How the Office of Personnel Management Hack Started
(Bloomberg) -- The vast cyber-attack in Washington began with, of all things, travel reservations.
More than two years ago, troves of personal data were stolen from U.S. travel companies. Hackers subsequently made off with health records at big insurance companies and infiltrated federal computers where they stole personnel records on 21.5 million people -- in what apparently is the largest such theft of U.S. government records in history.
Those individual attacks, once believed to be unconnected, now appear to be part of a coordinated campaign by Chinese hackers to collect sensitive details on key people that went on far longer -- and burrowed far deeper -- than initially thought.
But time and again, U.S. authorities missed clues connecting one incident to the next. Interviews with federal investigators and cybersecurity experts paint a troubling portrait of what many are calling a serious failure of U.S. intelligence agencies to spot the pattern or warn potential victims. Moreover, the problems in Washington add new urgency to calls for vigilance in the private sector.
In revealing the scope of stolen government data on Thursday, Obama administration officials declined to identify a perpetrator. Investigators say the Chinese government was almost certainly behind the effort, an allegation China has vehemently denied.
Facebook of Intelligence’
Some investigators suspect the attacks were part of a sweeping campaign to create a database on Americans that could be used to obtain commercial and government secrets.
“China is building the Facebook of human intelligence capabilities,” said Adam Meyers, vice president of intelligence for cybersecurity company CrowdStrike Inc. “This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals.”
The most serious breach of records occurred at the U.S. Office of Personnel Management, where records for every person given a government background check for the past 15 years may have been compromised. The head of the government personnel office, Katherine Archuleta, resigned Friday as lawmakers demanded to know what went wrong.
The campaign began in early 2013 with the travel records, said Laura Galante, manager of threat intelligence for FireEye Inc., a private security company that has been investigating the cyber-attacks.
By mid-2014, it became clear that the hackers were stockpiling health records, Social Security numbers and other personal information on Americans - a departure from the country’s traditional espionage operations focusing on the theft of military and civilian technology.
“There was a clear and apparent shift,” said Jordan Berry, an analyst at FireEye.
Recognition came too late for many of the victims. Vendors of security devices say health-care companies are spending tens of millions of dollars this year to upgrade their computer systems but much of the data is already gone.
U.S. intelligence agencies were collecting information on the theft of personal data but failed to understand the scope and potential damage from the aggressive Chinese operation, according to one person familiar with the government assessment of what went wrong.
In the last two years, much of the attention of U.S. national security agencies was focused on defending against cyber-attacks aimed at disrupting critical infrastructure like power grids.
But health-care, financial and work-related data has its own espionage value. It can be used in targeted intelligence operations to further penetrate vital U.S. networks or blackmail officials, said Representative Michael McCaul, a Texas Republican and chairman of the House Homeland Security Committee.
Security companies including FireEye and ThreatConnect Inc. say the tactics and technology used in the attacks point to hackers in China, which are consistent with Chinese government espionage. Director of National Intelligence James Clapper said last month that China was “the leading suspect.”
Zhu Haiquan, a spokesman for the Chinese embassy in Washington, denied the allegation and said in an e-mail the Chinese government doesn’t engage in cyber-attacks.
As far back as November 2013, hackers began rummaging through documents for configuring computer servers at the Office of Personnel Management. That breach wasn’t discovered until March 2014, Donna Seymour, the agency’s chief information officer, told a Congressional committee last month. The hackers then returned in June 2014 and went undetected until this past April, she said.
That initial breach gave hackers access to manuals about the agency’s servers and information technology. That, in turn, propelled the second wave of attacks.
“When this plays out, we’re going to find that this was the step that allowed them to come back and why we’re in this mess today,” said Representative Jason Chaffetz, a Utah Republican.
U.S. Investigative Services disclosed last August that it had been breached, and in December a breach at KeyPoint Government Solutions Inc. was revealed. It’s unclear how long hackers were inside the two companies.
Eric Hess, KeyPoint’s chief executive officer, and Rob Giannetta, USIS’ chief information officer, have said their companies weren’t notified about the problems at the Office of Personnel Management, even though they should have been under contractual obligations.
The agency disputes those assertions and says it shared information with the two companies, as well as CACI International Inc., another contractor.
The hackers eventually obtained log-in credentials of a KeyPoint employee in late 2014 which they used to further penetrate the agency’s network.
The cyber-attacks were mostly discovered by accident -- or only once the attackers had time to burrow deeply into computer systems and steal volumes of data. Some of the targets were attacked multiple times.
Attackers were inside health-insurer Anthem Inc.’s Indianapolis, Indiana-based network for 10 months before being discovered, according to a person familiar with the matter, who asked to remain anonymous given the sensitivity of the breach. The company disclosed in February that hackers may have compromised personal data for as many as 80 million people.
Anthem spokeswoman Kristin Binns said the company’s information security procedures worked and enabled the company to detect the cyber-attack.
The Office of the Director of National Intelligence declined to comment on whether it issued specific warnings related to the attacks, but it does routinely provide such alerts, spokeswoman Kathleen Butler said.
Around the same time as the Anthem attack, the FBI warned companies of cyber-attacks from infrastructure within China aimed at stealing sensitive business and personal data. But the alert came more than a year after the attacks first began, private investigators now conclude. Health insurers Premera Blue Cross, serving Washington state, and Carefirst Inc., based in Maryland, disclosed their networks had been breached in May, becoming the latest known campaign victims.
The FBI declined to comment on whether warning signs were missed, but FBI Director James Comey told members of Congress Wednesday that he was also a victim of the Office of Personnel Management attack. The hackers likely now have his SF-86 form, a detailed questionnaire for applying for national security positions in the U.S. government.
“So it’s not just my identity that’s affected, it’s you know -- I got siblings, I got five kids,” Comey told members of the Senate intelligence committee. “All of that is in there, and so the numbers quickly grow far beyond the number of federal employees, which is millions over the last 20 years.”