The 2015 Cyber-Attack against the Office of Personnel Management
Unit 61398 in Shanghai - A cyber warfare unit of the Chinese People's Liberation Army (PLA). Photo by Reuters. https://www.cbc.ca/news/world/unit-61398-chinese-cyberspies-1.1367960

The 2015 cyber-attack against the United States (US) Office of Personnel Management (OPM) is considered one of the largest data breaches in US history. In late May 2015, OPM announced that hackers had compromised approximately four million background investigation records used to grant security clearances (Barrett et al., 2015). The US Federal government relies on OPM to provide HR services, retirement, healthcare, and hiring policies for federal employees (US Office of Personnel Management, 2018).

All civilian employees, military personnel, and contractors of the Federal government complete Standard Form 86 (SF-86) to apply for Confidential (C), Secret (S), Top Secret (TS), or Top Secret/Sensitive Compartmented Information (TS/SCI) security clearances. The SF-86 is a 127-page questionnaire containing Personally Identifiable Information (PII) of current, former, and prospective security clearance applicants (Loveridge, 2013). The SF-86 holds more PII than any private industry record, including fingerprints; personal, health, financial, and credit information; and the names of friends, spouses, family members, and foreign contacts (Cylance, 2017).

Timeline of the Cyber Attack Against OPM

On March 20, 2014, the first OPM data breach was discovered, but it is not clear when the cyber-attack started (US House of Representatives, 2016). After OPM discovered the intrusion, it determined that the hackers had targeted information about top security clearances, but OPM informed other agencies that the network’s Intrusion Detection Systems (IDS) had repelled the attack. The Obama administration withheld news of the attack from the general public on the basis that no PII had been compromised (Bisson, 2015).

The forensic analysis of the March 2014 breach revealed that OPM network architecture blueprints had been stolen. The forensic team also found the domain registration for opmsecurity.org, which was used to control the malware inside OPM’s network. The owner listed in the opmsecurity.org domain registration was Steve Rogers – the Marvel Comics character who becomes Captain America, a member of the Avengers. Domain registrations under Avengers character names are a hallmark of the People's Republic of China (PRC) Advanced Persistent Threat (APT) known as Unit 61398 (Koerner, 2016).

In March 2014, Jeff Wagner, OPM Director of IT Security Operations, recommended deploying Cylance security tools immediately after the initial cyber-attack (US House of Representatives, 2016). Cylance is a private company that provided on-demand cybersecurity products and services to OPM. Cylance’s products and services are powered by artificial intelligence and machine learning technology (McClurg, 2016). OPM management denied Jeff Wagner’s request. Bureaucracy, internal politics, and misplaced priorities at OPM delayed any urgent deployment of security tools (US House of Representatives, 2016).

In May 2014, the Department of Homeland Security (DHS) sent the United States Computer Emergency Readiness Team (US-CERT) to assist OPM in monitoring and gathering counterintelligence about the intruder, who was labeled Hacker X1. On May 7, 2014, while OPM and US-CERT monitored Hacker X1, a second intruder, Hacker X2, secretly installed malware to create a backdoor into OPM’s network. On May 27, 2014, OPM and DHS launched the Big Bang Plan to expel Hacker X1. However, by then Hacker X2 had already established an undetected backdoor into OPM’s network (US House of Representatives, 2016).

In June 2014, United States Investigation Services (USIS), a private government contractor, notified OPM about another data breach affecting 25,000 government employee records. On June 17, after USIS notified fifteen other federal agencies about the attack, OPM canceled all USIS contracts. On July 9, the New York Times broke the news about the OPM hack. In the meantime, Hacker X2 continued operating freely inside OPM’s network. On July 29, 2014, the hackers registered the domain opmlearning.org as the command-and-control center for the new malware installed in OPM’s network (US House of Representatives, 2016).
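Both command-and-control domains described above (opmsecurity.org and opmlearning.org) share two traits a defender can hunt for: they borrow the victim organisation's own name, and their registration carries a fake persona from a known pattern. The following script is an added illustration, not OPM's, US-CERT's, or any vendor's tooling. It scores outbound DNS queries from a constructed log against a lookalike-domain check and a WHOIS registrant watchlist; the log lines, the WHOIS table, the timestamps, and the internal addresses are all made up for the example, and the log format is an assumption.

```python
"""Hunt for lookalike C2 domains in DNS logs (constructed example).

Two signals are combined per registrable domain:
  1. the domain reuses the organisation's name but is not one of its own;
  2. the WHOIS registrant matches a watchlist of fake personas
     (here: Avengers character names, the pattern the article describes).
"""
import re

# Constructed WHOIS registrant data (assumption: obtained from a whois lookup).
# Only the registrant of the two OPM C2 domains comes from the article;
# the other entries are invented for the example.
WHOIS_REGISTRANT = {
    "opmsecurity.org": "Steve Rogers",
    "opmlearning.org": "Steve Rogers",
    "opm.gov": "US Office of Personnel Management",
    "example-cdn.net": "Example CDN Inc",
}

# Fake-persona watchlist: well-known Marvel Avengers names.
PERSONA_WATCHLIST = {
    "steve rogers", "tony stark", "bruce banner",
    "natasha romanoff", "clint barton", "thor odinson",
}

ORG_TOKENS = ("opm",)        # strings an imposter domain would reuse
LEGIT_DOMAINS = {"opm.gov"}  # the organisation's genuine registrable domains

# Assumed log format: "<timestamp> src=<ip> query=<name> type=<qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$")


def registrable_domain(qname):
    """Reduce a query name to its last two labels (adequate for .org/.gov/.net)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_lookalike(domain):
    """True if the domain reuses the organisation's name but is not its own."""
    if domain in LEGIT_DOMAINS:
        return False
    label = domain.split(".")[0]
    return any(tok in label for tok in ORG_TOKENS)


def registrant_on_watchlist(domain):
    """True if the WHOIS registrant name is a known fake persona."""
    return WHOIS_REGISTRANT.get(domain, "").lower() in PERSONA_WATCHLIST


def parse_line(line):
    """Parse one log line; return a dict of fields or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Return one finding per suspicious registrable domain.

    Findings carry the reasons that fired, the set of querying hosts and the
    query count; domains with more reasons sort first.
    """
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the hunt
        dom = registrable_domain(rec["qname"])
        reasons = []
        if is_lookalike(dom):
            reasons.append("lookalike-of-org-name")
        if registrant_on_watchlist(dom):
            reasons.append("registrant-on-fake-persona-watchlist")
        if not reasons:
            continue
        f = findings.setdefault(
            dom, {"domain": dom, "reasons": reasons, "sources": set(), "queries": 0})
        f["sources"].add(rec["src"])
        f["queries"] += 1
    return sorted(findings.values(), key=lambda f: (-len(f["reasons"]), f["domain"]))


# Constructed DNS log: timestamps, hosts and the non-OPM domains are invented.
SAMPLE_DNS_LOG = [
    "2014-07-30T02:13:44Z src=10.20.30.40 query=update.opmlearning.org type=A",
    "2014-07-30T02:14:01Z src=10.20.30.41 query=opmlearning.org type=A",
    "2014-07-30T02:15:10Z src=10.20.30.40 query=www.opm.gov type=A",
    "2014-07-30T02:16:33Z src=10.20.30.42 query=opmsecurity.org type=TXT",
    "2014-07-30T02:17:05Z src=10.20.30.43 query=example-cdn.net type=A",
    "2014-07-30T02:18:50Z src=10.20.30.44 query=opm-benefits.net type=A",
    "this line is not a dns record",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_DNS_LOG):
        print(f["domain"], f["reasons"], sorted(f["sources"]), f["queries"])
```

On the sample log the two article domains surface with both reasons, while the invented opm-benefits.net is reported on the lookalike signal alone, which is the kind of lower-confidence hit an analyst would triage rather than block outright.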

From July to August 2014, Hacker X2 exfiltrated security clearance background investigation files. DHS suspended all USIS contracts, while press reports indicated that the USIS data breach was a state-sponsored cyber-attack. Since the cyber-attacks against USIS and OPM were launched at approximately the same time, the Federal Bureau of Investigation (FBI) opened a criminal investigation. In September 2014, a data breach was detected at KeyPoint Government Solutions, a contractor for background investigations (Bisson, 2015).

In December 2014, Hacker X2 exfiltrated personnel records from OPM’s systems (US House of Representatives, 2016). That same month, another breach was discovered at KeyPoint, but OPM determined that no information had been stolen (Koerner, 2016). On March 26, 2015, intruders began stealing OPM’s fingerprint data. On April 15, 2015, OPM acknowledged that since December 2014 hackers had posed as KeyPoint Government Solutions to access OPM’s systems. On June 12, 2015, OPM concluded that the second breach was much larger than originally estimated (US House of Representatives, 2016).

Hearings Before US Congress

On April 22, 2015, the House Oversight and Government Reform Committee interviewed several government officials, including Donna Seymour, OPM Chief Information Officer (CIO). Seymour acknowledged that in March 2014 USIS and OPM had been attacked almost simultaneously, but she assured Congress that OPM had repelled the attack and implemented a better mitigation plan. On July 9, 2015, OPM acknowledged that the May 2015 data breach affected an estimated 21.5 million people (US House of Representatives, 2016).

On June 16, 2015, OPM Director Katherine Archuleta testified before the House Oversight and Government Reform Committee and acknowledged that Social Security numbers were not encrypted because OPM’s networks were too old. Archuleta and other OPM officials conceded that the PII of possibly more than 4.2 million people had been compromised (Bisson, 2015). After the hearings, Katherine Archuleta and Donna Seymour resigned as OPM Director and CIO respectively (Boyd, 2017).

Attribution of the OPM Cyber Attack

The FBI determined that the OPM cyber-attacks pointed to the PRC. Since the stolen SF-86 records contained each applicant’s foreign contacts, the Chinese government could punish or blackmail any Chinese national who had contacts with US government personnel. Any foreign government could also use the SF-86 information to blackmail a US government employee or contractor into revealing classified information (Zetter, 2015). The cybersecurity firm iSight Partners identified similarities between the cyber-attacks against Premera Blue Cross and Anthem, the second-largest US health insurance company, and the attack against OPM (Risen, 2015).

On August 27, 2017, the FBI arrested Yu Pingan, a Chinese citizen linked to the cyber-attacks against OPM (Perez, 2017). Yu Pingan, the hacker known as GoldSun, was charged with violations of the Computer Fraud and Abuse Act and conspiracy to defraud the US. The case against Yu did not include the OPM breach. Instead, Yu was accused of selling a rare Trojan – the Sakula malware – which was used against OPM. Yu and two other unnamed hackers were also accused of cyber-attacks against four US-based companies, dating back to June 2011, which likewise used the remote access Trojan (Moon, 2017).

Conclusion

Of the 21.5 million SF-86 records stolen, 19.7 million belonged to security clearance applicants and 1.8 million to the applicants’ spouses or co-habitants. In addition, 5.6 million records contained fingerprints (US Office of Personnel Management, 2015). Criminals could use the SF-86 data for identity theft. OPM set up a call center, a website, and an identity theft-monitoring service to assist those affected. However, these services only provide general information (Zetter, 2015). The hackers stole almost 30 years' worth of data, such as social security numbers and bank accounts (Moon, 2017).

Joel Brenner, former Senior Counsel to the National Security Agency (NSA), said of the OPM hack: “This is crown jewel material... a gold mine for a foreign intelligence service”. Michael Hayden, former Director of the Central Intelligence Agency (CIA), said, “OPM data remains a treasure trove of information that is available to the Chinese until the people represented by the information age off. There’s no fixing it” (Office of the Director of National Intelligence, 2016).

According to Schneier (2017), a consolidated class-action lawsuit over the 2015 OPM hack, led by the National Treasury Employees Union (NTEU), was brought in the district court in Washington, D.C. A class-action lawsuit by the American Federation of Government Employees also consolidated other lawsuits from across the country. In conclusion, this author believes OPM misled US Congress, other government agencies, and the American people. Also, many former colleagues and military veterans who served this country honorably were affected by the cyber-attack against OPM, since they had to deal with the consequences of identity theft.

References

Barrett, D.; Yadron, D., and Paletta, D. (2015). U.S. Suspects Hackers in China Breached About 4 Million People's Records, Officials Say. The Wall Street Journal. Retrieved on April 17, 2018 from https://www.wsj.com/articles/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888

Bisson, D. (2015). The OPM Breach: Timeline of a Hack. The State of Security. Retrieved on April 17, 2018 from https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/the-opm-breach-timeline-of-a-hack/

Boyd, A. (2017). OPM CIO Seymour resigns days before Oversight hearing. Federal Times. Retrieved on April 18, 2018 from https://www.federaltimes.com/it-networks/2016/02/22/opm-cio-seymour-resigns-days-before-oversight-hearing/

Cylance. (2017). Understanding the United States Office of Personnel Management OPM Data Security Breach. YouTube Channel – iSecure, LLC. Retrieved on April 22, 2018 from https://www.youtube.com/watch?v=34i_90wu6UI

Koerner, B. (2016). Inside The Cyberattack That Shocked The US Government. Wired.com. Retrieved on April 18, 2018 from https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

Loveridge, W. (2013). News & Career Advice. How to Complete Your SF-86. ClearanceJobs.com. Retrieved on April 18, 2018 from https://news.clearancejobs.com/2013/04/03/how-to-complete-your-sf-86/

McClurg, J. (2016). Reflections on the OPM Breach. Cylance – Threat Matrix. Retrieved on April 22, 2018 from https://threatmatrix.cylance.com/en_us/home/not-if-but-when-reflections-on-the-opm-breach.html

Moon, M. (2017). Cyber Attack FBI nabs Chinese national linked to massive OPM hack. engadget.com. Retrieved on March 25, 2018 from https://www.engadget.com/2017/08/25/fbi-nabs-chinese-national-opm-hack/

Office of the Director of National Intelligence (2016). Cyber Aware Case Study. Office of Personnel Management. Office of the Director of National Intelligence (DNI). Retrieved on April 22, 2018 from https://www.dni.gov/ncsc/e-Learning_CyberAware/pdf/Cyber_Aware_CaseStudy_OPM.pdf

Perez, E. (2017). FBI arrests Chinese national connected to malware used in OPM data breach. CNN. Retrieved on April 18, 2018 from https://www.cnn.com/2017/08/24/politics/fbi-arrests-chinese-national-in-opm-data-breach/index.html

Risen, T. (2015). China Suspected in Theft of Federal Employee Records. US News and World Report. Retrieved on April 18, 2018 from https://www.usnews.com/news/articles/2015/06/05/china-suspected-in-theft-of-federal-employee-records

Schneier, C. (2017). Plaintiffs Take Just 1 Hour to Appeal Dismissal of Suit Over OPM Data Breach. Retrieved on April 18, 2018 from https://www.usnews.com/news/articles/2015/06/05/china-suspected-in-theft-of-federal-employee-records

U.S. House of Representatives (2016). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. House Committee on Oversight and Government Reform. Majority Staff Report. Retrieved on April 18, 2018 from https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

U.S. Office of Personnel Management. (2018). About – Our Agency. Retrieved on April 18, 2018 from https://www.opm.gov/about-us/

U.S. Office of Personnel Management. (2015). OPM Announces Steps to Protect Federal Workers and Others From Cyber Threats. Retrieved on April 21, 2018 from https://www.opm.gov/news/releases/2015/07/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats/

Zetter, K. (2015). The Massive OPM Hack Actually Hit 21 Million People. Wired. Retrieved on April 21, 2018 from https://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/

Roger Huitt

Chief Marketing Officer

5 years

Did you watch Snowden's interview the other night on NBC?
