Office of Personnel Management data breach (2015): Difference between revisions

From International cyber law: interactive toolkit
Jump to navigation Jump to search
No edit summary
m (Fluency, grammar etc.)
 
Line 1: Line 1:
 
{| class="wikitable"
 
{| class="wikitable"
 
! scope="row"|Date
 
! scope="row"|Date
| The exact date of the breach into Office of Personnel Management servers is unknown. Nevertheless, malware resided on the servers at least since 2012 and the earliest known malicious activity so far disclosed dates back to November 2013. The gravest part of the attack – an exfiltration of background investigation and personal data – was carried out between June 2014 and March 2015. The attack was not completely blocked until 30 June 2015.<ref>[https://archive.org/stream/ReportFromTheCommitteeOnOversightAndGovernmentReformOnTheOPMBreach/Report%20from%20the%20Committee%20on%20Oversight%20and%20Government%20Reform%20on%20the%20OPM%20Breach_djvu.txt “Report from the Committee on Oversight and Government Reform on the OPM Breach”] (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.</ref>
+
| The exact date of the breach into Office of Personnel Management servers is unknown. Nevertheless, malware had been residing in the servers since at least 2012 and the earliest known malicious activity so far disclosed dates back to November 2013. The gravest part of the attack – an exfiltration of background investigation and personal data – was carried out between June 2014 and March 2015. The attack was not completely blocked until 30 June 2015.<ref>[https://archive.org/stream/ReportFromTheCommitteeOnOversightAndGovernmentReformOnTheOPMBreach/Report%20from%20the%20Committee%20on%20Oversight%20and%20Government%20Reform%20on%20the%20OPM%20Breach_djvu.txt “Report from the Committee on Oversight and Government Reform on the OPM Breach”] (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.</ref>
 
|-
 
|-
 
! scope="row"|Suspected actor
 
! scope="row"|Suspected actor
|Unknown state-sponsored group working for Chinese government.<ref>Josh Fruhlinger, [https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html “The OPM hack explained: Bad security practices meet China's Captain America”] (November 6, 2018), CSO.</ref><ref>Ian Smith, [https://www.fedsmith.com/2018/09/21/bolton-confirms-china-behind-opm-data-breaches/ “Bolton Confirms China was Behind OPM Data Breaches”] (September 21, 2018), FedSmith.com.</ref>
+
|Unknown state-sponsored group working for the Chinese government.<ref>Josh Fruhlinger, [https://www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html “The OPM hack explained: Bad security practices meet China's Captain America”] (November 6, 2018), CSO.</ref><ref>Ian Smith, [https://www.fedsmith.com/2018/09/21/bolton-confirms-china-behind-opm-data-breaches/ “Bolton Confirms China was Behind OPM Data Breaches”] (September 21, 2018), FedSmith.com.</ref>
 
|-
 
|-
 
! scope="row"|Target
 
! scope="row"|Target
Line 13: Line 13:
 
|-
 
|-
 
! scope="row"|Method
 
! scope="row"|Method
|It's not entirely clear how attackers gained access to OPM's networks. In the first phase an attacker (A1) used a domain registered in the OPM server and exfiltrated IT system architecture and manuals. OPM found out about A1’s malicious activity and began to monitor it. Later, another separate attack was carried out by an attacker (A2) associated with A1 who posed as a background investigations contractor KeyPoint and, using an OPM credential, remotely accessed OPM’s network and installed PlugX malware to create a backdoor. On 27 May 2014 the OPM shut down its compromised systems in an effort to avoid more severe breach by A1. While the OPM successfully expelled A1, A2, thanks to the backdoor, preserved its presence on the OPM network and later moved through the OPM environment to the U.S. Department of Interior data center where OPM personnel records were stored. The data exfiltration had been continuing undiscovered until April 2015 when an OPM contractor working on IT security detected a suspicious activity on OPM network.
+
|It is not entirely clear how attackers gained access to OPM's networks. In the first phase, an attacker (A1) used a domain registered in the OPM server and exfiltrated IT system architecture and manuals. OPM found out about A1’s malicious activity and began to monitor it. Later, another separate attack was carried out by an attacker (A2) associated with A1 who posed as a background investigations contractor - KeyPoint - and, using an OPM credential, remotely accessed OPM’s network and installed PlugX malware to create a backdoor. On 27 May 2014 the OPM shut down its compromised systems in an effort to avoid more severe breaches by A1. While the OPM successfully expelled A1, A2, thanks to the backdoor, preserved its presence on the OPM network and later moved through the OPM environment to the U.S. Department of Interior data center where OPM personnel records were stored. The data exfiltration continued undiscovered until April 2015, when an OPM contractor working on IT security detected suspicious activity on the OPM network.
 
