The Great 2014 Chinese Hack of The United States Government’s Personnel Office Last Updated 2.4.16 By Dr. Tim Dosemagen

Page 1: Great Chinese Hack of the United States Government's Personnel Office in 2015

Dr. Tim Dosemagen
– USAF Cryptologic Analyst during Carter and Reagan Administrations
– 3 years intelligence collection in South Korea; visited North Korea; conversational in spoken and written Korean
– Temporary duty in Okinawa, Hawaii
– 2 years instruction in Chinese at Defense Language Institute, Monterey, CA; fluent in spoken and written Chinese
– Worked at National Security Agency’s Ft. Meade Facility during Reagan Administration

East Asian Expertise
– 5 years living and working in East Asia (China, Taiwan, Japan, Korea)
– 13 visits to Taiwan
– 3 visits to People’s Republic of China; introduced Dr. Peter F. Drucker EMBA in Beijing
– Lectured in Shanghai on the ramifications of the attacks of 9.11.01
– Instructed MBA to USAF pilots at Misawa AFB, Aomori, Japan
– USAF Commendation & Achievement Medals
– Joint Service Achievement Medal

The Evolving U.S. – China Relationship: From Big & Little Brothers to Equals

Mutual Dependence & Shifting Powers
– Chinese ownership of US Debt
– US investment in Chinese businesses and development
– Chinese – US military exchanges
– US brain drain of Chinese citizens
– Chinese theft of US intellectual property
– Most Favored Nation Status

Balancing Alliances With Russia / USA
– A long, common border
– Treaty of Nerchinsk
– Treaty of Amur
– War in the 1960s
– Great Gas Deal of 2015
– Fought US to a draw in the early 1950s Korean War
– Fought US to a defeat in the 1960s/70s Vietnam War

PLA Unit 61398
– Military Unit Cover Designator 61398, People’s Liberation Army
– Advanced Persistent Threat Unit
– Source of Chinese Computing Hacks
– Datong Road, Pudong, Shanghai, PRC facility
– Staffed by 4,000 Agents
– Created in 2001

Nabbing PLA Unit 61398
The infiltration was discovered using the United States Computer Emergency Readiness Team’s (US-CERT’s) EINSTEIN Intrusion Detection Program; the infiltration itself predated the EINSTEIN deployment, which began in March, 2014.

The infiltration may also have been discovered during a product demonstration of CyFIR, a commercial forensic product from CyTech Services, a security company in Manassas, Virginia.

PLA Unit 61398
– Operates under the 2nd Bureau of the PLA General Staff Department’s Third Department.
– APT1 – has attacked a broad range of corporations and government entities around the world since at least 2006.

PLA Unit 61398
Andy Ozment – US DHS Security official:
– “The attackers had gained valid user credentials to the systems they were attacking, likely through social engineering.”

Ars Technica:
– “At least one worker with root access to every row in every database was physically located in China; another contractor had two employees with Chinese passports.”

PLA Unit 61398
– Indicted by US Federal Grand Jury – 5.19.14, on charges of theft of information and intellectual property from US commercial firms, and planting malware in their computers.
– One of 20 such groups in the PRC.
– Comprised of four large networks in Shanghai, 2 of which serve the Pudong Area.
– The 3rd and 4th Departments are responsible for Electronic Warfare.
– Also known as Byzantine Candor.
– Also known as The Comment Group.

PLA Unit 61398
The group compromises internal software comment features on legitimate web pages to infiltrate target computers that access the sites, leading it to be called The Comment Group.

The collective has stolen trade secrets and other confidential information from numerous foreign businesses and organizations since 2006, including Lockheed Martin, Telvent, and other companies in the sectors of Software, Arms, Energy, Finance, Electronics, Engineering, Aeronautics and Manufacturing.

The group was behind the infamous Operation Shady Rat in 2011, which saw over 70 organizations targeted - including US, Canadian, Taiwanese, Vietnamese and United Nations entities.

PLA Unit 61398
Five Chinese indicted by DOJ on 5.19.14:
– Huang Zhenyu
– Wen Xinyu
– Sun Kailiang
– Gu Chunhui
– Wang Dong

All five operated out of the 12-story Datong Road, Pudong, Shanghai facility.

The Great PRC-OPM Hack of 2015

BBC – 6.5.15
“The US says it faces a ‘dedicated adversary’ and an ‘ever evolving threat’ to the nation’s cyber security, after a major data breach.”

