Exclusive: The OPM breach details you haven't seen
Posted on 08/23/2015 6:26:02 PM PDT by markomalley
An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers' calibrated extraction of data and the government's step-by-step response. It illuminates a sequence of events that lawmakers have struggled to pin down in public hearings with Obama administration officials.
The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records.
The document, which bears the seals of OPM and the Department of Homeland Security, is dated July 14 and was prepared by federal investigators for the office of U.S. CIO Tony Scott, according to a source familiar with the investigation. The detailed timeline corroborates administration officials' public testimony but is unique in its comprehensiveness and specificity.
According to investigators, hackers likely gained access to OPM's local-area network on May 7, 2014, by stealing credentials and then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August.
In October, the hackers pivoted to the Interior Department data center where OPM's personnel records resided. On Dec. 15, 2014, the intruders siphoned that data away. OPM has said the personnel records of 4.2 million people were compromised in that breach.
According to the timeline, OPM officials did not know they had a problem until April 15, 2015, when the agency discovered "anomalous SSL traffic with [a] decryption tool" implemented in December 2014. OPM then notified DHS' U.S. Computer Emergency Readiness Team, and a forensic investigation began.
The discovery of a threat to the background investigation data led to the finding two days later, on April 17, of a risk to the personnel records. US-CERT made the discovery by loading data on the April 15 incident to Einstein, the department's intrusion-detection system. On April 23, US-CERT spotted signs of the Dec. 15 exfiltration in "historical netflow data," and OPM decided that a major incident had occurred that required notifying Congress.
The timeline does not name the adversary responsible for the breach, but all official signs thus far have pointed to China as a leading suspect. The document is dated weeks after it was public knowledge that hackers had accessed OPM's networks via credentials stolen from contractor KeyPoint Government Solutions. The document does not identify how that happened, however, and instead states: "method of credential acquisition unknown."
When the intrusions were discovered, OPM responded on April 17 by deploying "a predictive malware prevention capability across its networks" to sever the adversary's network access, according to the timeline. By April 24, the hackers had been evicted from OPM systems, and the next day, the document states, the agency used an "advanced host-based security tool to discover, quarantine and eliminate [the] malware." OPM verified the malware was gone on April 30, according to the timeline.
A former DHS official who viewed the document said the seven days the timeline stipulates between the deployment of the anti-malware tool and the supposed eviction of the hackers seemed rather quick.
"It's easier to be definitive about the malware being eradicated than to say the hackers are completely out of the system altogether," the former official said. He added, however, that the document "is consistent with everything that we know to date about the sequence of events that occurred in association with the OPM breach."
A DHS spokesperson also told FCW that the timeline's narrative sounded consistent with previously released details about the breach but declined to comment on the document's provenance or intended audience. Scott did not respond to emails requesting comment on the timeline, and OMB spokespeople could not be reached by phone.
The duration of the infiltration points to an inherent problem with deploying defenses such as Einstein that rely on malware signatures.
"Going after malware is futile when you get 80,000 new variants a day," Mark Seward, a vice president at cyber analytics firm Exabeam, told FCW. Nation-state-backed hackers are capable of cloaking and varying attacks to render them undetectable by tools that rely on recognizing known threats, he added. According to the DHS timeline, adversaries were inside the OPM network for 10 months before their malware signatures were plugged into Einstein.
With the support of DHS Secretary Jeh Johnson, lawmakers have advocated increased deployment of Einstein as a way to shore up agencies' security after the OPM breach. A bill sponsored by Sen. Tom Carper (D-Del.) that would accelerate deployment of the system across government passed the Senate Homeland Security and Governmental Affairs Committee last month. The House passed a related provision in April.
The detailed timeline sheds light on a chain of events that is still murky to some lawmakers. Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, sent a letter this week to US-CERT Director Ann Barron-DiCamillo asking when OPM first contacted her office to report the breach. Chaffetz also requested additional reporting and analysis on the nature of the attack.
This looks like a job for Major Motoko Kusanagi and Public Security Section 9.
Do you understand all of this?
Can you summarize it into just a few lines other than they straight up lied and screwed up? Both are common for this bunch of administration clowns and traitors.
Going after malware is futile when the NSA has guaranteed you can’t secure anything unless you build your own hardware and write your own operating system.
Actually, your best bet is to put everything on a private server and store it in some guy's bathroom. That's the highest level of security possible. No one will ever see your stuff.
Let's try this ... "If you don't give me a simple yes or no I will have the Sgt at Arms arrest you ... "
(from another thread and a different topic, but .... )
"In the past 60 years or so, America has become progressively feminized, and the archetypal warrior male has virtually disappeared. However, some tough ladies have stepped in to fill the vacuum including Phyllis Schlafly, Laura Ingraham, Sarah Palin and Michelle Malkin and many others. But how would any of these wonderful and strong women compete head-to-head in a private conference room with Vladimir Putin, Kim Jong-un of North Korea, or the mullahs and emirs of the volatile Middle East? We have seen how poorly our current girly-man-in-chief, Barack Obama, has dealt with the world of violent supermales out there. From the dawn of time, mutual respect among warrior males is the coin of the realm in these matters."
And even that won’t work unless you’ve got the human security part down.
It’s theatrics. The questioner doesn’t really want the question answered, and the responder obliges.
And encase the whole setup in a Faraday cage and never plug into a network.
>>The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records. <<
To me this looks like a well planned hit. OPM Management hired Muslims who had been specially trained to work with the computer system. They worked on the job for a few months, determined how to get all the data they needed, then formulated a plan and guess what, it worked. Valerie Jarret got a substantial bonus in her next pay check.
Trump is right. We are stupid! Hiring Muslims to work in our government agencies is stupid.
Which of us peasants, facing an inquiry from the authorities about our own similar behavior, would be able to walk away after giving a condescending throwaway response and a shrug?
Someone stole network access security credentials in April 2014.
They planted a bug at some point and started siphoning off background check data in July 2014.
They made a huge download in December 2014.
They didn’t get caught so they kept going.
No one noticed a thing until April 2015.
Summary - they were inside for a full year before they were cut off. And according to reports we still don’t know how they stole the credentials they used to plant the bugs.
Result: massive system failure allowing sensitive background data on 20+ million persons subject to security clearance.
Sooo why is this all about what they stole rather than, say... what they could have put in....
How many Chinese agents now have Top secret clearances on record?
And it was a Chinese contractor? That is the rumor or statement... I can never tell which is which these days.
Widely reported but unconfirmed to be the ChiComs.
Active Duty ping.
Because the easiest thing is to look through all those background investigations and find people with interesting things in their past, things that the government knows about now but others might not. Blackmail. Things that might indicate a liking for living the high life. Bribery. And so on.
The term is 'social engineering' and the Chicoms have access to the greatest trove of candidates for targeting in history.
NSA has guaranteed you can't secure anything unless you build your own hardware and write your own operating system.
Hitlery will probably use that and get away with it.
wipe often, with a cloth or something.