Fallout Over OPM Breach Report Begins

A report on the U.S. Office of Personnel Management breaches that exposed sensitive data belonging to more than 22 million people has sparked a cavalcade of finger pointing, politicking and squabbling over who knew what first.

Wednesday’s bombshell report on the U.S. Office of Personnel Management breaches that exposed sensitive data belonging to more than 22 million people has sparked a cavalcade of finger pointing, politicking and squabbling over who knew what first.

The scathing report by Republicans on the U.S. House of Representatives’ Committee on Oversight and Government Reform blasted the Office of Personnel Management (OPM) saying two massive breaches that occurred in 2014 and 2015 were the result of outdated government technology and sloppy cybersecurity.

The 241-page analysis of the breaches blames the OPM for endangering America’s national security. In the report, the oversight committee said the OPM should have known better considering it had been “warned since at least 2005 that the information maintained by OPM was vulnerable to hackers.”

According to the report, the attacks were conducted by two China-based hacking groups that go by the names “Axiom Group” and “Deep Panda” that have ties to the Chinese government. Attackers pulled off the attack by exfiltrating data using OPM-related domain names such as opmsecurity.org and opmlearning.org registered to spoofed registry accounts under the name of Marvel superheroes Tony Stark and others.

But the analysis of the OPM breach is under scrutiny by Rep. Elijah Cummings (D-Md.) who said the official report was riddled with errors. Cummings, the ranking minority member of the House Oversight Committee, said the OPM report contained factual inaccuracies. In an interview with Reuters, he said the report’s authors didn’t factor in errors made by OPM contractors. Cummings’ Washington D.C. office did not return requests for comment for this story.

Two of federal contractors figuring prominently into the report are Cylance and CyTech Services. These two firms are caught in the middle of a who-did-what-first battle between Cummings and Republicans on the oversight committee. At stake is a perception that the OPM had its head in the sand unaware it was under attack versus the perception the OPM is an agency that adeptly identified a threat and acted fast to fix it, said James Scott, senior fellow with the Institute for Critical Infrastructure Technology.

“People want to establish how the breach was discovered and who discovered it so they can help prevent a similar attack from happening again,” Scott said. He said that between the Democratic minority and Republican majority oversight committee members, there are a lot of efforts to point blame and to save face.

According to a letter by Cummings (PDF), on April 15 or 16, 2015 an OPM staff member identified an unknown Secure Sockets Layer certificate on the OPM network that was being used to communicate with the known malicious domain opmsecruity[.]org. Malware masquerading as a DLL file was beaconing out to a command and control server. On April 17, the OPM called in Cylance to conduct forensics on the DLL, map the binary and begin remediation efforts.

According to the official OPM report, the timeline on the discovery was different. The oversight committee maintains OPM had Cylance tools at their disposal starting June 2014, but didn’t deploy the technology until April 2015, after its systems were under attack. The OPM report credits CyTech Services for breach detection and remediation efforts that it says began on April 21 and concluded May 1, 2015. The OPM report states the breach was an undisclosed until an “OPM contractor” first identified the suspicious SSL activity on April 15.

“Claims that CyTech was responsible for first detecting the OPM data breaches are inaccurate,” Cummings said.

Neither CyTech or Cylance make a claim to have discovered the breaches.

Another wrinkle has emerged in the relationship between CyTech Services and the OPM. According to CyTech, OPM first used its CyFIR tool as part of a product demonstration and that OPM never paid for a license to use it. This was confirmed by a report from Ars Technica where Samuel Schumach, press secretary for OPM, told the publication: “OPM has never received a request for payment from CyTech for services rendered or licenses provided during the product demonstration they conducted during the 2015 breach response.  If and when OPM receives any such request, OPM will pay any appropriate amounts owed and required by law.”

The OPM’s reaction to the U.S. House oversight report has been a mix of rebuttal and eating humble pie. Acting Director of the Office of Personnel Management Beth Cobert said in a blog post Wednesday: “While we disagree with many aspects of the report, we welcome the committee’s recognition of OPM’s swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies, and processes.

Cobert pointed out the her agency has acted fast to harden OPM’s cyber defenses. Over the past few months OPM has hired a new Chief Information Officer as well as filled a number of new senior IT positions. It also now requires “strong” multi-factor identification for logging onto OPM’s system and has put in place a number of new cyber defense systems.

Suggested articles