Hackers who infiltrated the Office of Personnel Management (OPM) had access to the agency’s security clearance computer system for over a year, giving them ample time to steal as much information as possible from OPM’s database of military and intelligence officials, the Washington Post has reported.
“The longer you have to exfiltrate the data, the more you can take,” Stewart Baker, a former National Security Agency general counsel, told the Post.
“If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”
The breach itself occurred in June or July 2014, more than a year before it was discovered and made public by administration officials.
Initial estimates put the number of people affected at around 4 million, but a government workers’ union has insisted that as many as 14 million federal employees may have had their sensitive security clearance and background information stolen in the breach.
The higher figure is consistent with recent revelations about how long the hackers were able to remain in OPM’s system undetected — a long-observed tactic of Chinese hackers, who have been known to infiltrate servers and maintain their access for a year or more to quietly spy on their targets.
“The average time Chinese hackers have access to a compromised system is 356 days and the longest recorded was 4 years and 10 months,” Mark Wuergler, a senior cybersecurity researcher at Immunity Inc., told Business Insider, citing research published in a 2013 Mandiant report that tracked high-profile Chinese hacking groups.
“They are really good at what they do, and when they break into something it’s not just smash and grab,” Wuergler said.
Sophisticated attackers, he notes, “might also play a psychological game” by making the forensic researchers reacting to the breach think they have successfully expelled them from the system, allowing hackers to remain embedded without fear of further detection.
Jeffrey Wagner, OPM director of information technology security operations, told the Post that the first breach of OPM’s security clearance system in early 2014 did not result in any theft of data.
“We were actually able to stop” the hackers before they took any information, he said.
The hackers’ second attempt in mid-2014, however, proved successful, indicating that “China may have never left the OPM’s system in the first place,” Wuergler noted.
The news that hackers remained in OPM’s system for over a year follows reports that contractors in Argentina and China were given “direct access to every row of data in every database” when they were hired by OPM to manage the personnel records of federal employees.
Experts and politicians are now lambasting the US government for the way the agency handled IT security.
“OPM is right in general that encryption is not magic security butter,” Dave Aitel, CEO of cybersecurity firm Immunity Inc., told Business Insider. “But the committee is also right in that OPM was massively negligent.”