The technology, EINSTEIN 3, is not designed to catch malware that has never been seen before, experts say.
When attackers compromised a federal personnel system holding records on up to 4 million current and former employees, the files were in an Interior Department data center equipped with the most up-to-date version of a governmentwide intrusion detection tool, a government official with knowledge of the center at the time said Friday.
But that tool, called EINSTEIN 3, would not have been able to catch a threat that has no known footprints, according to multiple industry experts.
The malicious software used to compromise an Office of Personnel Management system in December reportedly had never been seen before and carried no indicators of compromise, or "signatures."
OPM detected an intrusion in April, the agency disclosed Thursday. The incident marks the fourth publicly known network penetration in the past year of an organization maintaining files on federal employees with access to classified secrets.
It is unclear who discovered the distinctive characteristics of the malware and other tactics used. What's known is that, according to the Department of Homeland Security, once those signatures were captured, they were fed into DHS' EINSTEIN 3, the governmentwide tool that over the past year gained the capability to block attacks, too.
Ultimately, in May, DHS determined the intrusion successfully breached sensitive job-related data on millions of military, civilian and retired federal personnel, according to Homeland Security. An FBI investigation is ongoing.
The mammoth hack, surprisingly, demonstrates that swapping tips about threats can prevent inevitable attacks -- like this one by a suspected well-funded group -- from accelerating. Some observers say EINSTEIN, together with the complementary OPM-managed continuous monitoring tools that noticed the penetration, eventually detected activity that otherwise could have gone on for years.
The timing of the infiltration coincides with a tense congressional debate over information-sharing legislation that would exchange signatures of malicious campaigns among industry and government. Critics say the measures could expose personal information caught up in network traffic and let companies off the hook for being hacked.
EINSTEIN is No Cure-All, Experts Say
EINSTEIN 3 was deployed on all Internet connections at the Interior "shared services" data center, which facilitates payroll, financial management and contracting for about 20 agencies, according to the government official. The person would only speak on the condition of anonymity because of the sensitivity of the investigation.
The OPM system was segregated, physically in its own enclave inside the Interior center, the official said.
Typically, each agency is responsible for adding more layers of protection to its own systems, such as login verification, agency-specific network intrusion-detection systems, and testing for holes a hacker could enter through.
Interior Department officials said in a statement they "continue to be vigilant to ensure that necessary security measures are in place to further strengthen and protect agency, customer and employee data." Interior has a "multipronged remediation strategy to prevent, detect and act against malicious activity on our network in order to respond and recover following an incident," officials added.
The estimated $3 billion EINSTEIN system is not a cure-all for well-funded campaigns insistent on breaching federal networks, according to security experts.
The tool only looks at the traffic coming into the network as it traverses the Internet service provider, said Ron Gula, chief executive officer of Tenable Network Security, a major contractor for agencies that perform continuous monitoring. DHS is offering all agencies sensors, consulting services and other network surveillance tools under a $6 billion contract.
"The fact that EINSTEIN saw the attack or observed the network traffic from a long time ago is different from the fact that it was recognized as an attack only recently," he said. Essentially, EINSTEIN cannot act as a real-time detection system unless it knows the specific malware exists in the world.
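As an added illustration, not code from the article, DHS or Tenable, the following simplified Python model shows the point Gula makes: a signature-only sensor raises no inline alert for traffic it has no indicator for, but because it retains what it observed, feeding in newly captured indicators both blocks further traffic and reveals how long the earlier activity went unnoticed. The sensor, the flows, the domain names and the payload hashes are all constructed for the example; this is not a model of EINSTEIN 3's actual internals.

```python
"""Constructed model: inline signature matching plus retrospective search over retained flows."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    day: int            # day the flow crossed the boundary (constructed timeline)
    dst: str            # destination host (constructed, not a real domain)
    payload_hash: str   # placeholder hash of a payload seen in the flow (constructed)


@dataclass
class SignatureSensor:
    """Inline sensor that only recognizes indicators it has already been given."""
    indicators: set = field(default_factory=set)
    retained: list = field(default_factory=list)  # what the sensor saw, alert or not

    def matches(self, flow: Flow) -> bool:
        return flow.dst in self.indicators or flow.payload_hash in self.indicators

    def observe(self, flow: Flow) -> bool:
        """Record the flow and report whether it would be blocked right now."""
        self.retained.append(flow)
        return self.matches(flow)

    def add_indicators(self, new_indicators) -> None:
        """Feed in signatures captured later, e.g. from an incident investigation."""
        self.indicators |= set(new_indicators)

    def retrospective_hits(self) -> list:
        """Re-check retained flows against the current indicator set."""
        return [f for f in self.retained if self.matches(f)]


def run_scenario() -> dict:
    sensor = SignatureSensor(indicators={"known-bad.example"})
    # Constructed timeline: a never-seen implant beacons to a new domain from day 1.
    traffic = [
        Flow(1, "update.example", "hash-benign"),
        Flow(1, "new-c2.example", "hash-unknown"),
        Flow(30, "new-c2.example", "hash-unknown"),
        Flow(60, "known-bad.example", "hash-known"),
    ]
    inline_alerts = [(f.day, f.dst) for f in traffic if sensor.observe(f)]
    # Day 90: indicators for the campaign are discovered and pushed to the sensor.
    sensor.add_indicators({"new-c2.example", "hash-unknown"})
    blocked_now = sensor.observe(Flow(90, "new-c2.example", "hash-unknown"))
    hits = sensor.retrospective_hits()
    first_seen = min(f.day for f in hits if f.dst == "new-c2.example")
    return {"inline_alerts": inline_alerts, "blocked_after_update": blocked_now,
            "dwell_days": 90 - first_seen, "retro_hits": len(hits)}
```

The inline pass alerts only on the already-known domain; the retrospective pass, run after the new indicators arrive, shows the unknown implant had been beaconing for 89 days.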
"At the end of the day, I actually give the federal government high marks for detecting this and reporting it," Gula said. "It was caught relatively quickly. The reality is, you are not going to keep out all intruders. It's not a reasonable expectation in today's day and age."
At Least They Didn’t Reach NASA, Like Last Time
And the situation might have been even more detrimental had it happened a decade ago, when Interior first began handling payrolls for other agencies.
"I remember us being able to go into NASA's data on astronauts through Interior's payroll center and it was rather bizarre," said a former Interior Inspector General Office employee, who was testing for network holes at the time. "Back then, it was like a knife going through butter to get into the center."
The retired official spoke on the condition of anonymity because of the national security ramifications of the situation.
"We had no problems getting into the Interior payroll system, and then once we were in the Interior payroll system, we were in to all the shared services systems," the former official said. "That's the danger of any department that does shared service work."
In another instance, the worker played the part of a black hat hacker to convince the department security was lacking.
"I knew that the CIO would deny that we were able to get in the payroll system because that was his baby, and so what I did was we got into the payroll system and I moved the secretary's check," the official said. "We, of course, gave her the paycheck back."
The former IG employee then recommended continuous monitoring. Today, the retiree says, "I'm really confident that they've got a better-than-average system, but obviously, it cannot sustain a country-sponsored attack."