WHAT HAPPENED IN THE OPM DATA BREACH
As the relationship between humanity and technology develops, an emergent area of concern lies in the security of the information ferried over and handled by this technology. The myriad of information security incidents and data breaches reported by news media in the recent past has had the simultaneously fortunate and unfortunate effect of bringing information and network security into the public consciousness. One such incident was the United States (US) Office of Personnel Management (OPM) data breach.
While there are many aspects of the OPM data breach that are notable, chief among them is that the perpetrator of this data breach has been widely attributed to China. As China increases its economic clout and develops its technological capabilities, its international presence is becoming more and more pronounced—and not always in the best light. Sanger (2018) has noted that by 2009, Google executives had noticed state-sponsored Chinese hackers inside their networks (p. 107). Google is not the only victim. Since 2009, Goldsmith (2015) has documented no fewer than twenty cyberattacks on US organizations, ranging from airlines (United and American Airlines) and the energy sector (SolarWorld, Westinghouse) to media outlets (New York Times) and research and development (R&D) entities (Penn State University and NASA). These attacks are all widely attributed to China. Furthermore, as recently as last year, the New York Times (Sanger, Perlroth, Thrush & Rappeport, 2018) reported not only that there had been another large-scale US data breach—this time at the Marriott chain of hotels—but that this too was attributable to Chinese attackers. As such, there is evidence to suggest that the OPM data breach is only one of several of its kind. Albeit significant and expansive in scope, it is presumably only one of many operations designed and implemented to serve China’s foreign policy. In looking at the OPM data breach in context with other attacks of a similar nature, the patterns established not only reify many of the ideas and concepts discussed by Classical Strategists such as Sun Tzu, Thucydides, Clausewitz and Corbett, but they also suggest a worrying trend in US-China relations that, if mismanaged, could lead to unwelcome internecine escalation.
News of the OPM data breach first rattled the public in the middle of 2015. Yet inklings of the incident were reported as early as July of 2014 (Schmidt, Sanger & Perlroth, 2014). Whereas Washington, in 2014, confidently stated that it had “no reason to believe personally identifiable information for employees was compromised” (Schmidt et al., 2014) in the OPM cyberattack of November 2013, by 2015 the winds had shifted drastically. The initial report of the hack on OPM was presented as fairly innocuous: it involved the stealing of “manuals about OPM IT assets” (Sternstein & Moore, 2015). The perpetrators of this hack were dubbed X1 (Fruhlinger, 2018). However, later discoveries indicated that by December of 2013, hackers had successfully infiltrated two of OPM’s contractors, US Investigation Services (USIS) and KeyPoint Government Solutions. The attackers had been in “both contractors’ systems for months before being detected” (Sternstein & Moore, 2015). It is believed that these attackers, dubbed X2, had used stolen credentials from KeyPoint to access OPM servers. According to Fruhlinger (2018), once X2 had accessed OPM servers and gained root access, it not only had access to all of OPM’s networks but was also able to install a variant of the PlugX malware, “a remote-access tool commonly deployed by Chinese-speaking hacking units” (Koerner, 2016). By May of 2014, X2 intruders had successfully accessed past and present personnel files (Koerner, 2016).
It was almost fortuitous and by chance that the Americans discovered this data breach. As Koerner (2016) has reported, on the morning of April 15, 2015, an OPM security engineer, Brendan Saulsbury, uncovered outbound traffic going to a domain named “opmsecurity.org”. This was peculiar because OPM did not own this domain. Further investigation by Saulsbury and his colleagues revealed that the source of the outbound traffic was a file named “mcutil.dll” (Koerner, 2016), which is the name of a standard component of McAfee’s proprietary security software. This would have been unremarkable if OPM used McAfee security software, but OPM did not. Saulsbury and his colleagues would later find that mcutil.dll was a cloak intended to hide a piece of malware that gave an intruder access to the OPM servers (Koerner, 2016). Further investigation revealed that the malicious actor had installed approximately 2000 different pieces of malware across OPM’s network (Koerner, 2016). Yet further investigation into the domain “opmsecurity.org” (Koerner, 2016) revealed that it was registered to Steve Rogers, the civilian name of the Marvel character Captain America. Furthermore, “opmsecurity.org” (Koerner, 2016) was shown to have been registered on April 25, 2014, which meant that traffic could have been going to this domain for a whole year. All signs were pointing to foul play.
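The two observations that exposed the intrusion described above (outbound traffic to a look-alike domain the organisation does not own, and a module named after a security product that is not installed on the host) can be turned into simple detection rules. The following is an added illustration, not code from the original post or from OPM; the host names, asset inventory, log format and log lines are constructed, and the registrable-domain cut is deliberately crude.

```python
# Added example (not from the original post or from OPM): a small detection
# pass mirroring the two clues that exposed the intrusion: outbound traffic to
# a look-alike domain the organisation does not own, and a module named after
# a security product that is not installed on the host. All data is constructed.
from datetime import date
OWNED_DOMAINS = {"opm.gov"}                  # hypothetical inventory
ORG_TOKENS = ("opm",)                        # strings a look-alike domain reuses
INSTALLED_VENDORS = {"HOST-A": set(), "HOST-B": {"mcafee"}}
VENDOR_MODULES = {"mcutil.dll": "mcafee"}    # component name -> vendor

def parse_line(line):
    # Constructed log format: "<host> <module> -> <destination domain>"
    host, module, _, dest = line.split()
    return host, module.lower(), dest.lower().rstrip(".")

def registered_domain(fqdn):
    # Crude registrable-domain cut (last two labels); adequate for the sample.
    parts = fqdn.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else fqdn

def analyse(lines):
    """Return (host, rule, detail) tuples for every suspicious line."""
    findings = []
    for line in lines:
        host, module, dest = parse_line(line)
        base = registered_domain(dest)
        # Rule 1: destination reuses the org's name but is not an owned domain.
        if base not in OWNED_DOMAINS and any(t in base for t in ORG_TOKENS):
            findings.append((host, "lookalike-domain", f"{module} -> {dest}"))
        # Rule 2: module impersonates a vendor product absent from this host.
        vendor = VENDOR_MODULES.get(module)
        if vendor and vendor not in INSTALLED_VENDORS.get(host, set()):
            findings.append((host, "orphan-vendor-module", f"{module} without {vendor}"))
    return findings

def exposure_days(registered_iso, detected_iso):
    # Upper bound on how long traffic could have flowed before detection.
    return (date.fromisoformat(detected_iso) - date.fromisoformat(registered_iso)).days

SAMPLE_LOG = [  # constructed lines
    "HOST-A mcutil.dll -> opmsecurity.org",
    "HOST-B mcutil.dll -> update.mcafee.com",
    "HOST-A chrome.exe -> www.opm.gov",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
    print(exposure_days("2014-04-25", "2015-04-15"), "days of possible beaconing")
```

Run stand-alone, the script flags only the first sample line (on both rules) and computes the window between the domain's registration and the April 2015 discovery.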
As the story developed, revelations about the OPM data breach proved worrisome. As Segal (2018) has reported, this data breach affected “22 million records, including security background checks and data on intelligence and military personnel, as well as the fingerprint data of 5.6 million people” (p. 115). Not only did the OPM data breach include Standard Form 86 (SF-86)—a comprehensive 127-page screening form that anyone who seeks a security clearance with the American government is required to complete—but this data breach also, according to Adams (2016), included “clearance adjudication information”. This information is used to determine “eligibility for access to classified information” (Adams, 2016) and is even more expansive and probing than the scope of SF-86. Data from SF-86 forms could include sensitive and personal pieces of information such as family details, social security numbers, foreign relationships, travel history and the mental and physical health of a person (Inklea, Christensen, Fischer, Lawrence, & Theohary, 2015). Yet clearance adjudication information could be even more probing, “rang[ing] from information on ‘sexual behavior’ that ‘reflects lack of discretion or judgement’ to evidence of ‘foreign influence’ ” (Adams, 2016). Furthermore, “a simple Top Secret single-scope background investigation includes a ‘Personal Subject Interview’ and ‘interviews with neighbors, employers, educators, references and spouses/cohabitants’ ” (Adams, 2016).
In investigating the malware and trying to piece together the actions of X1 and X2 and what they had stolen, the evidence seemed to suggest that X1 and X2 were attributable to China. Digital footprints left by X1 and X2 hackers, such as destination “IP addresses… [and] telltale email accounts” (Koerner, 2016), strongly suggest that the source of the attack was China. Furthermore, around the same time that the OPM data breach occurred, American healthcare insurer Anthem experienced a similarly large-scale data breach involving the medical records of 80 million Americans (Goldsmith, 2015). Investigations into the Anthem data breach revealed a similarity: traffic going to a domain registered not to Anthem but to a Tony Stark, the civilian handle of Marvel’s Iron Man. What is even more damning is that the domain was called “opm-learning.org”, and this data breach was largely attributed to China as well (Koerner, 2016). Furthermore, several characteristics of these data breaches also suggest that they are state-sponsored attacks: (1) The exfiltrated data—from both OPM and Anthem—has not appeared on the Internet or been sold for commercial gain (Inklea et al., 2015). (2) The expansive scope of these data breaches, coupled with the attackers’ persistence, suggests motives beyond petty crime. As previously mentioned, the OPM network had over 2000 different pieces of malware installed across various parts of the network. Such redundancy is suggestive of a state-sponsored attack, as it is significantly less likely that a private actor would expend such time, effort or resources, let alone have access to such resources.
Note: For the complete report, "Analyzing US-China Relations through the Lens of Classical Strategy: Office of Personnel Management (OPM): A Case Study", please contact either of the authors.
Credit:
Carmen Wong
Charvik Patel
Gordon Bazinet
References:
Adams, M. (2016, March 11). Why the OPM hack is far worse than you imagine. Lawfare. Retrieved from https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine
Fruhlinger, J. (2018). The OPM hack explained: bad security practices meet China’s Captain America. CSO. Retrieved from https://www.csoonline.com/about/about.html
Gidda, M. (2013). Edward Snowden and the NSA files. The Guardian. Retrieved from https://www.theguardian.com/world/2013/jun/23/edward-snowden-nsa-files-timeline
Goldsmith, J. (2015). Disconcerting US cyber deterrence trouble continues. Lawfare. Retrieved from https://www.lawfareblog.com/disconcerting-us-cyber-deterrence-troubles-continue
Inklea, K., Christensen, M., Fischer, E., Lawrence, S., & Theohary, C. (2015, July 17). Cyber intrusion into US Office of Personnel Management: In Brief. Congressional Research Service. Retrieved from https://fas.org/sgp/crs/natsec/R44111.pdf
Koerner, B. I. (2016, October 23). Inside the cyberattack that shocked the US government. Wired. Retrieved from https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
Macias, A. (2018). The extraordinary reading habits of defense secretary James Mattis. CNBC. Retrieved from https://www.cnbc.com/2018/09/13/defense-secretary-james-mattis-extraordinary-reading-habits.html
Maurer, T. (2018). Cyber mercenaries: the state, hackers, and power [Amazon Kindle version]. Cambridge: Cambridge University Press. Retrieved from Amazon.com
McGee, M. K. (2017). A new in-depth analysis of Anthem breach. Bank Info Security. Retrieved from https://www.bankinfosecurity.com/new-in-depth-analysis-anthem-breach-a-9627