Federal authorities are investigating a breach of the computer networks of the Office of Personnel Management, which stores detailed data on up to 5 million U.S. government employees and contractors who hold sensitive security clearances.
Authorities have traced the intrusion to China, but it is not clear whether the hackers worked for the government, said a U.S. official who spoke on the condition of anonymity to discuss an ongoing investigation.
So far, no personal data appears to have been stolen, according to OPM spokeswoman Nathaly Arriola. A U.S. official said the data is encrypted.
Arriola said that the OPM and the Department of Homeland Security were alerted to the breach in mid-March through an automated monitoring system. The intrusion apparently was detected early enough that a DHS computer emergency readiness team, working with the agency, was able to block the intruder and minimize the harm.
The Chinese military has waged a persistent, more than decade-long cyber-campaign to steal all manner of information — from military weapons designs to proprietary data on advanced technologies to insight into government policies — from the computer networks of the U.S. government and its contractors, as well as from other Western governments and companies.
News of the breach, first reported by the New York Times, came as senior U.S. officials met in Beijing with their counterparts for the annual Strategic and Economic Dialogue. Secretary of State John F. Kerry said he had been notified of the report only after the dialogue had finished, but he said he had raised the general issue of Chinese targeting of U.S. systems and been “very clear” that it was an area of concern.
Chinese officials steadfastly deny that their government hacks U.S. computers and have pointed to reports based on documents leaked by former National Security Agency contractor Edward Snowden that the United States has compromised the systems of a major Chinese telecommunications equipment company, Huawei.
Former U.S. officials said that if the intruders were successful in siphoning data from the OPM, they would have gained access to a treasure trove of personal information that could enable further attacks. Experts say there are ways around encryption.
The agency operates a computerized program called e-QIP, which processes applications for security clearances, including top secret and higher. Stored in the system are massive amounts of data, including applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.
“If the Chinese government got access to that type of data, it would be a significant breach because the data would allow them to have very detailed information about people who hold very sensitive clearances,” said Shawn Henry, a former executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch.
The data could enable a hacker to craft more sophisticated efforts to send e-mails to government officials aimed at getting them to download malware by posing as people who know them — a technique known as “spearphishing,” said Henry, who is now chief security officer at CrowdStrike, a cybersecurity firm. It could help them gain access to sensitive computer accounts and even potentially conduct a physical attack or attempt extortion, he said.
The hacker could know virtually “every single person who is cleared in the U.S.,” said Jacob Olcott of Good Harbor Consulting, a cyber-risk-management company, and a former counsel for the Senate Commerce Committee. “So when they want access to the Energy Department program on such and such, they’ll say, ‘Who do we know there? Let’s send a spearphishing e-mail to get access to their computer.’ ”
U.S. government networks are assaulted daily by hackers — including more than 100 foreign intelligence agencies — trying to breach computer defenses, according to U.S. officials.
The Chinese have had some success. In 2006, Chinese hackers breached the system of a sensitive Commerce Department bureau, forcing it to replace hundreds of workstations and block employees from regular use of the Internet for more than a month. A few months before that, Chinese hackers broke into State Department computers.
In recent years, hackers have penetrated e-mail and other systems at the Defense Department, the Navy and the Environmental Protection Agency. Last year, hackers stole personal data from more than 104,000 people from an Energy Department system.
“This wasn’t the beginning or end of this particular mission,” said Olcott, referring to the attempt on the OPM system. “You have to think of this as another part of a long-term effort to collect data on U.S. government initiatives.”
Simon Denyer from Beijing and Alice Crites contributed to this report.