, the administration, law enforcement, industry partners and other stakeholders must work together to stay a step ahead of the evolving cyber threat and do all we can to secure our most sensitive information. The administration made the right decision today in expediting the installation of DHS’s latest generation of the EINSTEIN cybersecurity monitoring and prevention system.”
“As I like to say,” Carper added, “we should find out what works and do more of that. Given that the EINSTEIN system played a key role in uncovering this recent serious cyber attack on the Office of Personnel Management, we need to make sure federal agencies have this system in place as soon as possible.”
“I commend the administration’s steadfast attention and actions on this pressing issue. That being said, cybersecurity is a shared responsibility,” Carper continued. “I look forward to working with my colleagues to follow up on the administration’s actions and ensure that this critical cybersecurity system is properly implemented across the federal government.”