“The hacking of Federal Government OPM computers compromised the records of four million current and former employees.”

“The employees are being told to take precautions, including close monitoring of bank accounts, credit reports, and changing online passwords.”

BBC – 6.5.15
“We’re worried about identity theft,” said Bryan Sivak, a former technology officer with the Department of HHS, “but depending on what information was accessed, I’m more worried about this information being used to illegally access various networks or against individuals directly.”

Every SF-86 Application For A Security Clearance form was compromised – extremely sensitive data.

BBC – 6.5.15
Steve Hodge, former FDA employee: “If anyone had possession of this information, they could impersonate me.”

OPM said it became aware of the data breach in April, 2015, during an “aggressive effort” to update its Cyber Security Systems.

OPM serves as the HR Department for the U.S. Federal Government, issuing Security Clearances and compiling records of all government employees.

Stolen Security Clearance Apps: 1986-2015

OPM Warned Repeatedly
The OPM had been warned multiple times of security vulnerabilities and failings. In March, 2015, the OPM Office of the Inspector General’s semi-annual report to Congress warned of “persistent deficiencies in OPM’s information system security program,” including “incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate plans of action and milestones”.

BBC – 6.5.15
What was stolen?
– Sensitive data on former and current employees
– Security Clearances and background checks dating back to 1985
– Social Security Numbers
– Performance Reviews and Testing
– Birthdays, Addresses, Bank Information and other highly sensitive personal data

Some of the sensitive personal information could be used to access critical weapons systems.

The 21st Century’s Competing ‘Partners’

PRC Foreign Ministry Spokesperson Hua Chunying’s Press Conference of 7.10.15

Recently there are allegations from Washington that Chinese hackers are responsible for security hackings into the US Office of Personnel Management.

What is China’s comment?

“We have stated the Chinese Government’s principle and position on the issue of cyber security many times. All parties should adopt a constructive attitude on the issue.

“It is imperative to stop groundless accusations, step up consultations to formulate an international code of conduct in cyberspace and jointly safeguard peace, security, openness and cooperation of the cyber space through enhanced dialogue and cooperation in the spirit of mutual respect.”

Translation: You guys do the same thing to us – welcome to the 21st Century.

What The Chinese Got

7% of America’s Personal Information
Business Insider: 7.9.15 – “More than 20 million people had their personal information stolen when OPM servers were breached by Chinese hackers last year, sources close to the agency are reporting.”

Estimates of the number of people affected:
– NYT & Government: 21.5 million
– CNN: 22.1 million
– ABC & Reuters: 25 million
– FBI Director James Comey: 18 million

SF-86s
“US Intelligence and Law Enforcement officials are particularly concerned over the theft of forms known as SF-86s that current and prospective federal workers, including certain military personnel, and even contractors submit for Security Clearances.”

“Experts fear the stolen information could be used by the Chinese Government to blackmail, exploit, or recruit US Intelligence Officers, compromising the success and safety of agents operating at home and abroad.”

Worst Breach of Personally Identifying Information Ever

FBI Director James Comey to a Senate Panel:
– “I’m sure the adversary has my SF-86 now.”
– “My SF-86 lists every place I’ve ever lived since I was 18. Every foreign travel I’ve ever taken. All of my family (and) their addresses.”

Worst Breach of Personally Identifying Information Ever

Tinfoil Security CEO Michael Borohovski:
– “The hackers stole SF-86s, which is one of the most extensive national security questionnaires that exists.”
– “Security-wise, this may be the worst breach of personally identifying information ever.”

Hackers who infiltrated OPM had access to the agency’s security clearance system for over a year, giving them ample time to steal as much information as possible from OPM’s database of military and intelligence officials.

Worst Breach of Personally Identifying Information Ever

Michael Adams – Special Operations Command computer security expert:
– “The spies who took the information will know who the best targets for espionage are in the United States…”
– “The theft includes the results of polygraph tests… which is really bad, because the goal of government administered polygraph tests is to uncover any blackmailable information about its employees before it can be used against them… so it’s really a goldmine of blackmail for intruders.”

Conclusions
Security experts agree that the biggest problem with the breach was not the failure to prevent remote break-ins, but the absence of mechanisms to detect outside intrusion and the lack of proper encryption of sensitive data.

OPM CIO Donna Seymour pointed to the agency’s aging systems as the primary obstacle to putting such protections in place, despite having encryption tools available.

Questions and Closing Comments