Chinese Military Linked to Hack of Data on 4 Million Government Workers

Obama passive cyber policies faulted

June 5, 2015

U.S. intelligence agencies have determined with moderate confidence that the hacking of information related to 4 million current and former government workers was carried out by the Chinese military in what security officials says was likely a state-sponsored cyber attack.

"It is fair to say this is a Chinese PLA cyber attack," said one official familiar with intelligence reports of the hacking.

The assessment that the People’s Liberation Army was behind the hacking is based on a forensic analysis of the software used in the attack and other technical indicators, officials said.

The records compromised on the 4 million people were discovered in April by the Office of Personnel Management, the government’s clearinghouse for data on current and former workers, including more than 700,000 who hold security clearances.

Few details of the hacking were disclosed by OPM in an announcement Thursday. However, the agency said it is restricting "remote access for network administrators and restricting network administration functions remotely," an indication that the hackers were able to break into the network and gain broad, administrator-level access.

DHS spokesman S.Y. Lee declined to comment on the Chinese military link to the hacking.

"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," Lee said in a statement.

The malicious software used in the attack has been dissected and its signatures are being used to prevent further intrusions, a DHS official said.

OPM is also reviewing all remote network connections to ensure "that only legitimate business connections have access to the internet," the personnel agency said in a statement. The office is also using anti-malware software on all networks "to protect and prevent the deployment or execution of tools that could compromise the network."

Similar major data breaches in the past have involved the use of false emails to lure computer administrators and others with access into loading malicious software into networks. The malware is then used to learn passwords and other access data to download large amounts of data from the networks. The information is then downloaded to remote servers.

The stolen data involves "personally identifiable information," the OPM said, including Social Security numbers of federal workers. Other PII data includes dates of birth, medical, educational, financial, employment, and family members’ information.

Such information can be useful for criminals engaged in identity theft, credit card fraud, and other criminal activities.

However, security officials said the stolen OPM information would be a boon for China’s foreign intelligence services, which include the Ministry of State Security, the Second Department of the PLA General Staff, the military’s spy service known as 2PLA, and the Third Department, the signals intelligence unit known as 3PLA that is believed to be in charge of cyber warfare and cyber espionage.

Chinese military hacking is among the most secret parts of Beijing’s large-scale high-technology military buildup.

The data will likely be used by the Chinese for traditional intelligence operations, such as recruitment of spies and economic espionage, as well as for cyber reconnaissance—preparing enemy computer networks for cyber attacks and sabotage in future conflicts.

Cyber security analysts say the personal data will be exploited to identify key government personnel who have access to classified or sensitive information. Once identified, those people can be targeted in hacking schemes to gain information that could be used in either direct cyber attacks or for social engineering ploys—the use of personal interactions to obtain information useful in gaining secret access to computer networks.

"The spying business is all about people—who they are, who they know, what they do, what they touch, the mistakes they’ve made in their personal lives," said Michelle Van Cleave, former national counterintelligence executive, a senior counterintelligence policymaker.

"And that’s exactly the kind of information you find in the personnel files at OPM," she said. "A foreign intelligence service can use that data for spotting and assessing possible sources in the U.S. government, or for gaming the system to train, recruit and implant their own spies."

Additionally, the hackers could use their access to OPM networks to change or corrupt data or to implant false information, raising new fears of the integrity of the government’s entire personnel file system, Van Cleave said.

"The scope of this breach is so staggering, you have to ask what the analysis of these personnel records may reveal about other things, such as sensitive government operations around the world," she said. "Where people have been posted or traveled, on what dates, their expense reports, contact reports, support requests, may be just the yellow brick road an adversary is looking for."

OPM sought to defend the breach in a statement saying the hacking was discovered as a result of tighter cyber security measures initiated by the agency.

"As a result, in April 2015, OPM detected a cyber intrusion affecting its information technology (IT) systems and data," the agency said. "The intrusion predated the adoption of the tougher security controls."

The OPM cyber attack is the latest in a string of security failures under the Obama administration. Others include the compromise of some 250,000 classified documents to Wikileaks by Army Sgt. Bradley Manning, and the theft of thousands of top-secret National Security Agency documents by NSA contractor Edward Snowden.

Cyber attacks linked to China have been numerous in recent years. They have included major intrusions and data theft from government, military, and defense contractor networks.

