Actually, “hack” may not be the most accurate term for how China’s intelligence service gained access to practically every piece of sensitive information from every federal employee over the last 30 years. The better description is that the Office of Personnel Management handed someone the master key to the mansion and never noticed that their employee and his bestest buddies were robbing them blind for more than a year. Reuters reports today that the slow-roll theft was accomplished by a group tied to Chinese intelligence services, more or less confirming what had been speculated before:
The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.
While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation. …
Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.
The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.
Plus as the Washington Post notes, that year gave the intruders/welcomed guests lots of time to find all of the data they wanted to hijack. In fact, they were so thorough that OPM still doesn’t know exactly what was taken:
The discovery of that breach followed the detection in April of the compromise of a personnel database containing Social Security numbers and other personal information of 4.1 million current and former federal employees. That hack dates back to December, officials said.
In the case of the personnel database, the time between breach and discovery was four months — much shorter than the one-year interval for the security clearance system.
OPM officials are still trying to determine how much data was actually stolen and who was affected. The background-check system is complex and antiquated, made up of many databases and fed by numerous agencies. The OPM emphasized that it has tried since last year to put in place stronger detection and prevention. Some U.S. officials say the OPM has been stymied by bureaucratic hurdles.
Oh, please. The intruders didn’t need to hack into the system; OPM left the door wide open. They contracted with people who gained root access to the systems, and who turned out to be working not just for the People’s Republic of China, but actually in the PRC.
“If it’s nation state attackers,” Wysopal said, “I assume it will be more phishing style attacks to compromise someone’s home network—getting the information of someone’s family members and them. So I think of [the hack] as a really sophisticated precursor attack to getting at something that is really more of the ultimate target of the hack.” …
It’s this kind of information that can give cunning hackers the ability to commit identity fraud, construct sophisticated e-mail scams known as phishing attacks, and lead to even more damaging cyberattacks seeking higher value information.
“It’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies,” said Mark Bower, a security expert with Hewlett-Packard.
In fact, he said, some of this information could give criminal hackers the raw materials to construct targeted e-mail attacks with the aim of getting access to data about economic policy plans, military and defense data sets, or for committing intellectual property theft.
In other words, now would be an excellent time for those whose data resided at OPM to change passwords, wireless network IDs, and perhaps even bank accounts. Or it might already be too late.
Good thing Barack Obama has complete confidence in OPM, eh?