OPM Hack Part of Large-Scale Cyber Attack On Personal Data

DHS report reveals nine large cyber strikes

July 16, 2015

Nine major cyber attacks targeting the personal data of millions of Americans were carried out against federal and private computer networks in the past year, according to an internal report by the Department of Homeland Security.

The July 2 report by the department’s National Cybersecurity and Communications Integration Center stated that two of the incidents involved "millions" and "hundreds of thousands" of stolen personal records respectively in what appears to be a coordinated campaign of bulk personal data theft.

A U.S. defense contractor was also hit by the data breaches.

The report did not identify the hackers behind the attacks, but stated that they were conducted by sophisticated attackers.

The report indicates that the Chinese-origin cyber attacks against Office of Personnel Management networks are part of a larger-scale operation targeting personal data for intelligence or military purposes.

James Clapper, the director of national intelligence, has said China is the leading suspect behind the OPM attacks. Beijing has denied responsibility for the OPM network breaches that President Obama has called a cyber attack.

A total of 22.1 million people, mainly federal workers, had their personal data stolen by the hackers. The information stolen includes sensitive data such as Social Security numbers, fingerprints, passwords, and information used in conducting background screening for security clearances.

The DHS report, "Large-scale PII Breach Incidents," was based on reporting by the U.S. Computer Emergency Readiness Team, or U.S.-CERT, a unit that responds to cyber attacks. The report provided technical details of the year-long campaign of cyber thefts against what it calls "personally identifiable information" or PII.

"US-CERT is aware of approximately nine major security incidents in which PII was stolen from private sector companies, U.S. government agencies, and a cleared defense contractor," the report said.

"The cyber threat actors involved in each of these incidents demonstrated a well-planned campaign and high level of sophistication."

DHS and FBI cyber security spokesmen declined to comment. A White House spokesman referred questions to the OPM press release made public earlier this month.

The OPM recently revised the number of people whose records were compromised from 4.2 million to around 22.1 million in what is being called the worst cyber attack in U.S. history.

The DHS report said between July 2014 and June 2015 both U.S. government and private sector networks suffered "the theft of large amounts of Personally Identifiable Information (PII)."

The nine "bulk PII" attacks were largely the result of failures to follow basic cyber security practices.

James Lewis, a cyber security expert with the Center for Strategic and International Studies, said that China will benefit greatly from the cyber theft.

"It’s a gold mine for Chinese intelligence," Lewis said. "This information lets them get into the Americans’ skin, see how they think and where they might make a mistake."

Additionally, the big data theft will help China gain "insight into who we are that is as important as the possibilities for better recruitment or phishing emails," he said.

"It will take time for the Chinese to absorb this data and figure out how to use it, but it will ultimately give them a real advantage," Lewis said.

The Obama administration has remained largely silent on the cyber attacks, apparently fearful that taking retaliatory action would upset the Chinese.

The government agencies and companies targeted in the cyber attacks were not specified in the DHS report. The hackers also were not identified, though technical indicators reveal links to China and Russia.

Some of the attackers were linked to several of the incidents, the report said.

In two of the incidents, DHS identified the "breach of millions of records containing PII data" and a second involving the loss of "hundreds of thousands" of records.

The millions of compromised records likely refers to the hack of 80 million customers of the health care provider Anthem that was discovered in February.

Many of the attacks outlined in the report involved the downloading of malicious software through "phishing" emails. Among the file names for the malware were "UK NATIONAL LOTTERY AWARD-phish-20140831.pdf," "AdobeARM.log," and "Security Center Update - 3741409451.job."

Domain names used in attacks included "," "," and "" The cn domain is used in China and ru is for Russia.

According to the report, the hackers behind the PII strikes are exploiting common vulnerabilities in general user accounts, not computer administrator accounts.

"Threat actors can conduct business on the network as an authorized user," the report says, noting that doing so "undermines discussion and debate around whether to encrypt data because it doesn’t matter."

The hackers then set up authorized user accounts to read, write, and share encrypted data.

"These cyber incidents have continued to emphasize the importance of network segmentation," the report said. "When an organization’s network is not segmented from others, this could mean hundreds of sub-networks affected versus one."

An FBI alert contained in an appendix to the report states that the hackers have stolen sensitive business information in addition to personal data.

"Information obtained from victims indicates that PII was a priority target," the FBI said, adding that the personal data "has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by these groups."

"Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions," the FBI said.

One technique to gain access, "DNS hijacking," is carried out by compromising domain name registrars—groups that manage Internet domain names.

The attackers then use customized Remote Access Tools, or RATs. The FBI identified four RATs used in recent cyber attacks, including Sakula, which has been used in the past by groups linked to the Chinese military.

Sakula "has the capabilities to launch remote command shells, enumerate processes, download files, and beacon to Command and Control (C2) domains," the FBI said.

Sakula is a sophisticated network penetration tool capable of connecting to multiple access points on a target network remotely.

The other tools are the FF RAT, which downloads malicious files to a computer’s memory, and Trojan.IsSpace, which uses multiple files to connect to networks covertly.

A fourth tool, Trojan.BLT, uses sophisticated software to test a network’s connectivity by establishing a connection with a legitimate website and using that website for attacks.

The report said that 80 percent to 85 percent of all cyber attacks could be prevented by using standard cyber security practices. The measures include using a process to prevent malicious software and unapproved programs from being run, patching and updating security flaws in software, fixing operating system vulnerabilities, restricting administrator privileges, and separating networks into security zones to protect sensitive information.

Air Force Gen. Paul Selva, nominee for vice chairman of the Joint Chiefs of Staff, said in a Senate hearing on Tuesday that the military is working to develop better cyber defenses to protect command and control networks.

"We have put our forces essentially on the offense, looking for people that are intruding into the network," Selva said, mentioning that the work was being done in coordination with law enforcement and intelligence agencies.

"And then we have the capacity to turn those intrusions over to Cyber Command for cyber mission team to begin defensive, and potentially offensive, action if required."

Retired Maj. Brett Williams, now with IronNet Cybersecurity, said the large-scale data hacking is intelligence-related.

"I think it is pure espionage because there's been no evidence so far that any of this information has shown up in the black market that you see on the Internet," Williams told NBC’s Meet the Press.

"And now they'll go back and they'll cull through those records and, like any other intelligence agency, they'll figure out how to use that information in order to further their own objectives."

Richard Clarke, a former White House National Security Council staff official, said the massive data theft poses a serious threat.

The stolen data includes dates of birth; Social Security numbers; and information related to foreign contacts, foreign travel, and medical, addiction, and psychological problems.

"They can use this information to blackmail people. They can use it to steal identities," Clarke said on ABC’s This Week.

Clarke said he does not blame the Chinese but faulted the Obama administration for what he said was "almost criminal negligence."

"We need to take the job of cyber security away from 50 or 60 small government agencies like OPM that clearly can't handle it and create one authority in the federal government that has the mandate and the money to secure cyber space," he said.
