
U.S. Government Suffers Massive Cyberattack


The U.S. Office of Personnel Management (OPM) is reporting a cybersecurity incident that affects its systems and data. The breach may have compromised the personal information of 4 million current and former federal workers.

“Within the last year, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks,” according to a statement on the government site. “As a result, in April 2015, OPM became aware of the incident affecting its information technology systems and data that predated the adoption of these security controls.”


OPM is working with the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), and the Federal Bureau of Investigation to determine the impact. OPM is offering affected individuals 18 months of credit monitoring services and identity theft insurance at no cost.

Although it’s unclear where the hack originated, Republican Senator Susan Collins, a member of the Senate Intelligence Committee, said, “While we still do not know for certain who is behind this attack, it has the hallmarks of a sophisticated attack, and we know there are countries who currently possess the capabilities to conduct such an attack, including Russia, China, and Iran.”

Direct Spear Phishing

We turned to Mark Bower, Global Director of Product Management at HP Security Voltage, to get his thoughts on the breach. He told us the theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear phishing to gain deeper system access via credentials or malware, and thereby reach more sensitive data repositories.

“These attacks, now common, bypass classic perimeter defenses and data-at-rest security and can only realistically be neutralized with more contemporary data-centric security technologies adopted already by the leaders in the private sector,” Bower said. “Detection is too late. Prevention is possible today through data de-identification technology.”


But why is this attack especially significant? Beyond spear phishing, knowing detailed personal information past and present creates possible cross-agency attacks given the job history data that appears to be in the mix, Bower said.

“It’s likely this attack is less about money, but more about gaining deeper access to other systems and agencies which might even be defense or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft,” he said.

A Blasé Response?

Richard Blech, CEO of digital security solutions firm Secure Channels, told us this breach should give all citizens massive concern despite the fact that the OPM seems a “tad blasé” about how it used new tools to discover the hack.

“The new tools cannot be very good if it takes four months to find out you have been breached,” Blech said. “The speed and velocity that stolen data proliferates through the hacker black market means that said data has already been exploited.”

Blech said that the high value data OPM holds should have all been deeply encrypted. OPM’s new tools that are detecting and alerting mean nothing if the data is still stolen. The goal is to leave data useless to the hacker when it’s stolen.

A Repeat Performance?

Igor Baikalov, chief scientist at security analytics firm Securonix, told us the annual OPM hackathon is on. For the second year in a row, Chinese hackers seem to be in the lead. Just like a year ago, the breach at OPM was discovered in the spring, announced in the summer, but apparently had been going on since the previous winter, he said.

And just like a year ago, DHS Einstein identified the hack, although this time it took over 4 million records to get noticed; apparently, even an automated intrusion detection system suffers from breach fatigue, he said. Also just like a year ago, the agency said it is working aggressively to assess the impact, to notify and offer credit monitoring to millions of victims, and to continue protecting its federal employee data from malicious cyberincidents, Baikalov said.

“The only difference from last year is that now the Pentagon has a new cyberstrategy that specifically calls out retaliation as a viable cyber option not only in response to an attack, but also as a principal factor of deterrence,” Baikalov said. “Are we ready to explore it?”

Craig Kensek:

Posted: 2015-06-05 @ 3:36pm PT

I would imagine any firm offering an APT solution is calling the government, again, with HP offering up FireEye as someone they partner with. The question is, what did the government have in place, if anything, and are they utilizing it correctly? High tech retaliation (not going as far as ‘extreme prejudice’) is in order.
