In March of 2014 the Office of Personnel Management (OPM) experienced a cybersecurity breach by what would later be identified as threat actors associated with the People’s Republic of China (PRC). 17 months later after a series of inadequate security procedures a report was released indicating that nearly 24 million current and former government employees were exposed in a massive data breach. The breach involved the theft of sensitive records relating to the background investigations for employees and contractors of the federal government who held security clearances. The data stolen included social security numbers, contact details, family information, work history, medical history and other sensitive content.
This report highlights the events leading up to the 2015 report and the failures of the Office of Personnel Management (OPM) during that time period. Other supporting details of the incident are also included to add context and a better understanding of the timeline. Following this section is an analysis of the investigative procedures of the incident. In this section guidance is added as to how the OPM and other investigative authorities could have responded to the attack. If the proposed measures were taken it is likely that the severity of the attack would have at least been mitigated if not avoided altogether.
Office of Personnel Management
The Office of Personnel Management (OPM) is an element of the U.S. federal government that is responsible for various human resource functions. One of these functions is involves the acquisition and storage of personally identifiable information (PII) on members of the federal government who hold security clearances (Office of Personnel Management, n.d.). There are three primary security clearances distributed within the federal government which are confidential, secret and top secret. Members of the government who hold these clearances are exposed to the most sensitive information relative to national security. This includes special access programs and various classified projects that involve matters such as advanced technology with military applications, intelligence sources & methods and current operations all around the world (U.S. Department of State, n.d.).
During the investigative process for receiving a government security clearance a subject is required to provide a multitude of details about their personal life. In order to properly assess the suitability of an individual for security clearance work investigators must learn every aspect of an individuals life. This includes work history, medical history, personal contacts & associations, any history of criminal activity or drug use, contact information, family details and foreign travel history which is all neatly packaged in a form known as an SF-86 (U.S. Department of State, n.d.).
From the standpoint of intelligence operations access to this type of information by an adversary would be a massive victory. This information could be used to develop targeting packages of individuals with access to classified projects for later espionage activities. All of their personal information to include any potential psychological vulnerabilities or opportunities for blackmail and manipulation would be clearly visible for the attackers.
Summary of OPM Data Breach
In March of 2014 the OPM received a series of cyber attacks later to be associated with the People’s Republic of China (PRC). For the reasons described above it is reasonable to assess that the OPM would be a high value target for espionage activity by a foreign intelligence service. The PRC has notoriously directed cyber attacks and other forms of intelligence collection activities toward U.S. government agencies and federal contractors. In this instance the attackers may have conducted one of the most damaging data breaches in U.S. history.
After several internal and external investigations the OPM released a report in July of 2015 stating that almost 24 million people affiliated with the OPM for background investigations and their families had been exposed in the data breach.
The data stolen in this breach contains a multitude of sensitive information on government employees and contractors. This includes current, former and applicants associated with the federal government. In addition to the PII described above the data stolen also included social security numbers (SSN’s), fingerprints, usernames, passwords and more. Here’s a brief statement from the OPM highlighting the scope of the incident, “If you underwent a Federal background investigation in 2000 or afterwards (which occurs through the submission of forms SF-86, SF-85, or SF-85P for either a new investigation or a reinvestigation), it is highly likely that you were impacted by the incident involving background investigations.” (Office of Personnel Management, n.d.).
Analysis of OPM Response
Since the first sign of an intrusion in March of 2014 a cascade of investigations and official reports were made highlighting the general details of the incident. Initially the intrusion detection system (IDS) appear to have stopped the initial attack (The SANS Institute, 2016). Because of this there was no official statement about the cybersecurity incident by the OPM. This is the standard procedure since organizations like this receive dozens of unsuccessful cybersecurity attacks each year. Organizations are generally not required to make statements to the public and to stakeholders unless an actual data breach has occurred. Based on this information we can assess that the OPM did not conduct a thorough enough investigation from the very beginning (U.S. House of Representatives, 2015).
Over the next 17 months after the initial incident various agencies conducted their own investigations of the breach and slowly begin to release details about the compromise. At first the damage was assessed to be in the tens of thousands starting with the United States Investigation Services (USIS). The number of those negatively affected rises to around 400,000 by September of 2014. Various agencies to include the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) launch their own investigations into the incident. As details about the incident are uncovered the true extent of the compromise comes into full picture and the severity of the breach was far greater than all of the previous estimates combined (Fruhlinger, 2020).
Later reporting on the incident discovered in the House Oversight & Government Reform Committee report found that the March 2014 attack did in fact involve a successful breach of the OPM network. This initial attack did not yield any considerable success to the attackers but they did gain access to the network. The hackers we allowed to remain in a quarantined section of the network for monitoring purposes. This type of activity can help authorities better understand their adversary’s tactics and to apply proper attribution for an attack.
It is clear that the security staff at the OPM conducted an inadequate audit of their systems after the initial breach in 2014. It appears that the breach was not quarantined and eradicated properly within the OPM servers. This may have indeed been for counterintelligence purposes however it was not conducted properly as the hackers were able to move laterally through the system, escalating their privileges & access and thus being able to retrieve the sensitive PII. The OPM should have immediately had interagency support working on the matter with the primary objective of safeguarding the highly sensitive data (David Thomas, 2019).
Immediately after the attack an extensive investigation should have been conducted to determine how the attack was carried out, what the severity of the attack was and if possible who conducted the attack. After eradicating the threat from the compromised information systems investigators should have began with a failure mode and effects analysis (FMEA) or fault tree analysis. This would help investigators determine the point(s) of failure in the system that lead to the breach. Work such as this would help the security staff to implement updates and additional security controls to prevent a breach in the future (Creasly, 2013).
Additionally, a forensic audit should have immediately been conducted on various aspects of OPM infrastructure that were compromised. This would include a complete forensics acquisition of compromised information systems, log analysis of the IDS/IPS systems in use, deep packet analysis for network forensics and cloud forensics for OPM partners such as the United States Investigation Services (USIS). Both USIS and KeyPoint Government Solutions conducted background investigation duties for the government. Each of these organizations and others used resources on the OPM servers. These organizations had their own data breaches associated with the OPM breach and all of the were likely related to the same threat actor. Investigative authorities would be able to gain additional insights from investigating the local and cloud based resources associated with these partnerships (Creasly, 2013).
Additionally, reporting appears to be another aspect of this investigation that was delayed. When an organization such as the OPM, a government agency responsible with safeguarding such sensitive information is successfully breached there are reporting procedures that must be implemented. The specifics of this reporting will vary depending on the organization and it is the responsibility of the security officer that oversees that facility. FBI and DHS began their own investigation of the matter but it appears that it was of their own accord. The 2014 breach should have immediately been reported through the proper channels. If this were done quickly the proper Computer Emergency Response Team (CERT) and law enforcement agencies would have been able to respond to the threat much faster. It is possible that this could have mitigated the damage caused by the breach (Creasly, 2013).
The data breach of the Office of Personnel Management is an unfortunate case study that highlights the absolute worst case scenario for a cybersecurity incident. In this instance the hackers not only compromised the systems but were able to steal an unprecedented amount of sensitive data. The damage caused by this attack will likely persist for years to come as there is no way to verify how this data will be weaponized.