This report discusses the data breach at the US Office of Personnel Management (OPM), which occurred between 2012 to 2015 and was attributed to APT1. More than 20 million records on US Federal government employees were stolen in what NSA’s senior counsel called the theft of the Government’s crown jewels.
Introduction
In 16th-Century England, Queen Elizabeth I (a protestant) was under constant threat from the Catholics. To keep her safe, she appointed the spymaster Sir Francis Walsingham_. He was said to have a vast spy network all over Europe. Agents infiltrated rebel groups, merchant fleets and even posed as catholic priests. Walsingham’s spies would report back information such as names of rebels and potential plots. Spying carried out by humans like this is known in the intelligence community as HUMINT. With the introduction of the telegraph and radio communications in the late 19th, early 20th Centuries, intelligence agencies adapted and developed signals intelligence (SIGINT) to intercept and decode these communications.
Fast forward to the 21st-Century, and today, SIGINT is the primary method of intelligence gathering. Furthermore, we have seen the development of offensive capabilities by nation-states that break into computers over the internet to steal sensitive or classified information. An early example of this new kind of espionage was the Moonlight Maze attacks of 1998-1999. Russia was attributed to this attack whereby hackers broke into networks at the US Airforce, National Aeronautics and Space Administration (NASA) and universities. Russia reportedly stole military installation maps, hardware designs and other sensitive information (Rid, 2012, p. 15).
This report will discuss the data breach at the US Office of Personnel Management (OPM), which occurred between 2012 to 2015 and has been attributed to China’s Unit 61398 (part of the People’s Liberation Army), also known as APT1 (Mandiant, 2013). This report will also characterise the type of cyber-conflict the OPM attack falls into based on academic definitions. This report will summarise the events relating to the attack with some discussion of attribution and tradecraft. It will discuss the motivation and consequences of the attack, the technical and political response to the attack, and the directive and technical security controls that could have been put in place to prevent or mitigate the attack.
The OPM Data Breach
On the 4th of June 2015, OPM announced the theft of 4.2 million federal government personnel records. The following month, on the 9th of July, OPM announced that there had been a further theft of 21.5 million sensitive personal records stolen in a separate incident. Of this theft, 19.7 million records of individuals that applied for background checks, 1.8 million records of spouses or co-habitants of background check applicants, and 5.6 million fingerprint records (US Office of Personnel Management, 2015). The announcements in the summer of 2015 were the culmination of a series of targeted attacks and thefts which had been carried out as far back as 2012.
The Type of Cyber-Conflict
The OPM breach would be characterised as a cyberwar incident by many academics such as Whyte & Mazanec (2018, p. 99). Cyberwar meaning a “discrete episode … [of] two politically recognisable entities engaged in hostile activities against one another entirely via cyberspace.” Using the more conservative definition of “cyberwar” by Rid (2012, p.20), the incident would only be characterised as cyber-espionage. Cyber-espionage is “an attempt to penetrate an adversarial system for purposes of extracting sensitive or protected information”, and according to Rid, the most common type of political cybersecurity incident.
Why OPM? The Motivation and Consequences of the Attack
OPM is a US Federal Government agency that provides services to other Federal Government agencies for human capital management leadership, benefits and vetting for security clearance. OPM performs background investigations for all prospective government employees, contractors and even federal judges and US Department of Defense personnel. Among the stolen data, the most sensitive was the database from the Electronic Questionnaires for Investigations Processing application (e-QIP). This application stored what was known as Standard Forms (SF) 85, 85P, and 86. These were correspondingly applications for non-sensitive positions, public trust positions, and national security positions (Finklea et al., 2015, p. 4). The SF-86 forms being personnel applications for the highest security clearances in government contain an applicant’s most personal details such as home addresses of the past ten years, home addresses of relatives, employment history (Committee on Oversight and Government Reform US House of Representatives [COGR], 2016, p. vi). The form also included a 127-page questionnaire about the applicant’s finances, illegal or controlled substance usage, relationships and sexual behaviour. The e-QIP data also contained applicant lie detector results and notes (Koerner, 2016). With such a trove of information on personnel with access to government secrets, it is plain to see why OPM was a high-value target for China’s Unit 61398. OPM was a primary target, which explains why there were a series of break-ins dating as far back as July 2012 (since attributed to APT1), with the agency unable to adequately defend itself, which ultimately led to the major incident in 2015 of having 21.5 million records stolen. Access to OPM’s data is extraordinarily beneficial for foreign intelligence, espionage and counter-intelligence. In the reports and analysis post-incident, experts hypothesised on the terrible things China could do or had done with the data, such as:
- Use the data for spear-phishing campaigns (Finklea et al., 2015, p. 4).
- Build a database of federal employees to help identify US officials and their roles. (Finklea et al., 2015, p. 4)
- Help them identify clandestine and covert officers and operations (Finklea et al., 2015, p. 4).
- Use the data for spy-recruiting purposes, knowing who has access to what, where they lived, and their financial circumstances (Koerner, 2016).
- 3-D printing stolen fingerprint data and have foreign operatives use them to bypass biometric security systems (Koerner, 2016).
- Alter existing personnel files or create fictitious personnel that could go undetected (Finklea et al., 2015, p. 4) . Although the Central Intelligence Agency (CIA) had said that their personnel data was not involved in the data breach as they maintain separate systems (Auerbach, 2015), personnel were recalled from the US Embassy in China in 2015 after the breach. Experts say this was because if China could identify all embassy staff involved in the breach, anyone not identified could be exposed as an intelligence agent (Nakashima & Goldman, 2015).
Timeline of the Data Breach(s)
Although the larger of the two significant exfiltrations was traced back to a social engineering attack where an attacker posed as a contractor to have credentials reset, the “exact details of how and when the attackers gained and established persistence… [in the 2012 attack] is not entirely clear.” (Committee on Oversight and Government Reform US House of Representatives (COGR), 2016, p. vii). OPM not knowing when they were compromised was indicative of poor cyber-hygiene and inadequate security technologies. The timeline in Table 1 below provides a summary of key events in the OPM breach.
Table 1, (COGR, 2016, pp. 5-13)
| Date | Event |
|---|---|
| July 2012 | The earliest date found of a “Hikit” rootkit install an OPM server. This malware was not discovered until March 2014. This was dubbed the “X1 hack”. |
| 7 May 2014 | Attacker poses as a contractor employee to gain OPM network credentials, remotely accesses OPM network, and uses privilege escalation (Mimikatz) on a jumphost and installs PlugX malware to establish a foothold in the network. The malware creates a backdoor which beacons out to opmsecurity.org. This goes unnoticed by OPM and US-CERT until March 2015. This was dubbed the “X2 hack”. |
| 27 May 2014 | OPM shutdowns compromised systems to get intruders out of the network after discovering keyloggers installed on several database administrator’s computers. This should have been a warning sign that attackers were going after critical databases. The Hikit infections was removed, and OPM reported that it had kicked out the intruders, but unbeknownst at the time, the PlugX RAT foothold remained undetected. |
| July - August 2014 | Attackers successfully exfiltrate the eQIP data from OPM systems of 21.5 million via opmsecurity.org. This would not be known until May 2015, and not |
| December 2014 | 4.2 million personnel records are exfiltrated from the ‘DOI’ database. This was the breach publicly reported on the 4th of June 2015. |
| March 2015 | Fingerprint data was exfiltrated. |
| 16 April 2015 | OPM security contractor notifies US-CERT about suspicious network activity to opmsecurity.org. |
| 16 April -25 April 2015 | OPM engages Cylance and deploys CylanceProtect. The tool “lights up like a Christmas tree. Cylance CEO quoted saying “their [OPM] f**ked BTW.” (Koerner, 2016). Security contractor CyFIR is also engaged on a handshake agreement who ultimately bill $800,000 worth of work they are never paid for (Fruhlinger, 2020). |
| 23 April 2015 | OPM declares a “major incident” involving the exfiltration of personnel data and notifies Congress. |
| 25 April – 26 April 2015 | A powergrid modernisation project shutdown over the weekend allows OPM to remove the X2 hacker over the weekend. |
| May 2015 | US-CERT establishes with a high degree of confidence that exfiltration of the eQIP database occurred between July and August 2014 |
| 4 June 2015 | OPM publicly discloses the compromise of 4.2 million records of current and former federal employees. |
| 9 July 2015 | OPM publicly discloses a further 21.5 million records were stolen, and 5.6 million fingerprint records. |
Attribution and Tradecraft
China’s Unit 61398 is an Advanced Persistent Threat (APT) and was given the codename ATP1 by Mandiant (formerly FireEye). ATP1 have conducted cyber-espionage campaigns as early as 2006, targeting both corporations and governments to steal information. As with other APTs, they are sophisticated nation-state attackers with thousands of staff and servers (Mandiant, 2013 p. 3). APTs develop their own brand of tooling and methodologies which can be used to determine attribution. All of the discovered intrusions at OPM between 2012 and 2015 can be attributed to APT1.
