China Believed to Be Behind Largest-Ever US Government Hack


In what is believed to be the largest breach ever of US government computer networks, personal information for 4 million current and former federal employees has been compromised.

Officials suspect that China is behind the campaign, which involved months of stealthy data exfiltration.

The breach was initially thought to have affected only the Office of Personnel Management (OPM) and the Department of the Interior, but further investigation has revealed that the victims come from nearly every government agency. With about 2.7 million people actively employed in the federal executive branch, and 4 million current and former employees affected, it is likely that the compromise touches most of the current workforce. Investigators are still struggling to assess the damage.

Employees of the legislative and judicial branches, and uniformed military personnel, were not affected.

The Department of Homeland Security said it discovered the breach in April, but it wasn’t until May that it became clear that personally identifiable information (PII) had been exfiltrated. The government’s intrusion detection system, known as EINSTEIN, identified the intrusion into OPM's systems and into the Interior Department's data center, which is shared with other federal agencies, but not before millions of records had been copied and removed.

China, meanwhile, denied the allegations and essentially said, “Prove it.”

"Cyberattacks conducted across countries are hard to track, and therefore the source of attacks is difficult to identify," said Zhu Haiquan, spokesman for the Chinese Embassy in Washington DC, speaking to CNN. “Jumping to conclusions and making hypothetical accusations is not responsible and [is] counterproductive.”

But US officials told CNN that hackers working as part of the Chinese military are likely behind the campaign, as part of an effort to build a massive database on American citizens; for what purpose, we don’t yet know. OPM, the government's human resources arm and the agency that conducts background investigations, is a rich target for that effort.

"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," said Rick Holland, an information security analyst at Forrester Research.

Others suspect a more pedestrian motive: money.

“Cyber espionage by state-sponsored actors is in fact cybercrime. China and Russia signed a no-hack agreement last month, likely in part because one is the producer (China) and the other is the marketer (Russia) of today’s cybercrime, now a world-sized cottage industry,” Jason Polancich, founder and chief architect at SurfWatch Labs, told Infosecurity. “PII is becoming major trade around the world, and governments outside the US are scrambling to get a foothold anywhere in the cyber-catalyzed global market economy to gain an advantage.”

Legislators and security experts alike have issued a flood of horrified statements.

"It is disturbing to learn that hackers could have sensitive personal information on a huge number of current and former federal employees—and, if media reports are correct, that information could be in the hands of China," said Senate Homeland Security and Governmental Affairs Chairman Ron Johnson (R-Wisconsin) in a statement. "[The office] says it 'has undertaken an aggressive effort to update its cybersecurity posture.' Plainly, it must do a better job, especially given the sensitive nature of the information it holds."

And according to Rep. Adam Schiff of California, the top Democrat on the House Intelligence Committee, "It's clear that a substantial improvement in our cyber databases and defenses is perilously overdue." He added, "That's why the House moved forward on cybersecurity legislation earlier this year, and it's my hope that this latest incident will spur the Senate to action."

Andy Hayter, security evangelist for G DATA, had this take: “I have to think that it must appear to threat actors all over the globe that the US government's IT systems are full of holes, like Swiss cheese, and the response from the US is to play whack-a-mole every time, in a valiant attempt to close each hole.”

Ouch.

The issue as well is a lack of transparency. “Unfortunately, the real, most helpful details in this latest attack are not being shared outside very stove-piped lines,” Polancich said. “At least not yet. Given the frequency and broad nature of these breaches, the government needs to open kimono from here in a more direct and official way. They need to practice what they preach with respect to information sharing. That would help discovery and response immediately for other industries; just pointing fingers at China is getting old.”

It’s clear that the government, which is still recovering from a hack on the IRS, needs to move past checkbox compliance efforts.

“[It should] regularly conduct complete audits of each and every system, using experienced penetration testers who can help them continuously find and fix vulnerabilities,” Hayter said. “They must put immediate plans into action to close these holes before the bad guys have the opportunity to breach any more systems and steal sensitive information. While these latest breaches at the IRS and OPM only exposed personal information, what’s to stop more sophisticated threat actors who want to jeopardize our homeland security?”
