Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:50 PM
Connect Directly

OPM Breach: Two Waves Of Attacks Likely Connected, Congressional Probe Concludes

Congressional investigation sheds more light on what went down in the massive Office of Personnel Management breach, says data theft was preventable.

Nation-state threat actors that at one point online used the alter-ego monikers of Captain America and IronMan likely worked in tandem in two sets of attacks in order to case the Office of Personnel Management’s (OPM) network and system infrastructure and then systematically steal personal information of more than 22 million Americans, according to the results of a year-long congressional investigation published today.

The House Committee on Oversight and Government Reform, led by chairman Jason Chaffetz (R-Utah), concluded that OPM’s reported data breaches in 2014 and 2015 “were likely connected and possibly coordinated,” which had been a widely held theory by cyber espionage security experts.

“We believe it happened from overseas,” Chaffetz said today at an event at think-tank American Enterprise Institute (AEI) in Washington, DC, announcing the results of the committee’s probe into the OPM breach. He said the committee stopped short of identifying the attackers’ specific origin, however.

The attackers, who security experts believe worked on behalf of the Chinese government for cyber espionage reasons, pilfered the OPM VPN credentials of OPM contractor Keypoint Systems and then were able to move laterally under the guise of a legitimate contractor, Jeff Wagner, OPM’s director of IT security operations, told the House committee during an interview earlier this year.

The report says the March 2014 breach is likely the handiwork of Axiom and the April 2015, Deep Panda aka Shell Crew—both of which were on behalf of a wider attack campaign against federal government employees. Deep Panda is thought to be behind the Wellpoint/Anthem, among other victims, but the report confirms that the 2015 Anthem breach was conducted by another group, not the ones behind OPM.

Both Axiom and Deep Panda are known by security experts as Chinese nation-state threat groups that conduct cyber espionage. The report says the two groups used similar malware, attack infrastructure, and MO’s in their attacks on OPM.

Today’s report, written by the majority Republican staff on the committee, paints a scathing review of the OPM’s response to the first wave of attacks, as well as OPM’s lack of proper user authentication and authorization to its systems and deployment of dated technology, all of which the report said left the agency vulnerable to the attackers.

According to Chaffetz, by the time the US-CERT had notified OPM in March 2014 that a third party had spotted data being exfiltrated from OPM systems, the attackers already had obtained a “roadmap” of OPM’s network and systems to aid in their efforts to further access and pilfer sensitive data.

“We know that by the beginning of 2014, two [attackers] had already penetrated and successfully established a presence on the network” at OPM, Chaffetz said. He added that had the agency been logging network activity, it could have detected the nefarious traffic.

“The documents taken in 2014 gave them an advantage in hacking” further into the OPM systems, he said of the attackers. “[OPM] didn’t know there was a second attacker in their system. They thought there was one, but there were actually two. While OPM was trying to reset and kick out the first, the startling reality is that the second likely related attacker was already roaming … We believe there is a correlation between the two” attackers, he said.

OPM could have thwarted further damage if they had properly secured its data in March 2014 and then “pulled the plug” to protect the security clearance database. The further attack and exfiltration of data “was preventable,” he said.

“It [the OPM breach] will affect people from the mid-80s if they applied for a federal government job then. They may not have gotten a job, and their information was still breached along the way,” Chaffetz noted on the range of data stolen.

The House committee report criticized OPM for not publicly disclosing the 2014 breach, and later declaring the 2014 and 2015 attackers were unrelated. The first attack wave—dubbed by congressional committee as “Hacker X1”—was the attacker searching for security clearance background investigation data who was spotted and then removed by OPM during its incident response phase in May 2014. Meanwhile, “Hacker X2” was still at work unbeknownst to OPM, the report said, and pilfered the background investigations data by early August 2014, and then the fingerprint data in March 2015.

All told, some 21.5 million individuals had their social security numbers, residency and employment history, family, health, and financial history exposed in the massive data breach of OPM's background-check investigation database. Of the 19.7 million individuals who had applied for the background checks, 1.1 million had their fingerprint scans exposed as well. The remaining 1.8 million people affected by the breach were spouses or other members of the applicants' households.

