China is fending off accusations it was behind the theft of personal dossiers on four million US government workers – some of whom had applied for or were granted security clearances.
China's foreign ministry spokesman Hong Lei told NBC News: "We hope the United States could discard this kind of suspicion and stop groundless accusations."
On Thursday, the US Office of Personnel Management (OPM) confirmed that hackers broke into its servers. A data center in Denver was compromised, we're told, which resulted in the loss of personal information on four million current and former employees; the records could date back as far as 1985.
Anonymous US officials, talking to Bloomberg, believe that the attack came from within China, and was intended to gather sensitive information on well-placed staff for blackmail and bribery purposes. That intelligence could include interviews with the friends and families of government workers who had applied for security clearances, we're told.
And, of course, an audit of the office's network should have set off alarm bells
Perhaps Uncle Sam should get a grip on its network security before pointing the finger of blame at other countries: an audit [PDF] carried out in November last year noted that the "OPM does not maintain a comprehensive inventory of servers, databases, and network devices."
"You can't defend yourselves well if you don't know what systems you have and where your data is," Richard Bejtlich of infosec biz FireEye bluntly told the Washington Post this afternoon.
The Office of Personnel Management was not running "mature vulnerability scanning" software, or at least none the auditors could find. However, even if it was, that may not have helped: according to the FBI, whoever infiltrated the OPM exploited a zero-day flaw to get into the network. That zero-day could have helped the hackers tiptoe around the US government's intrusion-detection system dubbed EINSTEIN 3 [PDF].
The OPM canceled an IT "modernization [plan] plagued by management weaknesses" in 2013. The office was found by auditors to be hooked up to the systems of 400 federal agencies, and relied on old COBOL code in places – a complete mess, in other words.
The OPM said it would be notifying those whose data was accessed, via e-mail or postal mail next week. The agency is offering 18 months of identity-theft protection and credit monitoring services for those who have had their personal details lifted.
The cyber-break-in was first noticed when the agency was in the middle of updating its IT security systems. The agency did not say when the attack is believed to have occurred.
The FBI is investigating the intrusion, though even if the attacks can be traced back to China, officials may not be able to prove the attacker was physically located in China (rather than running traffic through a proxy) and was working with the backing of the Chinese government. ®