Did Chinese hackers use an OPM audit to steal 4 million US federal employee records?

The US government has accused Chinese hackers of stealing four million federal employee records from the Office of Personnel Management (OPM) - yet it could have provided the attackers with the perfect handbook for carrying out the breach.

The US government has accused China of being behind one of, if not the, largest cybersecurity breaches in the country's history - but how did hackers gain access to such sensitive information?

The OPM may not be the best known US government agency, but it is one of the most important as it handles the security clearances and employee records for every federal agency including the Department of Homeland Security (DHS), National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). It probably has Barack Obama's social security number on file.

The US government has blamed Chinese hackers for the breach; the FBI is investigating the matter; the DHS "is continuing to monitor federal networks for any suspicious activity"; and the OPM says that all 4 million people affected by the breach will get 18 months of credit monitoring from CSID.

Essentially, everyone is scrambling to cover themselves after one of the most high profile and embarrassing security breaches in US history.

While we won't deal with the attribution question in detail here, well-known security expert Nicholas Weaver put it best when he said:

China, for its part, has given an official response which falls just short of outright denial of the accusations, saying that "jumping to conclusions and making hypothetical accusation is not responsible and counterproductive".

How did the hackers break-in?

Whoever was behind the attack, the question remains: how could the US government have allowed such a huge amount of sensitive data be stolen?

Ironically, the answer could come from the US government itself, who carried out an audit of the OPM's information security management which was published last November and revealed an alarming list of issues and shortcomings in the agency's systems.

The report, which could act like a playbook for any hackers looking to breach the security of the OPM, lists 11 major issues with the way the agency deals with cybersecurity.

This includes "11 major OPM information systems operating without a valid authorisation" which "represents a material weakness in the internal control structure of OPM's IT security program".

The report goes on to say: "The drastic increase in the number of systems operating without a valid authorisation is alarming."

The auditors were unable to obtain "tangible evidence that vulnerability scans have been routinely conducted for all OPM servers" - the servers on which the four million stolen records were stored.

One of the most worrying conclusions of the report was that OPM does not maintain "a comprehensive inventory of servers, databases, and network devices" and those conducting the research were "unable to independently attest that OPM has a mature vulnerability scanning program".

Red flag

In and of itself the report would not have given hackers a way in to the OPM system, but the alarming problems reported would have made the agency an appealing target for any group looking to breach the US government.

Add to this the fact that compared to other US industries, the US government servers are widely known to have the "highest prevalence of easily-exploitable vulnerabilities such as SQL injection and cross-site scripting" - according to security company Veracode - and the problems faced by those looking to protect the country's most sensitive information are clear.

Veracode's Chris Wysopal added that the US government's servers use the outdated Cold Fusion programming language - which is known to produce more vulnerabilities - than any other industry.

"In the context of the US government's current focus on cybersecurity, this attack on the Office of Personnel Management is clearly damaging to public confidence in the safe-keeping of their most sensitive personal data, and opens the way for more fraud. Yet again, the scale of the data breach is shocking," Dave Palmer from security company Darktrace said.

Detection

While there is a breach detection system in place - called Einstein - and it did flag up the problem, considering that four million records were stolen, either no one noticed the alarm or the breach was detected far too late.

While it is pure speculation at this point, the most likely point of entry was through social engineering, with the hackers likely using personal details stolen in previous attacks, such as the Target breach in 2014.

Having gained access to the network, the 2014 audit has shown us that the security measures in place were far from ideal and it is therefore no surprise that such a huge amount of sensitive data could have been stolen.

As TK Keanini from Lancope points out, given the scale of this attack and previous ones, China may now have the upper hand:

"It does not take a security expert to see a pattern taking place here. Most of the attacks allegedly from China have all gone after the personal information of US citizens in the past few years and there is no sign that this trend will diminish. It is fair to assume at this point that they have more accurate information on US citizens than US has on its citizens."

And the problems are unlikely to end here for the US government. As Mark Bower from HP Security Voltage points out, the information stolen in this breach will simply be recycled to penetrate even deeper into the US government:

"Theft of personal and demographic data allows one of the most effective secondary attacks to be mounted: direct spear-phishing to yield access to deeper system access, via credentials or malware thus accessing more sensitive data repositories as a consequence."