Congressional Probe Says OPM Hackers Arrived in 2012 And We Will Never Know What They Took

House Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah (photo: Susan Walsh/AP)

The breaches were avoidable, according to the report.

A new congressional probe into a massive Office of Personnel Management hack reveals the first traces of adversary activity on OPM's network date back to 2012, too far back in time to know what else beyond 21.5 million background check records might have been compromised.

Today, Republicans on the House Oversight and Government Reform Committee released this discovery and other findings from a year-long investigation into the multiyear cyberspy campaign.

"Due to security gaps in OPM's network and a failure to adequately log network activity, the country will never know with complete certainty all of the documents that the attackers exfiltrated from OPM in connection with the breach," states a copy of the 241-page majority staff report Nextgov reviewed.  


The congressional investigation links the breaches to the hacker groups Axiom and Deep Panda, whom security consultants like Novetta and CrowdStrike have tied to the Chinese. Speaking at the American Enterprise Institute this morning, committee chairman Jason Chaffetz didn’t connect the hackers to a specific nation but said the adversaries were outside of the U.S.

“The report doesn’t attribute or attempt to attribute exactly who these nefarious actors were; we do believe the hack came from overseas,” he said.

Only after learning that attackers had grabbed security documents offering a road map to OPM's data systems did the agency, in March 2014, start logging traffic in and out of the Personnel Investigations Processing System, according to the report. That system holds the intimate personal details that clearance applicants file about themselves and their close contacts when seeking access to classified material.

Network logs are the equivalent of CCTV cameras, so without logs, there's no tape of what happened, explained a committee staffer who spoke on background to Nextgov.

Attackers gained access to OPM's network in July 2012, the report states. That means there is an interval of about 17 months during which the United States likely will never know what data the bad guys touched, the staffer said.

"This breach involved data that included manuals and IT system architecture information, but the full extent of exfiltrated data is unknown," staffers said in the report, also noting the names and last four digits of certain contractor Social Security numbers were stolen.

The report draws extensively on interviews with personnel from multiple agencies and IT support contractors, Homeland Security Department incident response reports and internal government documents, some of which the committee subpoenaed.

The report also colors in the chronology of four separate heists believed to be part of the cyberspy operation: Following the hack of manuals and potentially other unknown data, attackers next copied the background check records in July and August of 2014.

Third, in December 2014, hackers scurried into a connected Interior Department data center holding OPM repositories and retrieved 4.2 million federal personnel records. Finally, less than a month before OPM caught on to the game plan, adversaries sucked out 5.6 million employee fingerprints on March 26, 2015.

"The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known," the congressional investigators said.

Security Missed the Target

After OPM boosted network surveillance in March 2014, visibility increased, but not enough to catch an attacker dropping malware two months later, in May, that would ultimately help steal the background check records, the staffer said.

According to the report, 99 percent of users needed only a password to access OPM networks at the time. The agency was not requiring computer users to present a second form of identification, such as a personal identity verification card, in addition to a password when logging into its networks.

"Had OPM leaders fully implemented the PIV card requirement—or two-factor authentication—security controls when they first learned hackers were targeting background investigation data, they could have significantly delayed or mitigated the data breach discovered in 2015," congressional investigators said.

At the top of the committee's 13 recommendations for avoiding another federal mega breach is advice that agencies ensure chief information officers are empowered, accountable and competent. At the AEI event, Chaffetz highlighted how a “zero trust” policy could also prevent future breaches from occurring.

“It doesn’t sound very nice but ‘zero trust’ is something I think the private sector figured out a long time ago, and the federal government is a decade or two behind," he said. "The federal government, at least in its federal information systems, often operates without these hall passes in its crudest form,” he added, referring to hall passes implemented in schools. “Once you get on the other side of the wall, they just believe you. ‘Oh yeah, everyone here is cool.’ That’s not the way it should work.”

In addition to dissecting what happened during the assault, the report describes a history of culture and management problems at OPM dating back to 2005 that influenced events, including a poor IT security record, weaknesses in the agency's ongoing IT modernization project, and clashes between former agency CIO Donna Seymour and the OPM inspector general. Seymour “consistently failed to work with the inspector general to better secure [OPM’s] systems and at times, even was misleading and thwarting the watchdog,” Chaffetz said.

The document also delves into controversies surrounding the roles of contractors CyTech Services and Cylance in aiding incident response.

On Wednesday, OPM officials said the GOP staff report does not fully reflect the progress the agency has made to date.

For example, now users need two forms of identification, not just a password, to log onto OPM systems. The requirement "provides a powerful barrier to our networks from individuals who should not have access," OPM Director Beth Cobert said in a blog post.

Along with technological enhancements, the agency has made management adjustments to tighten information security, she said. There is a new CIO, chief information security officer and senior cybersecurity adviser, among other recent OPM IT leadership hires. Cybersecurity resources are centralized under the CISO, whose sole responsibility is to take the steps necessary to control access to sensitive information, Cobert added.

"The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization," she said. "Throughout this agency, management has embraced cybersecurity as a top priority. I am proud of the way the team at OPM rose to the challenge and appreciate the collaborative spirit with which our partners across government worked—and continue to work—side by side with us each and every day."

The top Democrat on the committee, Rep. Elijah Cummings, D-Md., told fellow minority members he could not support the Republican analysis because it assigns blame improperly.

In particular, the report downplays evidence indicating private vendors, not just OPM employees, were players in the lead up to the breaches.

"The OPM breach was achieved using credentials taken from one of OPM's contractors to disguise its initial movements" into the agency's network, Cummings pointed out in a 21-page memo to committee Democrats on Tuesday.

The report unfairly criticizes Seymour, whom Chaffetz had demanded resign even before the investigation started, he added. Seymour resigned in February, after Chaffetz had called for her ouster at least five times, Cummings said.

"The Republican staff report fails to adequately address federal contractors and their role in federal cybersecurity," Cummings said. "The most significant deficiency uncovered during the committee's investigation was the finding that federal cybersecurity is intertwined with government contractors, and that cyber requirements for government contractors are inadequate."

Camille Tuutti contributed reporting.