The Democratic ranking minority member of the committee, Elijah Cummings (D-Md.), took issue with the Republican-led committee laying all of the blame on OPM -- including its criticism of then-CIO of OPM Donna Seymour. Cummings maintained in a memo released today that several contractors also had been breached in what likely was a more wide-range attack campaign by the threat group.

“Today’s Republican staff report reaches conclusions that are contrary to the facts we found during our investigation,”Cummings said in a statement. “The Committee’s year-long investigation into the data breaches showed that no one from the Intelligence Community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed.”

Cummings also pointed out that the committee had found there was a “well-planned campaign” by the attackers to go after OPM as well as government contractors the agency worked with, including Keypass and USIS. He also reiterated that earlier reports that contractor CyTech Services first discovered the breach were inaccurate; it was instead found by the agency’s Cylance security tool, CylanceProtect, that it ran after discovering malware on its systems.

OPM previously had been running Cylance’s V scanning tool, but after the April 2015 discovery of suspicious traffic to a so-called ‘opmsecurity.org’ domain that had been registered to “Steve Rogers” (aka Captain America) in April 2014, the agency called in Cylance. The OPM attackers also used the name Tony Stark, aka IronMan, in their hacks.

“We put a man on the ground that afternoon and spent the next couple of days going through everything,” says Stuart McClure, president of Cylance.

OPM then installed Cylance’s Protect endpoint detection and prevention tool across 13,000 of its nodes, and according to the report, malware alerts “lit up like a Christmas tree” as more infections were discovered.

“We found over 2,000 pieces of malware and two different Chinese groups” on their systems, McClure says.

The endpoint installation was too late to thwart the exfiltration, however: the attackers had dropped PlugX on one of the key Microsoft SQL Servers in the agency and by June 23 of 2014, had made their way to the agency’s PIPS mainframe, where the background investigation data was stored. They siphoned that background information by August 2014, personnel records in December of 2014, and fingerprint data in March of 2015, the committee’s report said.

Chaffetz said legacy systems at OPM were unable to support encryption, for example, and that OPM in fiscal years 2013, 2014, and 2015, spent $7 million per year on cybersecurity, “the lowest” among most agencies, which on average spend $13- 15 million, he said. OPM also had “one of the weakest authentication profiles in the government,” with just one percent of its users required to use multi-factor authentication card access to its systems.

He went on to say that OPM didn’t appear to understand the “level of sophistication and seriousness of the attackers” amid an IT environment that was poorly secured.

The report concludes that OPM failed to improve its security over the past decade, despite multiple reports and warnings of deficiencies by the OPM Inspector General, including a poor FISMA audit.

Zero Trust

The report recommends that OPM adopt the so-called “zero trust” model for authentication, where users inside and outside the organization require multiple levels of authentication and authorization to access data.

“The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT team,” the report said. That requires the agency to log all of its network traffic and deploy “strong access controls” for employees and contractors, the report said.

Claude Barfield, a resident scholar at AEI, said the federal government must start approaching cybersecurity more proactively in this age of cyber espionage.i

“We need to be much more proactive and preemptive and not wait for an attack to occur,” Barfield said at today’s event. “To have the capacity to identify attacks from nation-states and state-sponsored and to stop them in process.”

Related Content:




Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/30/2016 | 9:59:59 AM
Cyber security
It is great that congressional probe has been carried out and issues of such stature must be discussed with higher based authorities. It is also important for users to encrypt their data and also deploy vpn server, purevpn, to access the web freely. 
Jon M. Kelley
Jon M. Kelley,
User Rank: Moderator
9/13/2016 | 5:54:31 PM
Quote from the above story:

"Of the 19.7 million individuals who had applied for the background checks, 1.1 million had their fingerprint scans exposed as well. The remaining 1.8 million people affected by the breach were spouses or other members of the applicants' households."


Do the math.  The above qoute shows that people with clearances live & with the help of OPM die alone.  Since ex-spouses & ex-significant others & children are on your report forever, most people with clearances never had a significant relationship, much less a child. 

So, it's no wonder our government is having great trouble attracting people to get cleared, they are a dying breed.


Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).