|-
 
|-
 
! scope="row"|Purpose
 
! scope="row"|Purpose
|Unclear. The attack was seen as an effort to gain valuable information about U.S. agencies and their employees as a part of an espionage campaign.<ref>Tom Risen, Staff Writer, [https://www.usnews.com/news/articles/2015/06/05/china-suspected-in-theft-of-federal-employee-records “China Suspected in Theft of Federal Employee Records”] (June 5, 2015), US News.</ref> Personal data of the U.S. employees could be also used for financial gain. Actually, some employees affected by the hack claimed that they have been subject to fraudulent credit charges, tax filings and other instances of identity theft that could credibly trace back to the OPM breaches.<ref>Eric Katz, [https://www.govexec.com/pay-benefits/2019/06/feds-suing-opm-score-early-win-lawsuit-over-data-hacks/157970/ “Federal Employees Suing OPM Score Win in Lawsuit Over Data Hacks”] (June 24, 2019), Government Executive.</ref>
+
|Unclear. The attack was seen as an effort to gain valuable information about U.S. agencies and their employees as a part of an espionage campaign.<ref>Tom Risen, Staff Writer, [https://www.usnews.com/news/articles/2015/06/05/china-suspected-in-theft-of-federal-employee-records “China Suspected in Theft of Federal Employee Records”] (June 5, 2015), US News.</ref> The personal data of the U.S. employees could be also used for financial gain. Actually, some employees affected by the hack have claimed that they have been subjected to fraudulent credit charges, tax filings and other instances of identity theft that could credibly trace back to the OPM breaches.<ref>Eric Katz, [https://www.govexec.com/pay-benefits/2019/06/feds-suing-opm-score-early-win-lawsuit-over-data-hacks/157970/ “Federal Employees Suing OPM Score Win in Lawsuit Over Data Hacks”] (June 24, 2019), Government Executive.</ref>
 
|-
 
|-
 
! scope="row"|Result
 
! scope="row"|Result
|Sensitive information of 21.5 million individuals - applicants for security clearances and their relatives - was stolen from the background investigation databases including approximately 5.6 million fingerprints. Moreover, OPM discovered that the personnel data such as name, birth date, home address and Social Security Numbers of 4.2 million current and former Federal government employees had been stolen.<ref>[https://www.opm.gov/cybersecurity/cybersecurity-incidents/ “CYBERSECURITY INCIDENTS“], Office of Personnel Management. </ref>
+
|Sensitive information of 21.5 million individuals - applicants for security clearances and their relatives - was stolen from the background investigation databases, including approximately 5.6 million fingerprints. Moreover, OPM discovered that personnel data such as the name, birth date, home address and Social Security Numbers of 4.2 million current and former Federal government employees had been stolen.<ref>[https://www.opm.gov/cybersecurity/cybersecurity-incidents/ “CYBERSECURITY INCIDENTS“], Office of Personnel Management. </ref>
 