Attribution to APT1 is based on several grounds. Firstly, the domain names registered as the command and control servers (C&C, also known as C2) were opmlearning.org and opmsecurity.org. The whois registrant on these domains was Tony Stark and Steve Rodgers, respectively. The use of Avengers-themed names is a trademark of APT1, which has also been used in other attributable attacks such as the theft of personal data from health insurer Anthem. Furthermore, the IP addresses also point to known Unit 61398 netblocks traced to a building in Shanghai (Koerner, 2016).
In addition, the use of the Hikit rootkit used in the X1 hack is uniquely linked to use by the “Axiom Group”, a known elite hacking team within APT1. Although the use of the PlugX remote administration tool (RAT) used in the X2 attack alone is not sufficient enough alone to positively identify APT1, it is indicative. Other tools such as Mimikatz used to obtain domain administrator privileges are in common use not attributable to APT1. (COGR, 2016, p. 162)
The Aftermath
Whether the claimed success of the X2 attack was repelled successfully is unknown. The pivotal point in the OPM story was that once breaches were reported to Congress, there was major political fall out which led to the resignation of the OPM Director almost immediately after a painful Congress hearing, and the OPM CIO resigned the day before they were scheduled for another Congressional hearing in September 2015. In addition, there were several extensive reports (at least two of them made public) on the matter, which came with 13 key recommendations on what should be done to prevent similar events occurring in future. (COGR, 2016)
Recommendations
The COGR (2016, pp.20-28) report made thirteen recommendations. Only one of the thirteen recommendations was a technical control, being that federal information systems to move towards a “zero trust model”, where users inside the agency networks are treated in the same way that external users and that unfettered network access stops and only approved traffic flows occur. The use of multi-factor authentication was absent as this was a long-standing recommendation implemented (at least in part) by OPM after the X2 hacker had infiltrated the network. Several recommendations were on improving funding and access funds for cybersecurity in agencies. The other significant policy and directive control recommendations were:
- Ensuring Agency CIOs are empowered, accountable, competent and retained for at least five years.
- Reducing the amount of sensitive information Federal systems hold, the report indicates an over-reliance on the use of Social Security Numbers.
- Improving information sharing among agencies and in partnership with private industry for threat detection.
- Uplifting security on legacy systems identified as critical.
Conclusion
The OPM data breach was a significant turning point in how the US Government treats cybersecurity policy. Of the thirteen recommendation in the COGR Report is unclear how many have been fully implemented by the Government and federal agencies, further research in this area is required. The OPM breach has jeopardised US national security for a generation of Federal government personnel. The breaches have been described by former National Security Agency (NSA) senior counsel Joel Brenner as the theft of the Government’s “crown jewels” and a “gold mine for foreign intelligence agencies”. To date stands as one of the largest thefts of US Government personnel data and a “significant blow to US intelligence agencies”.