Congressional Probe Says OPM Hackers Arrived in 2012 And We Will Never Know What They Took

House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah Susan Walsh/AP

The breaches were avoidable, according to the report.

A new congressional probe into a massive Office of Personnel Management hack reveals the first traces of adversary activity on OPM's network date back to 2012, too far back in time to know what else beyond 21.5 million background check records might have been compromised.

Today, Republicans on the House Oversight and Government Reform Committee released this discovery and other findings from a year-long investigation into the multiyear cyberspy campaign.

"Due to security gaps in OPM's network and a failure to adequately log network activity, the country will never know with complete certainty all of the documents that the attackers exfiltrated from OPM in connection with the breach," states a copy of the 241-page majority staff report Nextgov reviewed.  

The congressional investigation links the breaches to the hacker groups Axiom and Deep Panda, whom security consultants like Novetta and CrowdStrike have tied to the Chinese. Speaking at the American Enterprise Institute this morning, committee chairman Jason Chaffetz didn’t connect the hackers to a specific nation but said the adversaries were outside of the U.S.

“The report doesn’t attribute or attempt to attribute exactly who these nefarious actors were; we do believe the hack came from overseas,” he said.

Only after learning that attackers grabbed security documents offering a road map to OPM's data systems did the agency, in March 2014, start logging traffic in and out of the Personnel Investigations Processing System, according to the report. That tool handles intimate secrets on national security personnel and close contacts filed by individuals who apply for clearances to access classified material.

Network logs are the equivalent of CCTV cameras, so without logs, there's no tape of what happened, explained a committee staffer who spoke on background to Nextgov.

Attackers gained access to OPM's network in July 2012, the report states. That means there is an interval of about 17 months during which the United States likely will never know what data the bad guys touched, the staffer said.

"This breach involved data that included manuals and IT system architecture information, but the full extent of exfiltrated data is unknown," staffers said in the report, also noting the names and last four digits of certain contractor Social Security numbers were stolen.

The report draws extensively on interviews with personnel from multiple agencies and IT support contractors, Homeland Security Department incident response reports and internal government documents, some of which the committee subpoenaed.

The report also colors in the chronology of four separate heists believed to be part of the cyberspy operation: Following the hack of manuals and potentially other unknown data, attackers next copied the background check records in July and August of 2014.

Third, in December 2014, hackers scurried into a connected Interior Department data center holding OPM repositories and retrieved 4.2 million federal personnel records. Finally, less than a month before OPM caught on to the game plan, adversaries sucked out 5.6 million employee fingerprints on March 26, 2015.

"The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known," the congressional investigators said.

Security Missed the Target

After OPM boosted network monitoring in March 2014, visibility improved, but not enough to spot an attacker dropping malware two months later, in May, that would ultimately help steal the background check records, the staffer said.

According to the report, 99 percent of people only needed a password to access OPM networks at the time. The agency was not requiring computer users to present a password and a second form of identification, such as a personal identity verification card, to log into its networks.

"Had OPM leaders fully implemented the PIV card requirement—or two-factor authentication—security controls when they first learned hackers were targeting background investigation data, they could have significantly delayed or mitigated the data breach discovered in 2015," congressional investigators said.

At the top of the committee's 13 recommendations for avoiding another federal mega breach is advice that agencies ensure chief information officers are empowered, accountable and competent. At the AEI event, Chaffetz highlighted how a “zero trust” policy could also prevent future breaches from occurring.

“It doesn’t sound very nice but ‘zero trust’ is something I think the private sector figured out a long time ago, and the federal government is a decade or two behind," he said. "The federal government, at least in its federal information systems, often operates without these hall passes in its crudest form,” he added, referring to hall passes implemented in schools. “Once you get on the other side of the wall, they just believe you. ‘Oh yeah, everyone here is cool.’ That’s not the way it should work.”

In addition to dissecting what happened during the assault, the report describes a history of culture and management problems at OPM dating back to 2005 that influenced events, including a poor IT security record, weaknesses in the agency's ongoing IT modernization project, and clashes between former agency CIO Donna Seymour and the OPM inspector general. Seymour “consistently failed to work with the inspector general to better secure [OPM’s] systems and at times, even was misleading and thwarting the watchdog,” Chaffetz said.

The document also delves into controversies surrounding the roles of contractors CyTech Services and Cylance in aiding incident response.

On Wednesday, OPM officials said the GOP staff report does not fully reflect the progress the agency has made to date.

For example, now users need two forms of identification, not just a password, to log onto OPM systems. The requirement "provides a powerful barrier to our networks from individuals who should not have access," OPM Director Beth Cobert said in a blog post.

Along with technological enhancements, the agency has made management adjustments to tighten information security, she said. There is a new CIO, chief information security officer and senior cybersecurity adviser, among other recent OPM IT leadership hires. Cybersecurity resources are centralized under the CISO, whose sole responsibility is to take the steps necessary to control access to sensitive information, Cobert added.

"The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization," she said. "Throughout this agency, management has embraced cybersecurity as a top priority. I am proud of the way the team at OPM rose to the challenge and appreciate the collaborative spirit with which our partners across government worked—and continue to work—side by side with us each and every day."

The top Democrat on the committee, Rep. Elijah Cummings, D-Md., told fellow minority members he could not support the Republican analysis because it assigns blame improperly.

In particular, the report downplays evidence indicating private vendors, not just OPM employees, were players in the lead-up to the breaches.

"The OPM breach was achieved using credentials taken from one of OPM's contractors to disguise its initial movements" into the agency's network, Cummings pointed out in a 21-page memo to committee Democrats on Tuesday.

The report unfairly criticizes Seymour, whom Chaffetz had demanded resign even before the investigation started, Cummings added. Seymour resigned in February, after Chaffetz had called for her ouster at least five times, Cummings said.

"The Republican staff report fails to adequately address federal contractors and their role in federal cybersecurity," Cummings said. "The most significant deficiency uncovered during the committee's investigation was the finding that federal cybersecurity is intertwined with government contractors, and that cyber requirements for government contractors are inadequate."

Camille Tuutti contributed reporting.