
The OPM hack explained: Bad security practices meet China’s Captain America

by ethhack

In April of 2015, IT staffers within the United States Office of Personnel Management (OPM), the agency that manages the government’s civilian workforce, discovered that some of its personnel files had been hacked. Among the sensitive data that was exfiltrated were millions of SF-86 forms, which contain extremely personal information gathered in background checks for people seeking government security clearances, along with records of millions of people’s fingerprints. The OPM breach led to a Congressional investigation and the resignation of top OPM executives, and its full implications—for national security, and for the privacy of those whose records were stolen—are still not entirely clear.

OPM hack timeline

As the official Congressional report on the incident says, “The exact details of how and when the attackers gained entry … are not exactly clear.” Nevertheless, researchers have been able to construct a rough timeline of when the breaches began and what the attackers did.

The hack began in November of 2013, when the attackers first breached OPM networks. This attacker or group is dubbed X1 by the Congressional OPM data breach report. While X1 wasn’t able to access any personnel records at that time, they did manage to exfiltrate manuals and IT system architecture information. December of 2013 is the first point at which we know for certain that attackers were attempting to breach the systems of two contractors, USIS and KeyPoint, which conducted background checks on government employees and had access to OPM servers (though USIS may have actually been breached months earlier).

In March of 2014, OPM officials realized they’d been hacked. However, they didn’t publicize the breach at that time, and, having determined that the attackers were confined to a part of the network that didn’t have any personnel data, OPM officials chose to allow the attackers to remain so they could monitor them and gain counterintelligence. OPM did plan for what they called the “big bang”—a system reset that would purge the attackers from the system—which they implemented on May 27, 2014, when the attackers began to load keyloggers onto database administrators’ workstations.

Unfortunately, on May 7, 2014, an attacker or group dubbed X2 by the report had used credentials stolen from KeyPoint to establish another foothold in the OPM network and install malware there to create a backdoor. This breach went undetected, and the “big bang” didn’t remove X2’s access or the backdoor. In July and August of 2014, these attackers exfiltrated the background investigation data from OPM’s systems.

They weren’t done, though: by October 2014, the attackers had moved through the OPM environment to breach a Department of Interior server where personnel records were stored, and in December 2014 another 4.2 million personnel records were exfiltrated. Fingerprint data was exfiltrated in late March of 2015; finally, on April 15, 2015, security personnel noticed unusual activity within the OPM’s networks, which quickly led them to realize that attackers still had a foothold in their systems.

Copyright © 2020 IDG Communications, Inc.
