Heading into the weekend, we learned the Chinese hackers who hit the Office of Personnel Management had a whole year to root around in the security clearance database. Now we find out they were “root” while they were doing it.
The New York Times delivers news that will chill the bones of anyone who knows anything about system administration:
Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems, two senior administration officials said. The hackers began siphoning out a rush of data after constructing what amounted to an electronic pipeline that led back to China, investigators told Congress last week in classified briefings.
Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage. The hackers’ ultimate target: the one million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.
“This was classic espionage, just on a scale we’ve never seen before from a traditional adversary,” one senior administration official said. “And it’s not a satisfactory answer to say, ‘We found it and stopped it,’ when we should have seen it coming years ago.”
This is catastrophic news, because it means the hackers had access to pretty much everything at the incompetently-managed OPM.
It’s amazing to watch agency officials sleepwalk through congressional hearings with a hey, whaddaya gonna do? attitude, secure in the knowledge nobody ever faces consequences for failure in the Obama Administration, when the damage is this breathtaking. (The NYT article has a few lowlights from those hearings, including Democrats losing their cool with hapless OPM director Katherine Archuleta and describing her agency as seeming like “deer in the headlights.”)
Not only has the American human intelligence system been disastrously compromised around the world, but back here at home, the intel community is going to be playing defense for years to come, worried sick about how many government employees with security clearances might have been approached for recruitment or blackmail by China and its allies.
Administrator privileges for the hackers as they wander through the outrageously insecure OPM data wonderland also means the risk of secondary penetration is higher – the hackers might have begun tunneling into every system OPM touched, which means just about every system.
The Administration is scrambling to figure out which of its other organs might have been targeted by the intruders. It’s a long list, as the Times notes that an audit last year “harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission — and the Department of Homeland Security, which has responsibility for securing the nation’s critical networks.”
The NYT recalls Nuclear Regulatory Commission employees getting in trouble for leaving vital information lying around on unsecured network drives and laptop computers they actually managed to lose track of, while IRS employees have been known to use passwords such as “password,” the SEC had some completely unprotected components in its system, and auditors managed to penetrate what passes for security at the Department of Education (chock full of personal information from millions of student loan applicants!) without breaking a sweat.
The New York Times confirms something I’ve been saying since Day One of this crisis: the incredibly valuable trove of data stolen by these hackers has never been posted for sale on the black market, meaning the thieves are leaving tens or hundreds of millions of dollars on the table. That strongly suggests this was a state-sponsored intelligence operation, conducted with an eye toward fueling both human-intelligence efforts and further hacking attacks.
The tactics used by the hacking crew could prove effective at any of the vulnerable agencies mentioned by the New York Times. We’ve learned previously that they had some valid user names and passwords for the OPM system, which could have been gleaned through some combination of human intelligence (i.e. a Chinese agent getting valid user credentials from sources in the U.S. government, or possibly even Chinese agents working for the OPM as contractors) and “phishing,” the practice of using malware spread by email and phony websites to harvest passwords from unsuspecting targets.
On Sunday, Reuters published a look at the enigmatic crew believed to be behind the OPM hack, and attacks using similar methods on targets such as the Anthem health insurance company. Known by a variety of designations to cyber-security experts – PinkPanther, KungFu Kittens, Group 72, Deep Panda, Shell Crew – they’re more subtle than the regular Chinese People’s Liberation Army hacking crew, which has been robbing U.S. industry blind of intellectual property for years.
The Shell Crew has a fondness for using compromised email accounts to blast out emails laced with malware, including a rare virus strain known as “Sakula,” designed to harvest a rapidly snowballing pile of data from a string of users. They’ve been known to employ brute-force hacking methods to gain initial access to a system, but once they’re inside, they love nothing better than to bombard the employees and associates of a penetrated operation with emails, purportedly from trusted sources, that trick them into clicking links to virus-delivery websites. For example, if they got into Hillary Clinton’s illegal, insecure email server, the people on Clinton’s email list would begin receiving correspondence that looked like it came from the former Secretary of State, but was actually bait to lure the users into the Shell Crew’s clutches.
They’ve also set up some “watering hole” attacks, in which a phony website that looks very much like a legit site, with an address very similar to what a legit site would use, is packed full of malware and set like a mousetrap for unsuspecting users.
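A defender-side illustration of the "address very similar to what a legit site would use" point above: an added example (not code from the article or from any agency) that scans constructed web-proxy log lines for destination hosts that imitate a small, hypothetical list of legitimate domains, using homoglyph normalization, edit distance and a prefix check for lookalikes that embed the real name as a subdomain.

```python
from urllib.parse import urlsplit

# Hypothetical list of an organization's legitimate domains (placeholder values, not OPM's).
LEGIT_DOMAINS = {"opm.gov", "doi.gov", "login.opm.gov"}

# Digits commonly swapped in for letters so a lookalike address passes a quick glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Lower-case, undo digit-for-letter swaps, and collapse 'rn'->'m', 'vv'->'w'.
    Note: this can also mangle honest names containing 'rn', so treat hits as triage leads."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, legit=LEGIT_DOMAINS, max_dist=2):
    """Return the legitimate domain this host imitates, or None if it is legit or unrelated."""
    if domain in legit or any(domain.endswith("." + l) for l in legit):
        return None  # the real domain or a genuine subdomain of it
    norm = normalize(domain)
    for l in legit:
        # three lookalike patterns: homoglyph twin, near-miss spelling, real name as a prefix label
        if norm == l or edit_distance(norm, l) <= max_dist or norm.startswith(l + "."):
            return l
    return None


def find_lookalikes(log_lines, legit=LEGIT_DOMAINS):
    """Scan constructed proxy lines ('timestamp user url') and return (user, host, imitated) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        target = lookalike_of(host, legit)
        if target:
            hits.append((parts[1], host, target))
    return hits


# Constructed sample log lines; the hosts are illustrative, not real indicators.
LOGS = [
    "2015-06-19T10:01:02 jdoe https://login.opm.gov/portal",
    "2015-06-19T10:03:17 jdoe https://0pm.gov/portal",
    "2015-06-19T10:05:40 asmith http://opm.gov.evil.example/sf86",
    "2015-06-19T10:07:55 asmith https://www.example.com/news",
    "2015-06-19T10:09:12 bwong https://oprn.gov/login",
]
```

With very short legitimate domains an edit-distance threshold of 2 will flag unrelated names too (e.g. a near neighbour of "doi.gov"), so tune the threshold per domain and use the output to prioritize review rather than as a verdict.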
The Reuters article notes that Shell Crew operations usually take place in two stages: an exploratory or reconnaissance stage, in which the hackers check out the penetrated system, get a feel for what kind of data it contains, and put a high priority on avoiding detection, followed by a more active raiding stage where they begin stealing large amounts of data, seemingly after they’ve consulted with some other authority and been given a shopping list of what to take.
They don’t usually get to take such a huge amount of information, because as soon as the targets suspect they have been compromised, they roll through standard security precautions such as resetting firewalls and requiring all users to change their passwords. Phishing attacks are normally conducted on a tight timetable… but not at the OPM, where the staggering incompetence of this Administration gave the hackers all the time in the world to take whatever they wanted, and set up any additional operations they pleased. Is it possible to believe additional operations using the pilfered OPM data, especially that juicy security clearance info, aren’t already in progress… or possibly even completed?