Nation-state threat actors that at one point online used the alter-ego monikers of Captain America and IronMan likely worked in tandem in two sets of attacks in order to case the Office of Personnel Management’s (OPM) network and system infrastructure and then systematically steal personal information of more than 22 million Americans, according to the results of a year-long congressional investigation published today.

The House Committee on Oversight and Government Reform, led by chairman Jason Chaffetz (R-Utah), concluded that OPM’s reported data breaches in 2014 and 2015 “were likely connected and possibly coordinated,” which had been a widely held theory by cyber espionage security experts.

“We believe it happened from overseas,” Chaffetz said today at an event at think-tank American Enterprise Institute (AEI) in Washington, DC, announcing the results of the committee’s probe into the OPM breach. He said the committee stopped short of identifying the attackers’ specific origin, however.

The attackers, who security experts believe worked on behalf of the Chinese government for cyber espionage reasons, pilfered the OPM VPN credentials of OPM contractor Keypoint Systems and then were able to move laterally under the guise of a legitimate contractor, Jeff Wagner, OPM’s director of IT security operations, told the House committee during an interview earlier this year.

The report says the March 2014 breach is likely the handiwork of Axiom and the April 2015, Deep Panda aka Shell Crew—both of which were on behalf of a wider attack campaign against federal government employees. Deep Panda is thought to be behind the Wellpoint/Anthem, among other victims, but the report confirms that the 2015 Anthem breach was conducted by another group, not the ones behind OPM.

Both Axiom and Deep Panda are known by security experts as Chinese nation-state threat groups that conduct cyber espionage. The report says the two groups used similar malware, attack infrastructure, and MO’s in their attacks on OPM.

Today’s report, written by the majority Republican staff on the committee, paints a scathing review of the OPM’s response to the first wave of attacks, as well as OPM’s lack of proper user authentication and authorization to its systems and deployment of dated technology, all of which the report said left the agency vulnerable to the attackers.

According to Chaffetz, by the time the US-CERT had notified OPM in March 2014 that a third party had spotted data being exfiltrated from OPM systems, the attackers already had obtained a “roadmap” of OPM’s network and systems to aid in their efforts to further access and pilfer sensitive data.

“We know that by the beginning of 2014, two [attackers] had already penetrated and successfully established a presence on the network” at OPM, Chaffetz said. He added that had the agency been logging network activity, it could have detected the nefarious traffic.

“The documents taken in 2014 gave them an advantage in hacking” further into the OPM systems, he said of the attackers. “[OPM] didn’t know there was a second attacker in their system. They thought there was one, but there were actually two. While OPM was trying to reset and kick out the first, the startling reality is that the second likely related attacker was already roaming … We believe there is a correlation between the two” attackers, he said.

OPM could have thwarted further damage if they had properly secured its data in March 2014 and then “pulled the plug” to protect the security clearance database. The further attack and exfiltration of data “was preventable,” he said.

“It [the OPM breach] will affect people from the mid-80s if they applied for a federal government job then. They may not have gotten a job, and their information was still breached along the way,” Chaffetz noted on the range of data stolen.

The House committee report criticized OPM for not publicly disclosing the 2014 breach, and later declaring the 2014 and 2015 attackers were unrelated. The first attack wave—dubbed by congressional committee as “Hacker X1”—was the attacker searching for security clearance background investigation data who was spotted and then removed by OPM during its incident response phase in May 2014. Meanwhile, “Hacker X2” was still at work unbeknownst to OPM, the report said, and pilfered the background investigations data by early August 2014, and then the fingerprint data in March 2015.

All told, some 21.5 million individuals had their social security numbers, residency and employment history, family, health, and financial history exposed in the massive data breach of OPM's background-check investigation database. Of the 19.7 million individuals who had applied for the background checks, 1.1 million had their fingerprint scans exposed as well. The remaining 1.8 million people affected by the breach were spouses or other members of the applicants' households.

The Democratic ranking minority member of the committee, Elijah Cummings (D-Md.), took issue with the Republican-led committee laying all of the blame on OPM -- including its criticism of then-CIO of OPM Donna Seymour. Cummings maintained in a memo released today that several contractors also had been breached in what likely was a more wide-range attack campaign by the threat group.

“Today’s Republican staff report reaches conclusions that are contrary to the facts we found during our investigation,”Cummings said in a statement. “The Committee’s year-long investigation into the data breaches showed that no one from the Intelligence Community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed.”

Cummings also pointed out that the committee had found there was a “well-planned campaign” by the attackers to go after OPM as well as government contractors the agency worked with, including Keypass and USIS. He also reiterated that earlier reports that contractor CyTech Services first discovered the breach were inaccurate; it was instead found by the agency’s Cylance security tool, CylanceProtect, that it ran after discovering malware on its systems.

OPM previously had been running Cylance’s V scanning tool, but after the April 2015 discovery of suspicious traffic to a so-called ‘opmsecurity.org’ domain that had been registered to “Steve Rogers” (aka Captain America) in April 2014, the agency called in Cylance. The OPM attackers also used the name Tony Stark, aka IronMan, in their hacks.

“We put a man on the ground that afternoon and spent the next couple of days going through everything,” says Stuart McClure, president of Cylance.

OPM then installed Cylance’s Protect endpoint detection and prevention tool across 13,000 of its nodes, and according to the report, malware alerts “lit up like a Christmas tree” as more infections were discovered.

“We found over 2,000 pieces of malware and two different Chinese groups” on their systems, McClure says.

The endpoint installation was too late to thwart the exfiltration, however: the attackers had dropped PlugX on one of the key Microsoft SQL Servers in the agency and by June 23 of 2014, had made their way to the agency’s PIPS mainframe, where the background investigation data was stored. They siphoned that background information by August 2014, personnel records in December of 2014, and fingerprint data in March of 2015, the committee’s report said.

Chaffetz said legacy systems at OPM were unable to support encryption, for example, and that OPM in fiscal years 2013, 2014, and 2015, spent $7 million per year on cybersecurity, “the lowest” among most agencies, which on average spend $13- 15 million, he said. OPM also had “one of the weakest authentication profiles in the government,” with just one percent of its users required to use multi-factor authentication card access to its systems.

He went on to say that OPM didn’t appear to understand the “level of sophistication and seriousness of the attackers” amid an IT environment that was poorly secured.

The report concludes that OPM failed to improve its security over the past decade, despite multiple reports and warnings of deficiencies by the OPM Inspector General, including a poor FISMA audit.

Zero Trust

The report recommends that OPM adopt the so-called “zero trust” model for authentication, where users inside and outside the organization require multiple levels of authentication and authorization to access data.

“The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT team,” the report said. That requires the agency to log all of its network traffic and deploy “strong access controls” for employees and contractors, the report said.

Claude Barfield, a resident scholar at AEI, said the federal government must start approaching cybersecurity more proactively in this age of cyber espionage.i

“We need to be much more proactive and preemptive and not wait for an attack to occur,” Barfield said at today’s event. “To have the capacity to identify attacks from nation-states and state-sponsored and to stop them in process.”

Related Content: