5 Jun 2015

US government cyber attack: the key questions

US officials point the finger of blame at China after hackers break into US government computers, compromising the personal data of 4 million current and former federal employees.

China has responded angrily to the suggestion, after the attack on the US government’s Office of Personnel Management (OPM).

What has happened?

As-yet-unidentified hackers broke into the OPM’s information systems; the agency detected the malicious activity in April.

A Department of Homeland Security (DHS) official said the attack hit OPM’s IT systems and its data stored at the Department of the Interior’s data centre – a shared service centre for federal agencies.

The DHS has said that at the beginning of May it concluded the agency’s data had been compromised and the data of around 4 million workers may have been affected.

A US law enforcement source told Reuters a “foreign entity or government” was believed to be behind the cyber attack and it was reported on Friday that authorities were looking into a possible Chinese connection.

The OPM is now working with the DHS and FBI to determine the full impact of the cyber attack. The FBI said it “will continue to investigate and hold accountable those who pose a threat in cyberspace”.

Why blame China?

US authorities are reported to be looking into a possible China connection to the OPM breach.

Cyber investigators at iSight Partners have linked the OPM hack to earlier thefts of healthcare records from Anthem, a health insurance company, and Premera Blue Cross, a healthcare services provider – in which tens of millions of records may have been stolen. Several US states were already investigating a Chinese link to the Anthem attack, it has been reported.

All three breaches have one thing in common, said John Hultquist of iSight. He said that while cyber espionage usually focuses on stealing commercial or government secrets, these attacks targeted personally identifiable information.

Though iSight could not confirm that China was behind the attacks, Mr Hultquist said the similar methods, servers and habits of the hackers pointed to a single state-sponsored group.

Chinese hackers were also blamed for penetrating OPM’s computer networks last year.

What does China say about it?

China routinely denies involvement in hacking and a spokesman for the Foreign Ministry in Beijing said suggestions it was involved in the OPM breach were “irresponsible and unscientific.”

Chinese Foreign Ministry spokesman Hong Lei said: “We hope that the US can stop being constantly paranoid and make groundless accusations, but instead show more trust and cooperation in this field.”

What has been stolen?

At this stage the OPM is unable to tell what information has been taken in the attack, only what has been accessed.

According to the Washington Post, agency officials said the hackers had access to information including employees’ social security numbers, job assignments, performance ratings and training information. The OPM declined to comment on whether payroll data was exposed other than to say no direct-deposit information was compromised.

[Image: the US Department of the Interior]

This information could be sold on the dark web for a range of purposes, but iSight Partners says the data “doesn’t appear to have been monetised and the actors seem to have connections to cyberespionage activity”.

If the culprits are state-sponsored hackers, then it is likely that they are not after money. Philip Lieberman of security software company Lieberman Software said the information could be used to create targeted email attacks, otherwise known as spear phishing, to obtain more confidential data.

Other security experts said that, because the affected data included job histories, the information could be used to target other government departments.

“It’s likely this is less about money and more about gaining deeper access to other systems and agencies,” said Mark Bower of HP Security Voltage, a data security company.

What is the OPM doing about it?

The OPM was already in the process of “an aggressive effort to update its cybersecurity posture”, the agency said. It was because of these new tools that it detected the malicious activity.

Additional security measures have been implemented to protect sensitive data, the OPM said, and over the next couple of weeks it will be emailing the affected individuals with advice on credit monitoring and identity theft protection.

Is the UK at risk from a similar attack?

Mark James, a security specialist at anti-virus firm Eset, said that the data breach at such a high level should concern every government, including the UK’s.

“Any breach of this type of nature has implications worldwide,” he said. “The type of data obtained could be used in advanced phishing techniques to contact or infiltrate other organisations.”

Roy Duckles, channel director for Europe at online security firm Lieberman Software, suggested that given the UK’s position as an ally of the US, similar cyber security practices to those breached in the US could be in place here.

“Should the UK government be concerned? The answer is yes. Don’t forget that friendly nation states often share information both at a domestic and international level and this includes using shared IT practices in many instances.

“If the US can be breached, in what appears to be a very targeted and specific attack, then there is nothing to say that hackers aren’t already in similar networks in the UK government.”