The massive breach of the federal government, in which millions of sensitive documents on current and former U.S. government employees were stolen, has been blamed on a set of organized Chinese hackers, not the same government-based hackers that have been accused in past U.S. data breaches.
Washington has not yet publicly accused China of being the culprit of the data breach at the U.S. Office of Personnel Management (OPM), yet China has already dismissed current accusations, stating they are “irresponsible and unscientific.”
According to Reuters, hackers were able to compromise government systems with a rare tool that can take remote control over computers, dubbed Sakula, which was also used to cause the catastrophic breach affecting U.S. health insurer Anthem Inc just last year.
According to a set of researchers, the Anthem attack was attributed to hackers affiliated with China’s Ministry of State Security, which focuses on government stability, counter-intelligence and dissidents. However, researchers aren’t entirely certain which part of the Chinese government is responsible for the federal OPM breach.
U.S. investigators close to the case said they believe hackers registered the deceptive domain ‘OPM-Learning.org’ in an attempt to steal employee credentials. Anthem, formerly known as Wellpoint, was targeted the same way in its breach, as hackers registered the domain We11point.com, replacing the letter “L” with the number one. Hackers then sent out phishing emails in hopes of fooling an employee into handing over their password.
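As an added example (not from the article), a small defender-side check that flags the kind of lookalike sender domains described above, such as We11point.com and OPM-Learning.org; the protected brand list and the sample sender domains are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Optional

# Digit-for-letter swaps commonly used to disguise a brand name in a domain.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"}

# Constructed list of legitimate domains a defender wants to protect.
PROTECTED = ["wellpoint.com", "anthem.com", "opm.gov"]


def normalize(label: str) -> str:
    """Undo digit-for-letter swaps and drop separators, so we11point -> wellpoint."""
    swapped = "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())
    return re.sub(r"[^a-z]", "", swapped)


def registrable_part(domain: str) -> str:
    """Return the label just before the public suffix (naive: last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this one impersonates, or None.

    The legitimate domain and its subdomains are never flagged; anything else whose
    normalized registrable label contains a protected brand name is."""
    domain = domain.lower().rstrip(".")
    for good in PROTECTED:
        if domain == good or domain.endswith("." + good):
            return None
    candidate = normalize(registrable_part(domain))
    for good in PROTECTED:
        if registrable_part(good) in candidate:
            return good
    return None


def flag_senders(sender_domains: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious sender domain to the brand it mimics."""
    return {d: t for d in sender_domains for t in [lookalike_of(d)] if t}


if __name__ == "__main__":
    # Constructed sample of sender domains pulled from mail logs.
    sample = ["we11point.com", "OPM-Learning.org", "wellpoint.com", "example.org", "login.0pm.gov"]
    print(flag_senders(sample))
```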
Both the Anthem and OPM breaches involved malicious software that was digitally signed, and therefore treated as trusted, with a certificate stolen from DTOPTOOLZ, a Korean software company that says it has no involvement with the hackers or the data breaches.
“We are seeing a group that is only targeting personal information,” said Laura Galante, manager of threat intelligence at FireEye Inc, a security firm that has worked on a number of high-profile intrusions. However, other security firms believe differently, stating that the hackers are only concerned with stealing defense and industry trade secrets.
The federal OPM breach gave hackers access to millions of sensitive documents, including government job applicants’ security clearance forms detailing drug use, love affairs and foreign contacts. One government worker believes the OPM breach could affect over 14 million government staffers.
OPM Breach Worsens
Newly revealed evidence indicates that hackers breached the agency’s security clearance computer system last year, giving them more than enough time to accurately scope out and steal as much information as possible from the OPM database, the Washington Post reported.
Alleged Chinese hackers initially breached the network around June or July 2014, more than a year before officials were notified and made the information public.
“The average time Chinese hackers have access to a compromised system is 356 days and the longest recorded was 4 years and 10 months,” Mark Wuergler, a senior cybersecurity researcher at Immunity Inc., told Business Insider, citing a 2013 Mandiant report that tracked high-profile Chinese-based hacking groups.
“They are really good at what they do, and when they break into something it’s not just smash and grab,” Wuergler added.
Chinese hackers tried breaking into government systems in early 2014 and failed, as the government was able to spot and successfully mitigate the threat before any information was stolen. However, their second attempt in mid-2014 proved successful, leading to the massive OPM breach the federal government is dealing with today.
News that Chinese hackers were on government systems for over a year follows recent reports that Argentinian and Chinese contractors were given “direct access to every row of data in every database” when hired by the OPM to manage personnel records for federal workers.
Wuergler believes sophisticated attackers may “play a psychological game” with forensic analysts investigating the breach, leading them to believe they have successfully removed the hackers from the network while the hackers remain silently embedded within the systems, avoiding detection.