|-
 
|-
 
! scope="row"|Aftermath
 
! scope="row"|Aftermath
|OPM Director Katherine Archuleta as well as OPM chief information officer Donna Seymour resigned.<ref>[https://archive.org/stream/ReportFromTheCommitteeOnOversightAndGovernmentReformOnTheOPMBreach/Report%20from%20the%20Committee%20on%20Oversight%20and%20Government%20Reform%20on%20the%20OPM%20Breach_djvu.txt “Report from the Committee on Oversight and Government Reform on the OPM Breach”] (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.</ref> Furthermore, two federal employee unions and several individuals sued OPM and KeyPoint for a violation of a constitutional right to informational privacy. The trial is still ongoing but so far the courts keep deciding that this constitutional right was not violated.<ref>Amelia Brust, David Thornton, [https://federalnewsnetwork.com/opm-cyber-breach/2019/06/appeals-court-rules-opm-data-breach-left-people-vulnerable-to-harm/ “Appeals court rules OPM data breach left people vulnerable to harm”] (June 27, 2019), Federal News Network.</ref>
+
|OPM Director Katherine Archuleta as well as OPM chief information officer Donna Seymour resigned.<ref>[https://archive.org/stream/ReportFromTheCommitteeOnOversightAndGovernmentReformOnTheOPMBreach/Report%20from%20the%20Committee%20on%20Oversight%20and%20Government%20Reform%20on%20the%20OPM%20Breach_djvu.txt “Report from the Committee on Oversight and Government Reform on the OPM Breach”] (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.</ref> Furthermore, two federal employee unions and several individuals sued OPM and KeyPoint for a violation of a constitutional right to informational privacy. The trial is still ongoing but so far the courts have found that this constitutional right had not been violated.<ref>Amelia Brust, David Thornton, [https://federalnewsnetwork.com/opm-cyber-breach/2019/06/appeals-court-rules-opm-data-breach-left-people-vulnerable-to-harm/ “Appeals court rules OPM data breach left people vulnerable to harm”] (June 27, 2019), Federal News Network.</ref>
Even though the Obama administration decided not to blame China for the massive breach in 2015,<ref>Ellen Nakashima, [https://www.washingtonpost.com/world/national-security/us-avoids-blaming-china-in-data-theft-seen-as-fair-game-in-espionage/2015/07/21/03779096-2eee-11e5-8353-1215475949f4_story.html “U.S. decides against publicly blaming China for data hack”] (July 21, 2015), The Washington Post. </ref> there was a strong belief that China was responsible for the attack. Chinese officials denied all the accusations calling them irresponsible and unscientific.<ref>Dominic Rushe, [https://www.theguardian.com/technology/2015/jun/04/us-government-massive-data-breach-employee-records-security-clearances “OPM hack: China blamed for massive breach of US government data”] (June 5, 2015), The Guardian.</ref> Later in 2017, President-elect Donald Trump said China was behind the massive breach.<ref>Michael D. Shear, David E. Sanger, [https://www.nytimes.com/2017/01/06/us/politics/donald-trump-wall-hack-russia.html?_r=0 “Putin Led a Complex Cyberattack Scheme to Aid Trump, Report Finds”] (January 6, 2017), The New York Times</ref> The same statement came also from John Bolton, White House National Security Adviser.<ref>Ian Smith, [https://www.fedsmith.com/2018/09/21/bolton-confirms-china-behind-opm-data-breaches/ “Bolton Confirms China was Behind OPM Data Breaches”] (September 21, 2018), FedSmith.com. </ref> Finally, it is worth noting that a Chinese national was arrested by FBI after being accused of conspiring with others to use Sakuta, a malware deployed in the OPM breach. <ref>Joseph Menn, [https://www.reuters.com/article/us-usa-cyber-opm/chinese-national-arrested-in-los-angeles-on-u-s-hacking-charge-idUSKCN1B42RM “Chinese national arrested in Los Angeles on U.S. hacking charge”] (August 25, 2017), Reuters.</ref>
+
Even though the Obama administration decided not to blame China for the massive breach in 2015,<ref>Ellen Nakashima, [https://www.washingtonpost.com/world/national-security/us-avoids-blaming-china-in-data-theft-seen-as-fair-game-in-espionage/2015/07/21/03779096-2eee-11e5-8353-1215475949f4_story.html “U.S. decides against publicly blaming China for data hack”] (July 21, 2015), The Washington Post. </ref> there was a strong belief that China was responsible for the attack. Chinese officials denied all the accusations, calling them irresponsible and unscientific.<ref>Dominic Rushe, [https://www.theguardian.com/technology/2015/jun/04/us-government-massive-data-breach-employee-records-security-clearances “OPM hack: China blamed for massive breach of US government data”] (June 5, 2015), The Guardian.</ref> Later in 2017, President-elect Donald Trump said China was behind the massive breach.<ref>Michael D. Shear, David E. Sanger, [https://www.nytimes.com/2017/01/06/us/politics/donald-trump-wall-hack-russia.html?_r=0 “Putin Led a Complex Cyberattack Scheme to Aid Trump, Report Finds”] (January 6, 2017), The New York Times</ref> The same statement came also from John Bolton, White House National Security Adviser.<ref>Ian Smith, [https://www.fedsmith.com/2018/09/21/bolton-confirms-china-behind-opm-data-breaches/ “Bolton Confirms China was Behind OPM Data Breaches”] (September 21, 2018), FedSmith.com. </ref> Finally, it is worth noting that a Chinese national was arrested by FBI after being accused of conspiring with others to use Sakuta, a malware deployed in the OPM breach. <ref>Joseph Menn, [https://www.reuters.com/article/us-usa-cyber-opm/chinese-national-arrested-in-los-angeles-on-u-s-hacking-charge-idUSKCN1B42RM “Chinese national arrested in Los Angeles on U.S. hacking charge”] (August 25, 2017), Reuters.</ref>
 
