
Missed opportunities detailed ahead of personnel agency hack

7 September 2016, by Eric Tucker

The U.S. Office of Personnel Management is photographed Tuesday, Sept. 6, 2016, in Washington. It was time to purge the hacker from the U.S. government's computers. After secretly monitoring the hacker's online movements for months, officials worried he was getting too close to critical information and devised a plan to expel him. Trouble was, with all their attention focused in that case, they missed the other hacker entirely. A new congressional report provides previously undisclosed details and a behind-the-scenes chronology of one of the worst-ever cyberattacks on the United States, laying out missed opportunities before the break-in at the OPM exposed security clearances, background checks and fingerprint records. (AP Photo/Jacquelyn Martin)

It was time to purge the hacker from the U.S. government's computers.

After secretly monitoring the hacker's online movements for months, officials worried he was getting too close to critical information, so they devised a plan, called the "Big Bang," to expel him.

Trouble was, with all their attention focused in that case, they missed the other hacker entirely.

A congressional report provides previously undisclosed details and a behind-the-scenes chronology of one of the worst-ever cyberattacks on the United States. It lays out missed opportunities before the break-in at the Office of Personnel Management exposed security clearances, background checks and fingerprint records. That intrusion—widely blamed on China's government—compromised personal information of more than 21 million current, former and prospective federal employees; led to the resignation of the OPM director; and drew outrage over changing explanations about its severity.

The report by the House Committee on Oversight and Government Reform faulted the personnel agency for failing to secure sensitive data despite warnings for years that it was vulnerable to hackers. The report concluded that the hacking revealed last year could have been prevented if the agency had put in place basic, required security controls and recognized from an earlier break-in that it was actually dealing with a sophisticated, persistent enemy.

"We had literally tens of millions of Americans whose data was stolen by a nefarious overseas actor, but it was entirely preventable," Rep. Jason Chaffetz, the committee chairman, said in an interview.

"With some basic hygiene, some good tools, an awareness and some talent, they really could have prevented this," said Chaffetz, R-Utah.

The agency's acting director, Beth Cobert, said in a statement that OPM disagrees with much of the report, which she said "does not fully reflect where this agency stands today." She said the hack "provided a catalyst for accelerated change within our organization," including hiring new cybersecurity experts and strengthening its security.

The committee's top Democrat, Rep. Elijah Cummings of Maryland, said he could not support the report because of "several key deficiencies." He said some of the criticism was unfair and that the report failed to properly address the role of contractors in cybersecurity.

The government discovered the first hacking in March 2014. A Homeland Security Department team noticed suspicious streams of data leaving its network between 10 p.m. and 10 a.m.—the online equivalent of moving trucks hauling away filing cabinets containing confidential papers in the middle of the night. The government's Einstein intrusion warning system detected the theft.

"DHS called us and let us know, 'Hey, we think this is bad,'" Jeff Wagner, OPM's director of information security operations, told officials investigating the hack, according to the report.

For the next few months, the personnel office worked with the FBI, National Security Agency and others to monitor the hacker to better understand his movements. Officials developed a plan to expel the hacker in May 2014. That effort included resetting administrative accounts, building new accounts for users who had been compromised and taking offline compromised systems.

"The risk of kicking them out too early had come and gone," Wagner said, "and now the risk was becoming having them in too long, and we didn't want to keep them around any longer than we had to."

The problem was far from solved.

Unknown to the experts, a second intruder posing as an employee of a federal contractor had infiltrated the system weeks before the "Big Bang" and created an undetected foothold. That hacker used a contractor's credentials to log into the system, install malicious software and create a backdoor to the network.

Over the next several months, the hacker moved unchecked through the system and stole sensitive security clearance background investigation files, personnel files and, ultimately, fingerprint data.

That breach went undetected until April 2015, when an OPM contract employee traced the flow of stolen material back to an internet address that had been registered to Steve Rogers, the alter ego of Captain America, indicating a spoof account. By then, sensitive information on millions of American workers had been compromised.

The report also faulted the personnel office for failing to quickly deploy security tools from an outside firm to detect malicious code and other threats. Once used, the tool from Cylance Inc. of Irvine, California, "lit up like a Christmas tree," indicating it found malware throughout the federal computers, a Cylance official is quoted as saying in the report.

"Could they have done better? Absolutely," Cylance founder and chief executive Stuart McClure said in an interview. "But once they had been definitively convinced there was a breach, they took it very seriously."

The congressional report said OPM officials misled the public about the scope of the breach and also by saying the two breaches were unrelated when, instead, "they appear to be connected and possibly coordinated."

"The two attackers shared the same target, conducted their attacks in a similarly sophisticated manner, and struck with similar timing," the report said.

Though the U.S. suspects the hack was an act of Chinese espionage, the House inquiry did not go into great detail about who was responsible. It mentions that the data breaches discovered in April 2015 were likely perpetrated by the group "Deep Panda," which has been linked to the Chinese military.

© 2016 The Associated Press. All rights reserved.


APA citation: Missed opportunities detailed ahead of personnel agency hack (2016, September 7) retrieved 31 July 2018 from https://phys.org/news/2016-09-opportunities-opm-cyber-breach.html

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
