Dark Reading is part of the Informa Tech Division of Informa PLC

Endpoint

9/7/2016 02:50 PM
OPM Breach: Two Waves Of Attacks Likely Connected, Congressional Probe Concludes

Congressional investigation sheds more light on what went down in the massive Office of Personnel Management breach, says data theft was preventable.

Nation-state threat actors that at one point online used the alter-ego monikers of Captain America and IronMan likely worked in tandem in two sets of attacks in order to case the Office of Personnel Management’s (OPM) network and system infrastructure and then systematically steal personal information of more than 22 million Americans, according to the results of a year-long congressional investigation published today.

The House Committee on Oversight and Government Reform, led by chairman Jason Chaffetz (R-Utah), concluded that OPM’s reported data breaches in 2014 and 2015 “were likely connected and possibly coordinated,” which had been a widely held theory by cyber espionage security experts.

“We believe it happened from overseas,” Chaffetz said today at an event at think-tank American Enterprise Institute (AEI) in Washington, DC, announcing the results of the committee’s probe into the OPM breach. He said the committee stopped short of identifying the attackers’ specific origin, however.

The attackers, who security experts believe worked on behalf of the Chinese government for cyber espionage purposes, pilfered the OPM VPN credentials of OPM contractor Keypoint Systems and were then able to move laterally under the guise of a legitimate contractor, Jeff Wagner, OPM’s director of IT security operations, told the House committee during an interview earlier this year.

The report says the March 2014 breach is likely the handiwork of Axiom, and the April 2015 breach that of Deep Panda, aka Shell Crew, both carried out as part of a wider attack campaign against federal government employees. Deep Panda is thought to be behind the Wellpoint/Anthem breach, among other victims, but the report confirms that the 2015 Anthem breach was conducted by another group, not the ones behind OPM.

Both Axiom and Deep Panda are known by security experts as Chinese nation-state threat groups that conduct cyber espionage. The report says the two groups used similar malware, attack infrastructure, and MOs in their attacks on OPM.

Today’s report, written by the majority Republican staff on the committee, delivers a scathing review of OPM’s response to the first wave of attacks, as well as of OPM’s lack of proper user authentication and authorization for its systems and its deployment of dated technology, all of which the report said left the agency vulnerable to the attackers.

According to Chaffetz, by the time the US-CERT had notified OPM in March 2014 that a third party had spotted data being exfiltrated from OPM systems, the attackers already had obtained a “roadmap” of OPM’s network and systems to aid in their efforts to further access and pilfer sensitive data.

“We know that by the beginning of 2014, two [attackers] had already penetrated and successfully established a presence on the network” at OPM, Chaffetz said. He added that had the agency been logging network activity, it could have detected the nefarious traffic.

“The documents taken in 2014 gave them an advantage in hacking” further into the OPM systems, he said of the attackers. “[OPM] didn’t know there was a second attacker in their system. They thought there was one, but there were actually two. While OPM was trying to reset and kick out the first, the startling reality is that the second likely related attacker was already roaming … We believe there is a correlation between the two” attackers, he said.

OPM could have thwarted further damage if it had properly secured its data in March 2014 and then “pulled the plug” to protect the security clearance database. The further attack and exfiltration of data “was preventable,” he said.

“It [the OPM breach] will affect people from the mid-80s if they applied for a federal government job then. They may not have gotten a job, and their information was still breached along the way,” Chaffetz noted on the range of data stolen.

The House committee report criticized OPM for not publicly disclosing the 2014 breach, and for later declaring the 2014 and 2015 attackers unrelated. The first attack wave, dubbed “Hacker X1” by the congressional committee, was an attacker searching for security clearance background investigation data who was spotted and then removed by OPM during its incident response phase in May 2014. Meanwhile, “Hacker X2” was still at work unbeknownst to OPM, the report said, and pilfered the background investigations data by early August 2014, and then the fingerprint data in March 2015.

All told, some 21.5 million individuals had their social security numbers, residency and employment history, family, health, and financial history exposed in the massive data breach of OPM's background-check investigation database. Of the 19.7 million individuals who had applied for the background checks, 1.1 million had their fingerprint scans exposed as well. The remaining 1.8 million people affected by the breach were spouses or other members of the applicants' households.

The Democratic ranking minority member of the committee, Elijah Cummings (D-Md.), took issue with the Republican-led committee laying all of the blame on OPM, including its criticism of then-CIO of OPM Donna Seymour. Cummings maintained in a memo released today that several contractors also had been breached in what likely was a wider-ranging attack campaign by the threat group.

“Today’s Republican staff report reaches conclusions that are contrary to the facts we found during our investigation,” Cummings said in a statement. “The Committee’s year-long investigation into the data breaches showed that no one from the Intelligence Community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed.”

Cummings also pointed out that the committee had found there was a “well-planned campaign” by the attackers to go after OPM as well as government contractors the agency worked with, including Keypass and USIS. He also reiterated that earlier reports that contractor CyTech Services first discovered the breach were inaccurate; it was instead found by the agency’s Cylance security tool, CylanceProtect, which OPM ran after discovering malware on its systems.

OPM previously had been running Cylance’s V scanning tool, but after the April 2015 discovery of suspicious traffic to a so-called ‘opmsecurity.org’ domain that had been registered to “Steve Rogers” (aka Captain America) in April 2014, the agency called in Cylance. The OPM attackers also used the name Tony Stark, aka IronMan, in their hacks.

“We put a man on the ground that afternoon and spent the next couple of days going through everything,” says Stuart McClure, president of Cylance.

OPM then installed Cylance’s Protect endpoint detection and prevention tool across 13,000 of its nodes, and according to the report, malware alerts “lit up like a Christmas tree” as more infections were discovered.

“We found over 2,000 pieces of malware and two different Chinese groups” on their systems, McClure says.

The endpoint installation was too late to thwart the exfiltration, however: the attackers had dropped PlugX on one of the key Microsoft SQL Servers in the agency and by June 23 of 2014, had made their way to the agency’s PIPS mainframe, where the background investigation data was stored. They siphoned that background information by August 2014, personnel records in December of 2014, and fingerprint data in March of 2015, the committee’s report said.

Chaffetz said legacy systems at OPM were unable to support encryption, for example, and that OPM in fiscal years 2013, 2014, and 2015 spent $7 million per year on cybersecurity, “the lowest” among most agencies, which on average spend $13-15 million, he said. OPM also had “one of the weakest authentication profiles in the government,” with just one percent of its users required to use multi-factor authentication card access to its systems.

He went on to say that OPM didn’t appear to understand the “level of sophistication and seriousness of the attackers” amid an IT environment that was poorly secured.

The report concludes that OPM failed to improve its security over the past decade, despite multiple reports and warnings of deficiencies by the OPM Inspector General, including a poor FISMA audit.

Zero Trust

The report recommends that OPM adopt the so-called “zero trust” model for authentication, where users inside and outside the organization require multiple levels of authentication and authorization to access data.

“The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization’s network is threat traffic until authorized by the IT team,” the report said. That requires the agency to log all of its network traffic and deploy “strong access controls” for employees and contractors, the report said.
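The two zero-trust requirements the report names (no user or traffic is trusted by default, and every access is logged) are easy to state but worth seeing as an actual policy decision. The following is an added example, not code from the report or from OPM: a small default-deny access gateway that requires a completed second factor and a managed device, checks the user's role against a hypothetical resource policy, ignores whether the session arrived over VPN or the internal network, and writes an audit line for every decision. The policy table, user names and requests are constructed for illustration; the first request models the weak-authentication path the article describes, a contractor VPN credential used without multi-factor authentication.

```python
"""Minimal zero-trust access decision: default deny, MFA required, full audit log.

Constructed example. The policy table, users and requests below are invented
for illustration and do not describe OPM's real systems or the report's data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Which roles may reach which resources (hypothetical policy, not from the report).
POLICY: Dict[str, Set[str]] = {
    "background-investigations-db": {"investigator"},
    "hr-personnel-records": {"hr-analyst", "investigator"},
    "public-intranet": {"employee", "contractor", "hr-analyst", "investigator"},
}


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_verified: bool      # smart-card or other second factor completed for this session
    device_managed: bool    # endpoint enrolled and compliant
    source: str             # "internal" or "vpn"; deliberately not used as a trust signal
    resource: str


@dataclass
class Decision:
    allowed: bool
    reason: str


class ZeroTrustGateway:
    def __init__(self) -> None:
        self.audit_log: List[str] = []

    def _log(self, req: AccessRequest, dec: Decision) -> None:
        # Every request is logged, allowed or denied: the denied and unusual
        # attempts are exactly what later detection depends on.
        verdict = "ALLOW" if dec.allowed else "DENY"
        self.audit_log.append(
            f"{verdict} user={req.user} src={req.source} "
            f"resource={req.resource} reason={dec.reason}"
        )

    def evaluate(self, req: AccessRequest) -> Decision:
        # Default deny: a request is allowed only if it passes every check.
        # Network origin is not a check: a VPN session built on stolen
        # contractor credentials looks "inside" and must not be trusted for that.
        if not req.mfa_verified:
            dec = Decision(False, "mfa-required")
        elif not req.device_managed:
            dec = Decision(False, "unmanaged-device")
        elif req.resource not in POLICY:
            dec = Decision(False, "unknown-resource")
        elif not (req.roles & POLICY[req.resource]):
            dec = Decision(False, "role-not-authorized")
        else:
            dec = Decision(True, "policy-match")
        self._log(req, dec)
        return dec


def run_sample() -> Tuple[List[bool], List[str]]:
    """Evaluate a few constructed requests; return (verdicts, audit log)."""
    gw = ZeroTrustGateway()
    requests = [
        # Contractor credential over VPN with no second factor: denied before
        # any resource is touched, which is where the lateral-movement path
        # described in the article would have been cut off.
        AccessRequest("contractor-vpn", {"contractor"}, False, True, "vpn",
                      "background-investigations-db"),
        # Same credential with MFA completed, but the role is not authorized.
        AccessRequest("contractor-vpn", {"contractor"}, True, True, "vpn",
                      "background-investigations-db"),
        # Investigator, MFA done, managed device: the one allowed request.
        AccessRequest("investigator-1", {"investigator"}, True, True, "internal",
                      "background-investigations-db"),
        # Authorized role but unmanaged device: denied even from the internal network.
        AccessRequest("investigator-2", {"investigator"}, True, False, "internal",
                      "hr-personnel-records"),
    ]
    verdicts = [gw.evaluate(r).allowed for r in requests]
    return verdicts, gw.audit_log


if __name__ == "__main__":
    _, log = run_sample()
    print("\n".join(log))
```

The point of the ordering in `evaluate` is that identity and device checks come before any authorization lookup, so a denied request never reveals whether the resource exists or which roles it accepts, and the audit line records the first failing condition rather than the full policy.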

Claude Barfield, a resident scholar at AEI, said the federal government must start approaching cybersecurity more proactively in this age of cyber espionage.

“We need to be much more proactive and preemptive and not wait for an attack to occur,” Barfield said at today’s event. “To have the capacity to identify attacks from nation-states and state-sponsored and to stop them in process.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Jon M. Kelley, User Rank: Moderator
9/13/2016 | 5:54:31 PM
Monks?
Quote from the above story:

"Of the 19.7 million individuals who had applied for the background checks, 1.1 million had their fingerprint scans exposed as well. The remaining 1.8 million people affected by the breach were spouses or other members of the applicants' households."

Do the math. The above quote shows that people with clearances live, and with the help of OPM die, alone. Since ex-spouses & ex-significant others & children are on your report forever, most people with clearances never had a significant relationship, much less a child.

So, it's no wonder our government is having great trouble attracting people to get cleared; they are a dying breed.
lorraine89, User Rank: Ninja
9/30/2016 | 9:59:59 AM
Cyber security
It is great that a congressional probe has been carried out, and issues of such stature must be discussed with higher authorities. It is also important for users to encrypt their data and also deploy a VPN server, PureVPN, to access the web freely.