Analysis: Why the OPM Breach Is So BadPersonal Secrets at Risk After Background Forms Exposed
Digital forensic investigators still do not know the full scope of the U.S. Office of Personnel Management intrusion, due to the agency's poor security controls and logging. But every piece of private information that U.S. government workers and contractors disclosed for security-clearance reviews may have been stolen in the breach.
The OPM hack may have been the work of attackers with ties to Chinese espionage agencies, thus putting federal employees at greater risk of being recruited or coerced by a foreign power into spying on the United States (see OPM Breach: China Is 'Leading Suspect').
That is the bleak portrait painted by weeks of the White House continuing to release piecemeal details about the OPM breach, as well as recent testimony before Congress.
"Is OPM about as bad as it can possibly be? No, it's worse. The Chinese know [now] everything the [government] learned," the operational security expert known as the Grugq says via Twitter. He notes that Chinese spies may have been in possession of - and utilizing - this information for the past year to recruit targets or blackmail them into cooperating. "In espionage they talk about susceptibility and vulnerability as the two angles to explore for recruitment. China has all that data now."
Gavin Millard, a technical director for Tenable Network Security, says that the apparent quantity of stolen information - including detailed SF-86 federal background investigation forms - is mind-boggling:
If you printed out the 14 million SF86 forms lost in the OPM breach, the stack would be approximately 185 miles high. #infosecï¿½ Gavin Millard (@gmillard) June 27, 2015
Published judgments from the Defense Department's Defense Office of Hearings and Appeals offer insights into the types of information that would be contained in these background forms, and from related investigations. In one case, for example, a man's clearance application was rejected because he owed four mortgage debts on three condominiums, totaling $1.8 million in debt, of which $500,000 remained unresolved. "Applicant did not make sufficient progress resolving this $500,000 judgment," a judge ruled. "Eligibility for access to classified information is denied."
Other judgments highlight how the information is these background forms includes details of sexual behavior, extra-marital affairs, and binge alcohol consumption. One judgment described a man who was convicted of two felonies for shooting his son in the leg after wrestling with him during a fight.
What's not yet known is how the OPM breach happened. That's due, in part, to the paucity of log-related data available to investigators, says Ann Barron-DiCamillo, director of the U.S. Computer Emergency Readiness Team, which is part of the U.S. Department of Homeland Security.
Many government agencies only retain logs for 60 days, Barron-DiCamillo says, and government investigators believe that the OPM breach started a year ago. As a result, details of the initial intrusion and 10 months of data exfiltration may be lost, thus complicating efforts to ascertain exactly what data was exposed during the breach. "A lot of the forensic evidence we need to be able to come up conclusively with those numbers [of victims] is just not there," Barron-DiCamillo tells ABC News. "And so the investigators have a really hard time trying to piece all that information together."
A November report from the OPM's inspector general warned that "OPM does not maintain a comprehensive inventory of servers, databases and network devices," and thus did not know what was connecting to each of those. The inspector general also questioned the connections in place between OPM and the contractors that "operate 22 of the agency's 47 major applications," noting that related weaknesses could lead to "security failures."
OPM Found Breach
To OPM's credit, the agency itself discovered the breach in April, Barron-DiCamillo told the House Committee on Oversight and Government Reform committee on June 24. Furthermore, OPM made that discovery by using a new, DHS-recommended tool, the name of which she did not offer. But after that, she said, the U.S. government used the breach signatures to update its Einstein intrusion detection system so it could help other U.S. agencies spot or block similar attacks. Barron-DiCamillo also added that government investigators first discovered that background-check forms may have been exposed by the breach in early June.
Once in the OPM networks, Reuters - citing anonymous sources - reports that attackers used a malicious remote-access tool called Sakula, which was the focus of a June 5 FBI Flash Alert. Threat-intelligence research firm ThreatConnect earlier this year reported that Sakula was used in the breach of health insurer Anthem, as well as in a failed phishing attack against U.S. defense contractor VAE (see Anthem Attribution to China: Useful?).
Ground Zero: KeyPoint?
Investigators believe that attackers gained access to the OPM systems by first stealing OPM access credentials from an employee of KeyPoint Government Solutions, the company's CEO, Eric Hess, last week confirmed to the House committee. KeyPoint, a government contractor, provides background-check services for OPM.
But investigators are not sure how those OPM credentials were obtained from the KeyPoint employee, although it is possible they were stolen during a breach of KeyPoint's network that ran from the fall of 2013 until August 2014, when a government team came onsite at the company to investigate, US-CERT's Barron-DiCamillo told the House committee. But that US-CERT team was not able to ascertain how hackers infiltrated KeyPoint, exposing personal data for 27,000 people. "They entered the network - we're not quite sure how, because of a lack of logging," Barron-DiCamillo told the House committee.
Exposed: Federal Workers
Federal workers have continued to voice frustration over the slow pace of the OPM investigation. They've also voiced complaints that the breach exposed not just their information, but also personally identifiable information for their families, friends and acquaintances. And they have complained that the prepaid identity theft monitoring services that the federal government is offering them will not repair the leak of personal secrets. The government also has yet to notify non-federal employees and contractors whose information may have been breached because it was included in an SF-86 form.
"The questions on the SF-86 require that I list the names, addresses and dates of birth for my family and the Social Security number for my husband," one ISMG reader notes. "They also require the names, addresses and telephone numbers of people who know me well and those who can verify my residence and employment. Who is going to notify my family, friends and neighbors of this breach? Me?"