Antiquated environment and bad security practices aided OPM hackers

By now, you’ve all heard about the massive breach at the US Office of Personnel Management (OPM), and that the attackers accessed (and likely made off with) the personal information of approximately 4 million US federal workers, 2.1 million of whom are apparently current employees.

“OPM services the Federal workforce so the affected population includes Executive Branch agencies and employees,” the OPM explained in the FAQ section that followed the breach announcement.

Employees in the legislative or judicial branch have not been impacted by this intrusion, and military records have not been affected. “No contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.”

According to Reuters sources, the stolen data included security clearance information and background checks dating back to 1985. An internal memo they managed to peruse says that no State Department employees were affected, as their data is not stored on the hacked OPM systems.

The intrusion occurred in December 2014, but was first spotted in April 2015, when the OPM was in the process of “aggressively” updating its cybersecurity posture and adding tools and capabilities to its networks.

This effort aimed at securing OPM’s systems and networks came too late. It’s unknown when they started it, but it’s likely a direct consequence of a report that the OPM’s inspector general issued in November 2014.

The report details the many security weaknesses of the OPM’s IT security program, including the facts that eleven major OPM information systems are operating without a valid authorization; the Office does not maintain a comprehensive inventory of servers, databases, and network devices; it does not routinely scan systems for vulnerabilities; it does not adequately monitor all systems; and so on.

The audit was conducted from April to September 2014. In July 2014, it was discovered that OPM’s networks had been penetrated by attackers earlier that year, in March, and that they had access to some of OPM’s databases containing security clearance records.

According to unnamed sources familiar with the investigation, that attack and the most recent one were perpetrated by Chinese hackers. According to iSight Partners, the same attackers also carried out the attacks on Anthem and Premera health insurance providers discovered earlier this year.

Since none of this information has been leaked and used since, the theory is that the Chinese government has hired the attackers to collect all this personal and healthcare information so that it can be used to trick or blackmail US government employees and contractors into cooperating.

Even though the White House hasn’t officially pointed the finger at China, Hong Lei, a spokesman for the Chinese Foreign Ministry, has said the allegations were untrue.

“Hacker attacks are conducted anonymously, across nations, and thus it is hard to track the source. It’s irresponsible and unscientific to make conjectural, trumped-up allegations without deep investigation,” he said.

What is definitely true is that US government networks are under constant attack, and that security measures the various departments and offices have been employing are not enough to keep persistent intruders out.