Twenty-four hours after unnamed White House officials said the Office of Personnel Management (OPM) data breach was linked to China, one security company has connected the intrusion to the massive break-ins earlier this year at insurance companies Anthem and Premera Blue Cross, while a D.C. think tank this morning tweeted that the hackers made off with security clearance data going back to 1982.
The OPM not only holds personnel records on government workers, but is also the agency that processes security clearance applications. If that data has indeed been exfiltrated from the OPM network, the identities and personal information of covert operators and others linked to top secret government work have been exposed.
OPM hack: I'm told the Chinese got every security clearance since 1982 (not in WP story). A gold mine for assembling a picture of US intel.
— CSIS Cyber Feed (@CyberCSIS) June 5, 2015
Initially, it was believed the breach was limited to personnel databases that included Social Security numbers and other personally identifiable information. While still valuable to intelligence efforts, that type of data pales alongside the clearance application data.
“This is not generally what we see in these types of breaches,” said John Hultquist of iSight Partners, which connected the OPM hack to the Anthem breach, an attack that has been blamed on the Deep Panda group identified by security company Crowdstrike. “They’re usually after more refined data: policy documents; plans; blueprints. There are a ton of really valuable assets here for follow-on activity. OPM is part of that clearance process. With this data, they’re able to identify things that could be used against you by a foreign adversary.”
Hultquist said iSight was able to spot similar patterns of behavior between the insurance hacks and the OPM breach, including a habit of naming their targets inside the command and control infrastructure. In the Anthem breach, the attackers registered domains called We11point (after WellPoint, Anthem’s former name), which may have been used to phish the insurance companies in order to kick off the attack. Hultquist said iSight found domains similarly named for the OPM.
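The target-naming habit described above is a detection opportunity: look-alike domains built from a brand name with digit-for-letter swaps (We11point for WellPoint) can be flagged in resolver logs. The following is an added example, not code from the article or from iSight. The confusable-character table, the watchlist, the allowlist and every domain in the sample log other than the We11point name are assumptions constructed for the example.

```python
import re

# Single-character confusables attackers swap into brand names.
# The table is an assumption of this example, not taken from the article.
CONFUSABLE_CHARS = {
    "1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "|": "l",
}
# Multi-character confusables, applied before the single-character table.
CONFUSABLE_SEQS = {"vv": "w", "rn": "m"}


def normalize_label(label: str) -> str:
    """Map a DNS label to the brand string it visually imitates."""
    s = label.lower()
    for seq, repl in CONFUSABLE_SEQS.items():
        s = s.replace(seq, repl)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def classify(fqdn: str, watchlist, allowlist):
    """Return (brand, reason) if fqdn looks like a target-named domain, else None.

    reason is "homoglyph" when the brand only appears after confusable
    substitution (we11point -> wellpoint) and "brand-token" when the brand
    is a whole hyphen/underscore-delimited token of a label outside the
    allowlisted zones (anthem-benefits-portal.info). Plain substring hits
    such as "topmodel" containing "opm" are deliberately not flagged.
    """
    host = fqdn.lower().rstrip(".")
    if host in allowlist or any(host.endswith("." + z) for z in allowlist):
        return None
    for label in host.split(".")[:-1]:      # skip the TLD itself
        norm = normalize_label(label)
        tokens = set(re.split(r"[-_]", label))
        for brand in watchlist:
            if brand in norm and brand not in label:
                return (brand, "homoglyph")
            if brand in tokens:
                return (brand, "brand-token")
    return None


def scan_dns_log(lines, watchlist, allowlist):
    """Run classify() over 'timestamp client qname qtype' resolver log lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue            # skip blank or malformed lines
        qname = parts[2]
        verdict = classify(qname, watchlist, allowlist)
        if verdict:
            hits.append((qname, verdict[0], verdict[1]))
    return hits


# Assumed watchlist of protected brand names and legitimate zones.
WATCHLIST = {"wellpoint", "anthem", "opm"}
ALLOWLIST = {"wellpoint.com", "anthem.com", "opm.gov"}

# Constructed sample resolver log; only the We11point name comes from the article.
SAMPLE_LOG = """\
2015-04-03T12:01:44Z 10.20.3.14 we11point.com A
2015-04-03T12:01:45Z 10.20.3.14 wellpoint.com A
2015-04-03T12:02:10Z 10.20.7.2 mail.anthem.com MX
2015-04-03T12:02:31Z 10.20.7.2 login.anthern.org A
2015-04-03T12:03:01Z 10.20.9.8 0pm-benefits.net A
2015-04-03T12:03:30Z 10.20.9.8 cdn.example.net A
2015-04-03T12:03:52Z 10.20.9.8 topmodel.example A
2015-04-03T12:04:12Z 10.20.3.14 anthem-benefits-portal.info A
""".splitlines()

if __name__ == "__main__":
    for qname, brand, reason in scan_dns_log(SAMPLE_LOG, WATCHLIST, ALLOWLIST):
        print(f"{qname:32} imitates {brand:10} ({reason})")
```

Run over the sample log it flags we11point.com, login.anthern.org and 0pm-benefits.net as homoglyph variants and anthem-benefits-portal.info as a brand-token domain, while leaving the allowlisted zones and the "topmodel" substring coincidence alone. In practice the normalization should be extended with Unicode confusables (IDN homographs) and the allowlist fed from the organization's actual registered zones.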
“The major difference between criminal and espionage campaigns is that criminals are all about monetizing commodity data where espionage actors are after esoteric information; diplomatic or political documents, intelligence, intellectual property,” Hultquist said. “Stuff that will give them a competitive advantage.
“This isn’t that type of information. They can use this information as a stepping stone to further activity. It’s a trove of data for targeting certain people and carrying out secondary attacks. It looks like they’re building a toolset for espionage.”
The government is expecting to notify as many as four million people affected by the OPM break-in, the second hack against the agency in little more than a year. A report yesterday in the Washington Post cited officials who said the hackers targeted an OPM database inside the Interior Department and that security clearance information and information on background checks was not part of the affected data. The Post also said the attackers used a zero-day during the hack, but did not say what technology was targeted or vulnerable.
A March 2014 hack targeted clearance data as well. Information in those files includes personal and financial data on individuals and their families. China was blamed for that break-in too. OPM said it had invested in ramping up its detection capabilities, yet admitted it lagged five months in discovering the most recent break-in, which the agency believes started in December but was only discovered in April.
A report from the New York Times said the hack happened before all of OPM’s new detection capabilities were fully in place, and that it was in fact DHS’s longstanding Einstein signature-based detection system that alerted OPM to the breach, according to an OPM spokesperson quoted by the Times. Being signature-based, Einstein could only have fired on indicators already known to DHS, which is consistent with the intrusion going unnoticed for months.