recommended reading

OPM Hackers Skirted Cutting-Edge Intrusion Detection System, Official Says

Andrea Danti/

When attackers compromised a federal personnel system holding records on up to 4 million current and former employees, the files were in an Interior Department data center equipped with the most up-to-date version of a governmentwide intrusion detection tool, a government official with knowledge of the center at the time said Friday. 

But that tool, called EINSTEIN 3, would not have been able to catch a threat that has no known footprints, according to multiple industry experts.  

The malicious software used to compromise an Office of Personnel Management system in December reportedly had never been seen before and carried no indicators of compromise, or "signatures." 

OPM detected an intrusion in April, the agency disclosed Thursday. The incident marks the fourth publicly known network penetration of an organization maintaining files on federal employees with access to classified secrets, in the past year.

It is unclear who discovered the distinctive characteristics of the malware and other tactics used. What's known is that, according to the Department of Homeland Security, once those signatures were captured, they were fed into DHS' EINSTEIN 3, the governmentwide tool that over the past year gained the capability to block attacks, too.

Ultimately, in May, DHS determined the intrusion successfully breached sensitive job-related data on millions of military, civilian and retired federal personnel, according to Homeland Security. An FBI investigation is ongoing.

The mammoth hack, surprisingly, demonstrates that swapping tips about threats can prevent inevitable attacks -- like this one by a suspected well-funded group -- from accelerating. Some observers say EINSTEIN and complementary OPM-managed continuous monitoring tools that noticed a network penetration eventually detected activity that otherwise could have gone on for years.

The timing of the infiltration coincides with a tense congressional debate over information-sharing legislation that would exchange signatures of malicious campaigns among industry and government. Critics say the measures could expose personal information caught up in network traffic and let companies off the hook for being hacked. 

EINSTEIN is No Cure-All, Experts Say

EINSTEIN 3 was deployed on all Internet connections at the Interior "shared services" data center, which facilitates payroll, financial management and contracting for about 20 agencies, according to the government official. The person would only speak on the condition of anonymity because of the sensitivity of the investigation.

The OPM system was segregated, physically in its own enclave inside the Interior center, the official said.

Typically, each agency is responsible for adding more layers of protection to their individual systems, such as login verification, agency-specific network intrusion-detection systems, and testing for holes a hacker can enter through. 

Interior Department officials said in a statement they "continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect agency, customer and employee data." Interior has a "multipronged remediation strategy to prevent, detect and act against malicious activity on our network in order to respond and recover following an incident," officials added.

The estimated $3 billion EINSTEIN system is not a cure-all for well-funded campaigns insistent on breaching federal networks, according to security experts.

The tool only looks at the traffic coming into the network as it traverses the Internet service provider, said Ron Gula, chief executive officer of Tenable Network Security, a major contractor for agencies that perform continuous monitoring. DHS is offering all agencies sensors, consulting services and other network surveillance tools under a $6 billion contract.

"The fact that EINSTEIN saw the attack or observed the network traffic from a long time ago is different from the fact that it was recognized as an attack only recently," he said. Essentially, EINSTEIN cannot act as a real-time detection system unless it knows the specific malware exists in the world. 

"At the end of the day, I actually give the federal government high marks for detecting this and reporting it," Gula said. "It was caught relatively quickly. The reality is, you are not going to keep out all intruders. It's not a reasonable expectation in today's day and age." 

At Least They Didn’t Reach NASA, Like Last Time

And the situation might have been even more detrimental had it happened a decade ago, when Interior first began handling payrolls for other agencies

"I remember us being able to go into NASA's data on astronauts through Interior's payroll center and it was rather bizarre," said a former Interior Inspector General Office employee, who was testing for network holes at the time. "Back then, it was like a knife going through butter to get into the center.”

The retired official spoke on the condition of anonymity because of the national security ramifications of the situation. 

"We had no problems getting into the Interior payroll system, and then once we were in the Interior payroll system, we were in to all the shared services systems," the former official said. "That's the danger of any department that does shared service work."

In another instance, the worker played the part of a black hat hacker to convince the department security was lacking.

“I knew that the CIO would deny that we were able to get in the payroll system because that was his baby, and so what I did was we got into the payroll system and I moved the secretary's check," the official said. "We, of course, gave her the paycheck back.”

The former IG employee then recommended continuous monitoring. Today, the retiree says, "I'm really confident that they've got a better-than-average-system, but obviously, it cannot sustain a country-sponsored attack.”

(Image via Andrea Danti/

Threatwatch Alert

Network intrusion

Florida’s Concealed Carry Permit Holders Names Exposed

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.