Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
OPM Breach: The Unanswered Questions
Scope, Attribution, Impact Remain UnclearMany questions remain unanswered about the data breach at the U.S. Office of Personnel Management that may have exposed personal information for 4 million current and former government workers.
See Also: Gartner Market Guide for DFIR Retainer Services
The FBI has confirmed that it's investigating the intrusion, which was revealed June 4 when the OPM posted a breach notification on its website. The office said it discovered the intrusion in April as it was continuing to update its information security defenses.
Here are seven key questions related to this rapidly unfolding story:
Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs
1. What is the scope?
Thus far, the OPM only says that 4 million individuals' "personally identifiable information was potentially compromised," and that the breach was detected after the agency added unspecified "tools and capabilities to its networks." But some anonymous government sources quoted in various news reports have said that the breach appears to have begun in December, and that the data exposure was extensive. "This is deep. The data goes back to 1985," one U.S. government official, speaking on condition of anonymity, told Reuters. "This means that they potentially have information about retirees, and they could know what they did after leaving government."
In the wake of the breach, OPM said that it began using anti-malware tools, limiting remote access for network administrators and restricting remote network administration functions. Mark Weatherford, a former head of cybersecurity for the Department of Homeland Security, criticized OPM for not already having such basic security defenses already in place (see Dissecting the OPM Breach).
2. Was background investigation data compromised?
The OPM's Federal Investigative Service reportedly handles about 90 percent of the federal government's background investigations, and keeps on file related SF-86 forms filed by federal employees, which include a variety of personal details, including the names of family and friends to even college roommates, ABC News reports.
The OPM suffered a prior breach last year that appeared to target those security clearance records, which could be used to amass data required to hack - or reset passwords - for targets' online accounts (see U.S. Government Personnel Network Breached). But it's not yet clear precisely what data was targeted in the latest attack.
The OPM also was the subject of a scathing November report from the agency's inspector general, who said that the security lapses surrounding the databases used by the Federal Investigative Service were so severe that they should be temporarily shut down on "national security" grounds, given the poor state of related information security defenses.
3. Is there a link to Anthem breach?
Some security experts claim they see signs that the OPM breach is connected to the breach of healthcare insurer Anthem, which may also have begun in December, and which was detected in January. A new report from ThreatConnect, a threat intelligence product and services vendor, says that in February, the firm discovered an attack infrastructure that appeared to have been designed to mimic the networks of Anthem - formerly known as Wellpoint - and federal contractor VAE, which appeared to have been put in place by a Chinese university team (see Anthem Attribution to China: Useful?). Anthem later confirmed that it had been breached, while VAE reportedly repelled phishing attacks.
But ThreatConnect said in a June 5 blog post that it also found "a peculiar related OPM-themed domain, opm-learning.org," as well as "opmsecurity.org." As with the Anthem and VAE attack sites, both of the apparent OPM attack domains were registered using a pseudorandom, 10-digit email address name registered to the gmx.com domain. Likewise, Marvel Avengers-themed names - "Tony Stark," "Steve Rogers" - were used for the domain name owners. "We've documented the pseudorandom gmx registrant email tactic in the past, and our partners at CrowdStrike were the first to detail the Avengers theme," ThreatConnnect says. "Both are known to be telltale signs of Chinese APT activity."
4. Would advanced technology have helped?
All federal civilian agencies, including OPM, have deployed the Einstein 2 intrusion detection system from DHS. Most, however, have yet to implement the newer Einstein 3A system, which includes breach-prevention features. An OPM spokesman did not immediately respond to a request for comment about whether Einstein 3A was in place at the agency. White House Press Secretary John Earnest, in a June 5 briefing, did not specify which Einstein system was in place at OPM.
5. Are attackers building PII database?
Some security experts suspect that over the past 12 to 18 months, attackers operating from China have been hacking multiple sources to build databases of information relating to U.S. residents, potentially for espionage purposes.
"They're definitely going after quite a bit of personnel information," Rich Barger, chief intelligence officer of ThreatConnect, tells The Washington Post. "We suspect they're using it to understand more about who to target [for espionage], whether electronically or via human recruitment."
6. Can attribution be believed?
Many news outlets have quoted anonymous sources saying that the OPM breach appears to have been executed from China. But attributing attacks back to their source remains incredibly challenging. Indeed, while the FBI took the unusual step of attributing the 2014 Sony hack to "North Korea actors," numerous information security experts have continued to question those assertions, based on the evidence that has been publicly detailed to date.
But the White House has already warned that if it can identify the related culprit involved in the OPM breach, it may apply sanctions. "You'll recall that back in April, the president, using his executive authority, signed an executive order giving the Treasury Department additional authority to use economic sanctions to punish or hold accountable those who are either responsible for a cyber-intrusion, or are benefitting from one," Earnest said. "This is an example of the president using his executive authority in a way that reflects and demonstrates his comprehension of how significant the cyber risk is right now."
But Jeffrey Carr, CEO of threat-intelligence firm Taia Global, says it is now a cliché that in the wake of a breach, anonymous sources will focus on one of two culprits - China for government data theft, Russia when banking data gets stolen. Carr has also warned that public attribution by officials may be politically driven, and that attribution in these cases serves little purpose, other than to redirect focus away from the quality of the breached organization's defense.
7. Are Chinese denials believable?
News of the potential OPM data exposure precedes the annual U.S.-China Strategic and Economic Dialogue, to be held June 22-24 in Washington. Cybersecurity has been a frequent topic of discussion at those meetings.
China's foreign ministry spokesman Hong Lei, without denying responsibility for the OPM breach outright, has also criticized attempts to rapidly attribute the attack to anyone. "Without the thorough investigation, you jump to a conclusion so quickly. We think it is not scientific and is irresponsible," he told NBC News.
"We hope the United States side could discard this kind of suspicion and stop groundless accusations. We would like to see more trust and cooperation from the U.S.," he added. "We hope the United States side could discard this kind of suspicion and stop groundless accusations. We would like to see more trust and cooperation from the U.S."