NSA documents made public earlier this year revealed that Chinese cyber attacks gained more than 50 terabytes of data—a huge amount—from U.S. defense and government networks. The lost information included details of the F-35 Joint Strike Fighter’s stealth radar and engine secrets.

The Chinese also hacked the U.S. Transportation Command’s Single Mobility System that is used to plan troop and equipment deployments by aircraft, ship, road, and rail during military operations. Compromising that network could be used to disrupt key logistics and force movements in wartime.

The NSA estimated in a briefing slide published by Der Spiegel that Chinese hackers had carried out more than 30,000 cyber attacks as part of a massive defense industrial espionage program, and that more than 500 attacks involved "significant intrusions in DoD systems."

Some 1,600 network computers have been penetrated by the Chinese and at least 600,000 user accounts were compromised, the NSA said, adding that damage was estimated to cost more than $100 million, mainly for rebuilding information systems.

Despite years of damaging Chinese cyber attacks, the Obama administration has taken a passive approach to the problem. Critics say the softline approach has encouraged further cyber strikes.

White House cyber security official Michael Daniel said in a speech last year that offensive and retaliatory cyber attacks would be limited by the administration in favor of using "network defense and law enforcement" methods.

Sen. James Inhofe (R., Okla.), a senior member of the Senate Armed Services Committee, criticized the administration for not doing more to secure U.S. networks.

Last year, Inhofe said the committee uncovered China’s hacking of Pentagon networks and gaining access to the movement of military goods.

"We took action as a committee, but the administration has done nothing," Inhofe said.

"Now we have federal employees getting countless files stolen," he said. "The failure by this administration in developing a cyber deterrence policy, acknowledging cyber attacks against America, and penalizing cyber attacks by foreign countries, have left our country, our people and our businesses more vulnerable."

Inhofe said the president needs to take stronger action or "our nation will continue to be confronted with cyber aggression by countries like China, Russia, North Korean, and Iran, placing our nation’s cyber infrastructure at greater risk."

In the House, Rep. Mike Pompeo, (R., Kan.), a member of the House Permanent Select Committee on Intelligence, said: "I think it’s fair to say this administration continues to reach out its hand to China and have that hand rejected in ways that are posing enormous risks to the American security."

If the early indications of a Chinese role are confirmed, "this will be one more indication of a hostile, increasingly-aggressive Chinese government that has every intention of expanding its power around the world—as long as it meets no resistance from America," Pompeo said.

Senate Armed Services Committee Chairman John McCain (R., Ariz.) said the data breach reveals the weakness of current U.S. cyber security strategy. "We cannot sit idly by, accepting a situation in which persistent cyber attacks and data insecurity are the new norm," McCain said. "Our top priority must be finding ways to deter our enemies from attacking in the first place and ending the ability of hackers to infiltrate, steal, and disrupt with impunity."

White House National Security Council spokesman Ned Price declined to comment. He referred questions to OPM.

OPM spokesman Samuel Shumach said: "OPM does not assign attribution to cyber crimes."

Last year, the Justice Department indicted five PLA hackers for cyber attacks on key private sector networks, including those of Westinghouse Electric, a major nuclear power supplier, U.S. Steel, Alcoa and several other entities.

However, as the OPM hack reveals, the indictments have not lessened aggressive Chinese cyber attacks.

U.S. and Chinese officials will meet later this month as part of the Strategic and Economic Dialogue when cyber security is expected to be a topic discussion. China, however, cut off formal cyber security talks after the May 1, 2014, indictment of the five PLA hackers.

In March, the commander of the U.S. Cyber Command, Adm. Mike Rogers, appeared to disagree with the passive White House approach to cyber attacks.

Rogers told the Senate Armed Services Committee that the U.S. government is at a "tipping point" on whether to continue the defensive strategy or to broaden the approach by using offensive counterstrikes in cyber space as part of a plans to deter further attacks. "We also need to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence," Rogers said.

The FBI and the Department of Homeland Security are investigating the OPM hacking.

OPM said it will begin notifying government employees beginning Monday about the data compromise.

Federal workers are being urged to monitor bank accounts and credit cards. OPM is also offering credit monitoring services as well.

"Protecting our federal employee data from malicious cyber incidents is of the highest priority at OPM," OPM Director Katherine Archuleta said in a statement.

The office also warned federal works to be suspicious of unsolicited phone calls, visits, or email messages from anyone asking about employees or internal information.

Also, employees were told to avoid sending sensitive information over the Internet and to avoid "malicious websites" that may appear legitimate.