China: Chinese Criminals Hacked OPM

American Experts Skeptical About Chinese Claim of No Government Involvement
The Chinese government concedes the attack on U.S. Office of Personnel Management computers emanated from China, but it contends the culprits were criminals, not individuals working for the Chinese government or military. Some experts in the United States aren't buying the Chinese government's explanation.

The acknowledgement that the attack originated in China appeared deeply buried in a Dec. 1 report by Xinhua, the state-run news agency, about cybersecurity talks conducted this week between high-level Chinese and American government officials.

"Among the cases discussed included the one related to the alleged theft of data of the U.S. Office of Personnel Management by Chinese hackers," Xinhua reports. "Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyberattack as the U.S. side has previously suspected."

Xinhua provided no other details on the alleged criminal attack on OPM.

Arrests Reported

However, late on Dec. 2, the Washington Post reported that the Chinese government arrested a handful of hackers it says were connected to the OPM breach. But the report said the identities of the suspects - and whether they have any connection to the Chinese government - remain unclear.

"We don't know that if the arrests the Chinese purported to have made are the guilty parties," one U.S. official, who like others interviewed spoke on condition of anonymity because of the subject's sensitivity, told the Post. "There is a history [in China] of people being arrested for things they didn't do or other 'crimes against the state.' "

The breach exposed the personal information of 21.5 million people, many with top security clearances. Some U.S. experts familiar with Chinese cyber activities expressed skepticism that the attack was not state-sponsored, saying they could understand the motivation for the government or military to seek information on millions of Americans with security clearances, but could not see a motivation for criminals to access the information.

Experts: Criminal Attack Evidence Lacking

"The explanation I've heard - some criminal stumbled into the database - makes no sense," says Martin Libicki, senior management scientist at the think tank Rand Corp. "Remember, OPM is not a lone incident: it was part of a pattern that included an earlier sally into OPM, but also USIS, Anthem, Premera, American Airlines and United. Furthermore, I've not heard of any of the data finding its way into black markets, which is otherwise standard with criminal cyberattacks."

Cybersecurity author Richard Stiennon also has not seen any evidence criminals were behind the OPM attack. "Cybercriminals start to use stolen identity data almost immediately while it is still fresh and credit protections are not put in place," he says. "I have seen no evidence of this activity. That points to another class of actor, a nation state."

Still, Stiennon says, the stolen OPM data could be valuable to identity thieves for the purpose of blackmail in certain cases. "Once again," he says, "no evidence for that."

The Council on Foreign Relations' David Fidler addresses the skepticism surrounding the Chinese claim that criminals hacked OPM servers.

Shortly after the OPM breach was revealed in June, top U.S. government officials said they suspected the Chinese government or its People's Liberation Army was behind the attacks. Director of National Intelligence James Clapper pointed to China as the prime suspect (see OPM Breach: China Leading Suspect). "Don't take this the wrong way," Clapper told the Geoint Security conference in June. "You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute."

Close Ties with Criminals?

Security consultant Robert Bigman, former CISO at the CIA, doesn't dismiss the contention that criminals conducted the attack, but believes the Chinese government would have known about it, and perhaps approved the assault. "The Chinese government has an intimate relationship with criminal elements, and I do not believe that they would have taken on this activity without government direction and support," Bigman says.

IT security consultant Patrick Gray, a retired FBI special agent and former principal security strategist at Cisco, says China's control of the Internet within its borders - the Great Firewall of China - means officials monitor the online activities of its citizens. "With the rules and availability of Internet access in China, I would doubt that free-ranging hackers in China would have the access necessary to conduct not only the scanning necessary to learn about your target's network but the actual attacks themselves," Gray says.

Blaming criminals for the breach diverts attention from the consistent claim of the Chinese government that it doesn't conduct cyber-espionage. "They really want to put this OPM issue behind them in terms of the dialogue with the United States on cyber and other issues, so this is one way to try to do that from their perspective," says David Fidler, an adjunct senior fellow for cybersecurity at the Council on Foreign Relations.

Fidler says the Chinese believe if they fault criminals for the OPM breach, U.S. and China "can move on" in their cyber relationship. "It's consistent with the way China has presented its policies and its behavior, but I doubt very much whether the U.S. government buys this story."

Evolving Relations

Still, some experts say the fact that the Chinese government admits the hack originated in China should be seen as progress. "The real news is that China does not dispute that Chinese persons were behind the attacks," says Bruce McConnell, a former cybersecurity official at the Department of Homeland Security.

And a former White House cybersecurity adviser adds that at least the Chinese didn't blame the U.S. government for the OPM breach. "That's progress," the ex-official says. "We're not in a relationship that will change overnight, but it's changing pretty fast."

Attorney General Loretta Lynch and Homeland Security Secretary Jeh Johnson this week have been meeting with Chinese State Councilor and Minister of Public Security Guo Shengkun to improve relations on cyber matters. Neither the Justice Department nor DHS immediately responded to requests for comment on the meetings and on China's claim that the attack on OPM systems was not state-sponsored.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
