Anti-Malware , Breach Response , Cybersecurity

Report: OPM Breach Found During Demo

Anti-Malware Tool Demonstration Reportedly Found Intrusion
Report: OPM Breach Found During Demo

The massive data breach at the U.S. Office of Personnel Management reportedly wasn't discovered by U.S. government sleuths - or the Department of Homeland Security Einstein intrusion detection system - but rather during a product demo.

See Also: Data Center Security Study - The Results

Specifically, an April sales demonstration by Virginia-based CyTech Services of its digital forensics platform called CyFIR, which it used to scan the OPM network, unearthed a malware infection, which investigators now believe is tied to a network intrusion that began at least a year ago, The Wall Street Journal reports.

Neither CyTech Services nor an OPM spokesman immediately responded to a request for comment.

Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs

If true, the fact that a third-party anti-malware product detected an intrusion - while Einstein did not - calls into question current federal information security practices and the defenses that OPM director Katherine Archuleta did or did not require to be in place (see Dissecting the OPM Breach). It is also the second known breach that OPM suffered in less than a year, and followed breaches that have been tied to the theft of millions of records from U.S. health insurers Anthem and Premera Blue Cross. As with the OPM breach, some government officials - in anonymous interviews - have ascribed those health insurer attacks to Chinese hackers (see OPM Breach: The Unanswered Questions).

Following the latest OPM breach, the White House, which first publicly disclosed the intrusion June 4, has sought to deflect any related criticism. "We have known for a long time that there are significant vulnerabilities and that these vulnerabilities are going to accelerate as time goes by, both in systems within government and within the private sector," President Obama said earlier this week in a news conference. "Part of the problem is that we've got very old systems. And we discovered this new breach in OPM precisely because we've initiated this process of inventorying and upgrading these old systems to address existing vulnerabilities. ... And this is going to be a big project and we're going to have to keep on doing it, because both state and non-state actors are sending everything they've got at trying to breach these systems."

Mapping Social Networks

Why steal data on federal employees? Members of Congress, in recent classified briefings, have been told that Chinese attackers may in part have been attempting to map social and professional networks of government employees - high-ranking or otherwise - by harvesting information from forms filed by federal employees who are seeking a security clearance, which were not being stored in encrypted format, The New York Times reports. In those 127-page SF-86 background-investigation forms, federal employees, including senior members of the State Department, are required to list not just friends and relatives, but all foreigners with whom they have had contact.

Given the sheer amount of information that may have been exposed to attackers, Chinese or otherwise, the impact of this data breach may well exceed the damage of WikiLeaks releasing 250,000 secret State Department cables, the Times reports. Indeed, the exposed OPM data relates to all non-intelligence and non-military employees, meaning that everyone from FBI agents and Secret Service personnel to cabinet officials and President Obama may be counted among the victims, ABC News reports.

Experts also say the information harvested via the OPM breach could now be used for espionage purposes, including attempts to blackmail officials or experts into spying. "They are pumping this through their databases just as the NSA pumps telephone data through their databases," James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, tells the Times. "It gives the Chinese the ability to exploit who is listed as a foreign contact. And if you are a Chinese person who didn't report your contacts or relationships with an American, you may have a problem."

Unions Seek Breach Transparency

Following the data breach, meanwhile, federal employees are demanding to know more. The American Federation of Government Employees (AFGE) union, which represents 670,000 employees, on June 11 alleged that the White House has yet to detail the full extent of the breach, on the grounds of the related "ongoing criminal investigation." While admitting that it does not have access to details of that investigation, the union nevertheless believes that Social Security numbers, among other personally identifiable information, were exposed for all current, and many former, federal workers.

In a letter to OPM director Archuleta, AFGE President J. David Cox said that based on the incomplete information that the union has received from OPM, "We believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees."

Meanwhile, the National Federation of Federal Employees (NFFE), which represents more than 110,000 government employees across the country, says that the 18 months of identity theft monitoring services that OPM promised to employees - at a cost of $20 million - which was to commence June 8, as yet remains unavailable. "We want to start seeing real answers to the legitimate and numerous concerns of exposed federal employees," NFFE National President William Dougan says in a statement. "While we understand there is immense complexity with reviewing a cyberattack, the response to this point has been inadequate. There needs to be far more transparency and support provided in this trying time for federal employees."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network