|-
 
|-
 
! scope="row"|Analysed in
 
! scope="row"|Analysed in

Latest revision as of 07:21, 4 June 2021

Date The exact date of the breach into Office of Personnel Management servers is unknown. Nevertheless, malware had been residing in the servers since at least 2012 and the earliest known malicious activity so far disclosed dates back to November 2013. The gravest part of the attack – an exfiltration of background investigation and personal data – was carried out between June 2014 and March 2015. The attack was not completely blocked until 30 June 2015.[1]
Suspected actor Unknown state-sponsored group working for the Chinese government.[2][3]
Target United States Office of Personnel Management
Target systems n/a
Method It is not entirely clear how attackers gained access to OPM's networks. In the first phase, an attacker (A1) used a domain registered in the OPM server and exfiltrated IT system architecture and manuals. OPM found out about A1’s malicious activity and began to monitor it. Later, another separate attack was carried out by an attacker (A2) associated with A1 who posed as a background investigations contractor - KeyPoint - and, using an OPM credential, remotely accessed OPM’s network and installed PlugX malware to create a backdoor. On 27 May 2014 the OPM shut down its compromised systems in an effort to avoid more severe breaches by A1. While the OPM successfully expelled A1, A2, thanks to the backdoor, preserved its presence on the OPM network and later moved through the OPM environment to the U.S. Department of Interior data center where OPM personnel records were stored. The data exfiltration continued undiscovered until April 2015, when an OPM contractor working on IT security detected suspicious activity on the OPM network.
Purpose Unclear. The attack was seen as an effort to gain valuable information about U.S. agencies and their employees as a part of an espionage campaign.[4] The personal data of the U.S. employees could be also used for financial gain. Actually, some employees affected by the hack have claimed that they have been subjected to fraudulent credit charges, tax filings and other instances of identity theft that could credibly trace back to the OPM breaches.[5]
Result Sensitive information of 21.5 million individuals - applicants for security clearances and their relatives - was stolen from the background investigation databases, including approximately 5.6 million fingerprints. Moreover, OPM discovered that personnel data such as the name, birth date, home address and Social Security Numbers of 4.2 million current and former Federal government employees had been stolen.[6]
Aftermath OPM Director Katherine Archuleta as well as OPM chief information officer Donna Seymour resigned.[7] Furthermore, two federal employee unions and several individuals sued OPM and KeyPoint for a violation of a constitutional right to informational privacy. The trial is still ongoing but so far the courts have found that this constitutional right had not been violated.[8]

Even though the Obama administration decided not to blame China for the massive breach in 2015,[9] there was a strong belief that China was responsible for the attack. Chinese officials denied all the accusations, calling them irresponsible and unscientific.[10] Later in 2017, President-elect Donald Trump said China was behind the massive breach.[11] The same statement came also from John Bolton, White House National Security Adviser.[12] Finally, it is worth noting that a Chinese national was arrested by FBI after being accused of conspiring with others to use Sakuta, a malware deployed in the OPM breach. [13]

Analysed in Scenario 02: Cyber espionage against government departments

Collected by: Adam Botek

  1. “Report from the Committee on Oversight and Government Reform on the OPM Breach” (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.
  2. Josh Fruhlinger, “The OPM hack explained: Bad security practices meet China's Captain America” (November 6, 2018), CSO.
  3. Ian Smith, “Bolton Confirms China was Behind OPM Data Breaches” (September 21, 2018), FedSmith.com.
  4. Tom Risen, Staff Writer, “China Suspected in Theft of Federal Employee Records” (June 5, 2015), US News.
  5. Eric Katz, “Federal Employees Suing OPM Score Win in Lawsuit Over Data Hacks” (June 24, 2019), Government Executive.
  6. “CYBERSECURITY INCIDENTS“, Office of Personnel Management.
  7. “Report from the Committee on Oversight and Government Reform on the OPM Breach” (September 7, 2016), Committee on Oversight and Government Reform, U.S. House of Representatives.
  8. Amelia Brust, David Thornton, “Appeals court rules OPM data breach left people vulnerable to harm” (June 27, 2019), Federal News Network.
  9. Ellen Nakashima, “U.S. decides against publicly blaming China for data hack” (July 21, 2015), The Washington Post.
  10. Dominic Rushe, “OPM hack: China blamed for massive breach of US government data” (June 5, 2015), The Guardian.
  11. Michael D. Shear, David E. Sanger, “Putin Led a Complex Cyberattack Scheme to Aid Trump, Report Finds” (January 6, 2017), The New York Times
  12. Ian Smith, “Bolton Confirms China was Behind OPM Data Breaches” (September 21, 2018), FedSmith.com.
  13. Joseph Menn, “Chinese national arrested in Los Angeles on U.S. hacking charge” (August 25, 2017), Reuters.