The congressional investigation into the hacking of the US Office of Personnel Management has shown how a cascade of stupidity that allowed not one but two hackers access to critical government secrets.
The 227-page report [PDF] details how two hacking teams, both thought to be state-sponsored groups from China, managed to swipe paperwork for security background checks on 21.56 million individuals – including the fingerprint records for 5.6 million of them – and the personnel files of 4.2 million former and current US government employees.
Those stolen documents essentially contained chapter and verse on the lives of millions of Americans who have or had access to sensitive government materials – a goldmine for foreign hackers to target.
The infiltrations, carried out between 2012 and early 2015, were so severe and wide-ranging that they forced the resignation of the then-head of the OPM Katherine Archuleta and the creation of a new agency, the National Background Investigations Bureau (NBIB), to carry out sensitive background checks and to keep the information secure.
The OPM had been warned repeatedly by government inspectors since 2005 that its IT systems weren't secure. In 2012, US-CERT warned the department that the Hikit malware was operating on its servers. Late the following year, it also found evidence that one or more hackers were active on those servers.
CERT warned again in March of 2014 that a hacker had managed to get information out of the OPM servers – primarily computer network specifications and IT administrator files. This set off warning signals, since – as the head of the NSA's hacking squad contends – this is the first stage of any serious hacking attack.
The two organizations hatched a plan to get rid of the hackers in an operation called Big Bang. They kept a close eye on what the intruders were doing and – when the attackers loaded a keylogger onto several machines used by people with access to sensitive servers – moved in for the kill on May 27 by shutting down servers and scrubbing the infected machines.
Unfortunately, a second hacker was already loose on the system and hadn't been spotted. Later analysis showed the attacker got into the OPM's servers by stealing the credentials of one of its contractors. Because two-factor authentication wasn't required, this gave free access to the agency's servers and the hacker installed the PlugX malware.
In July, the OPM went public with the news that it had been attacked, but said that only computer manuals had been stolen and no personal information was missing. But in December, the second attacker managed to download 4.2 million personnel files from the OPM's servers and stashed them online.
Around March 26 the hackers came back, this time taking millions of fingerprint files and other data. In mid-April a contractor notified his bosses that there were unusual types of traffic on the network, and the agency hired security firm Cylance to have a look around. Cylance's scanning tool "lit up like a Christmas tree" when it found the servers laced with malware.
A week later, the OPM informed Congress that a major hack had taken place – which it is required to do by law – and quarantined its servers the day afterwards. It was only when a full forensic investigation was carried out that the true extent of the theft became apparent and the shit hit the fan.
The report said that the initial attack was executed by a group called Axiom Threat Actor Group (the only hacking group to use Hikit) and the second by a team called Deep Panda – who are thought to be linked to the Anthem data theft carried out the same year. Both have links with the Chinese government and it's possible they coordinated their attacks.
They were also comedians – two domains were set up to channel the attacks and these were registered to Tony Stark (Iron Man), Steve Rogers (Captain America), and Natasha Romanoff (Black Widow). The visual effects director of the movie Iron Man was also referenced.
The report recommends that the OPM and other government departments hire CIOs who know what they are doing, and tie them into multiyear contracts so they can get stuff done. They need to introduce a "zero trust" regime on OPM's servers – meaning those inside the firewall are treated with the same caution as those outside.
Other recommendations include better authentication controls (well, duh), investing in better security systems, and increasing the amount it pays security staff, so that it can get the best talent and improved training for staff. ®