The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information.
The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel.
“The longer you have to exfiltrate the data, the more you can take,” he said. “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”
The compromise of the system was discovered early this month and dates back to June or early July 2014, agency officials said. The network holds a wealth of personal, family and financial details on millions of current, former and prospective federal employees and contractors.
“This is some of the most sensitive non-classified information I could imagine the Chinese getting access to,” said Baker, who also is a former senior policy official in the Department of Homeland Security.
The discovery of that breach followed the detection in April of the compromise of a personnel database containing Social Security numbers and other personal information of 4.1 million current and former federal employees. That hack dates back to December, officials said.
In the case of the personnel database, the time between breach and discovery was four months — much shorter than the one-year interval for the security clearance system.
OPM officials are still trying to determine how much data was actually stolen and who was affected. The background-check system is complex and antiquated, made up of many databases and fed by numerous agencies. OPM emphasized that it has tried since last year to put in place stronger detection and prevention. Some U.S. officials say OPM has been stymied by bureaucratic hurdles.
The Obama administration has not publicly named the suspected perpetrator of the intrusions. But U.S. officials, speaking privately, have said it is the Chinese government.
Jeffrey Wagner, OPM director of information technology security operations, said a breach of that same security clearance system last year, which drew front-page headlines, did not result in any theft of data. “We were actually able to stop” the hackers before they took any information, he said in an interview Thursday.
But the agency was not able to prevent a different group of Chinese government hackers from successfully penetrating the same network a few months later, said officials with knowledge of the probe. Investigators determined they were a separate group because the tactics and techniques were different, the officials said.
Senior U.S. officials have said that the Chinese have begun in the last 12 to 18 months to build vast databases of Americans’ personal information for counterintelligence purposes. They have gone after such data contained not only in federal networks, but in systems belonging to health-insurance giants such as Anthem.
The breach details come as OPM leadership is under fire for its handling of a succession of network hacks over the last year and a half. The chairman of the House Oversight and Government Reform Committee, Rep. Jason Chaffetz (R-Utah), has called for the resignation of the agency’s director, Katherine Archuleta.
Under Archuleta, Wagner said, the agency in February 2014 began a program to identify vulnerabilities in the agency’s aging computer systems — some date to 1985 — and to modernize the network.
The following month, in March 2014, the Department of Homeland Security notified OPM of the first hack of the security clearance database. In May that year, the agency did a “remediation Big Bang,” Wagner said, to try to make improvements to the system.
But one challenge was a bureaucracy that made it difficult to buy security tools quickly, officials said. “OPM can’t get through government procurement that fast,” said a U.S. official, who was not authorized to speak for the record.
Agency officials addressed a controversy involving a cybersecurity firm called CyTech Services Inc. In an article published last week, anonymous sources told the Wall Street Journal that CyTech — not OPM — discovered the breach of the agency’s network through a product demonstration.
In fact, Wagner said, OPM discovered the malicious software — the tip-off that a breach had occurred — on April 15, six days before CyTech’s product demonstration, using a different firm’s software. That malware was found on a server that had access to the security clearance database.
Wagner said CyTech knew that OPM had already identified the malware. “I gave them the list of malware,” he said. “They were able to identify” the same malware, he said.
Wagner said he was “a bit shocked” by CyTech’s statement. He said in speaking to the firm, its position was “from our perception, we discovered this.”
That, he said, “created a new phrase for me: A misconception is a perception.”
In its investigation, OPM identified traffic moving to suspicious Web sites or domains that were not known. One of the domains was opm.security.org.
“That was not a legitimate domain for OPM,” Wagner said. That was the first indication that something was amiss, he said.
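The first indicator Wagner describes is traffic to a domain that carried the agency’s name but was not one the agency owned. The following script is an added example, not code from the article or from OPM, showing how a defender can screen web-proxy logs for such lookalike hosts. The log format, the allowlist of legitimate domains (opm.gov) and the organisation label list are assumptions constructed for illustration; only the domain opm.security.org comes from the article.

```python
"""Added example (not part of the article): flag lookalike domains in proxy logs.

The article's tip-off was traffic to opm.security.org, a host that contains the
agency's name but is not under any domain the agency owns. The log lines,
allowlist and label list below are constructed for illustration."""

import re

# Assumption: the organisation's legitimate registrable domains.
LEGITIMATE_DOMAINS = {"opm.gov"}

# Assumption: name labels that identify the organisation. A host built from one
# of these outside LEGITIMATE_DOMAINS deserves a look.
ORG_LABELS = {"opm"}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <host> <bytes_out>".
SAMPLE_LOG = """\
2014-06-12T03:14:07Z 10.20.1.15 GET intranet.opm.gov 512
2014-06-12T03:14:09Z 10.20.1.15 POST opm.security.org 1048576
2014-06-12T03:15:11Z 10.20.1.22 GET updates.example.com 2048
2014-06-12T03:16:45Z 10.20.1.15 POST opm.security.org 2097152
2014-06-12T03:17:02Z 10.20.1.30 GET www.opm.gov 256
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: a production tool would consult the public suffix list so
    that names under e.g. .co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True if the host uses an organisation label but is not under a
    legitimate registrable domain (e.g. opm.security.org, opm-gov.example.net).

    Labels are split on '.', '-' and '_' so that hyphenated variants are caught
    without matching unrelated words that merely contain the letters."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return False
    tokens = re.split(r"[-_.]", host)
    return any(token in ORG_LABELS for token in tokens)


def parse_log(text: str) -> list:
    """Parse constructed proxy log lines into dicts; lines that do not match
    the expected format are skipped rather than crashing the scan."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            records.append(rec)
    return records


def find_suspicious(text: str) -> dict:
    """Summarise traffic to lookalike hosts per (client, host) as
    (request_count, total_bytes_out). Outbound volume to such a host is the
    figure an analyst wants when judging whether data left the network."""
    summary = {}
    for rec in parse_log(text):
        if is_lookalike(rec["host"]):
            key = (rec["src"], rec["host"])
            count, total = summary.get(key, (0, 0))
            summary[key] = (count + 1, total + rec["bytes_out"])
    return summary


if __name__ == "__main__":
    for (src, host), (count, total) in find_suspicious(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {count} requests, {total} bytes out")
```

On the constructed sample this reports a single client sending two POSTs totalling about 3 MB to opm.security.org, while the genuine opm.gov hosts and an unrelated vendor domain are ignored. In practice the allowlist should also cover third-party domains the organisation legitimately uses, and the lookalike check belongs alongside a newly-seen-domain check, since the article notes the suspicious domains were ones not previously known.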
The malware OPM discovered was a never-before-seen variant of the malware known as PlugX, officials with knowledge of the probe said. It was shared with the FBI and the National Security Agency, they said.
The breach of OPM’s network occurred through the theft of login and password data for an employee of KeyPoint Government Solutions, an OPM contractor, sometime before last October, officials said. It is not clear if that theft was related to a hack of KeyPoint that was reported last year, they said.
OPM officials sought to defend their efforts. “The only reason we even found these breaches was because of Director Archuleta’s strategic plan, which she put in place within her first 100 days,” spokesman Samuel Schumach said.