Blackmail Lists? Bribery? Why Background Check Files Keep Getting Hacked


There is a systemic effort underway by China and other adversaries to crib sensitive data on powerful people and covert operators in Washington, intelligence analysts say.

Newly revealed information about how hackers broke into a company conducting millions of background investigations on national security employees shows the lengths to which attackers are willing to go to steal U.S. secrets.

There is a systemic effort underway by China and other adversaries to crib sensitive data on powerful people and covert operators in Washington, intelligence analysts say. Hacks at employee vetters USIS, KeyPoint, and the Office of Personnel Management, as well as major federal health care provider Blue Cross Blue Shield, are cases in point.

At USIS, cyber snoops deployed spyware custom-designed to capture screenshots only when a background check window was open, according to Stroz Friedberg, a digital forensics firm started by former FBI agent Edward Stroz.

"The attacker installed screen-scrapping malware on systems and specifically configured that malware to grab screen shots only when background investigations-related applications were being displayed on the screen," Stroz Friedberg Managing Director Bret Padres said in a September 2014 letter to USIS' attorneys, which was obtained by Nextgov. USIS is fighting a $1 billion Justice Department lawsuit amid accusations the firm submitted incomplete background checks.

The use of malicious code that only executed under certain circumstances implies the hackers “didn't want to raise alarms," said Richard Barger, chief intelligence officer at ThreatConnect and a former Army intelligence analyst. "Many of those background check systems are very highly audited."

The perpetrators snuck in through a hole in the network of one of the company’s suppliers, according to Stroz’s letter. The compromised network, which stored enterprise resource planning software, was attached to USIS' network. The name of the vendor is not identified in the report.

"The attacker was able to navigate from the third-party-managed environment into the USIS network in late [redacted] by successfully brute-forcing a password on an application server," said Stroz's Padres, referring to a hacking technique that systematically checks all possible passwords. "Once the attacker was able to log in to that server, the attacker installed a malicious backdoor,” an entryway to come and go as often as the intruders pleased.  

Well over 27,000 personnel seeking security clearances likely were affected by the USIS incident, Rep. Elijah Cummings, D-Md., the top Democrat on the House Oversight and Government Reform Committee, said last week.

USIS officials declined to comment beyond what was written in the Stroz forensics analysis. Stroz deferred to USIS.

A Dossier on U.S. Movers and Shakers?

By linking information from government personnel databases and health care databases, interlopers can obtain a window into the family lives of federal employees who might be susceptible to bribery or blackmail, some national security experts say.

The breach of an Anthem health care database last fall affected federal employee subscribers as well as BCBS federal members who aren't covered by Anthem but received BCBS services in a state where Anthem operates.

Anthem says, at this point, there is no indication diagnosis or treatment information was compromised by the attackers.

But “if I know you have a clearance from the USIS breach and I know that maybe your husband or wife has cancer from the Anthem breach, maybe I can approach you and say: 'You work at Langley. You've got access to sensitive information. Maybe if I give you $50,000 a year just to tell me a little bit about what you do, maybe I can eventually convince you to betray your country,'" Barger said, as an example of how medical data could be used to recruit human assets.

Other intelligence specialists say the trespassers certainly had serious financial backing, but would not go so far as to say they were state sponsored.

“Somebody on the other side of this attack had to come into work every day and check on these systems -- and make a decision on when are we going to start being more proactive. That requires people. That requires planning. That requires resources,” said Ron Gula, chief executive officer of Tenable Network Security and a former National Security Agency researcher.

The scenario suggests nation-state involvement but perhaps other well-heeled, tech-savvy entities had reason to want the biographies of valuable U.S. personnel.

"Folks who do classified, cleared work, they are all hurting for people,” Gula said. “Every one of them is trying to get the next cleared cyber genius. They are all competing, and it is very cutthroat.”

(Image via SOMMAI/