It turns out the recent massive data theft at the U.S. Office of Personnel Management is just the tip of the iceberg. According to a Wednesday report from Bloomberg, U.S. intelligence has only recently figured out that the OPM cyber-attack was just one of a series of thefts of personal data about Americans. Knowledgeable sources in the American intelligence community said that investigators have now connected multiple network intrusions over the last couple of years as a part of a coordinated campaign to gather detailed personal data on key American government and military personnel.
Several intelligence sources have noted that the Chinese government was very probably behind the OPM attack, a charge China continues to deny.
China’s personnel data theft scheme began in 2013
According to Laura Galante, manager of threat intelligence for FireEye, a security firm investigating the recent cyber-attacks, China’s ongoing personal data collection campaign began in early 2013 with travel records.
Within a year or so, it was obvious that the hackers were trying to steal health records, Social Security numbers and any other personal information on Americans they could get their hands on. Experts point out this is a notable departure from China’s past espionage operations that were aimed at stealing military and civilian technology.
“There was a clear and apparent shift,” noted Jordan Berry, an analyst at FireEye.
That said, recognizing the problem came too late for quite a few of the victims. Cybersecurity firms report off the record that health care-related firms have spent tens of millions of dollars over the last year or so on major upgrades of their IT networks, but in many cases the bulk of the data is already gone.
A person familiar with the government assessment of what went wrong says that U.S. intelligence agencies were investigating the theft of personal data from health care firms and elsewhere, but did not put it all together, especially the scope and damage of the large-scale Chinese hacking campaign.
The source pointed out that for the last couple of years, most of the attention of U.S. intelligence agencies was focused on preventing extremely dangerous cyber-attacks such as those trying to disrupt critical infrastructure like power grids, financial markets or internet backbones.
Cybersecurity analysts say that hackers had penetrated health insurer Anthem’s network for at least 10 months before they were detected, according to a knowledgeable insider. The health insurer disclosed in February of this year that hackers very likely stole personal data on more than 80 million people.
Health insurers Premera Blue Cross, based in Washington state, and Carefirst Inc., of Maryland, also disclosed in May of this year that they had been attacked, making them the most recent known victims of China’s personal data hacking campaign.
More on OPM hack
The ongoing investigation has revealed that the attackers first began accessing documents on how to configure servers at the Office of Personnel Management in November of 2013. However, the data theft was not noticed for four months, until March of 2014, according to Donna Seymour, OPM’s chief information officer, who was speaking to a Congressional committee in June. Amazingly, the attackers came back again in June of 2014 and were not discovered until April of this year.
She explained that the first break-in gave the hackers access to details about OPM’s servers and IT, which provided the tools they needed to carry out the second network break-in.
Also of note, U.S. Investigative Services reported in August of 2014 that it had suffered a network intrusion, and a break-in at KeyPoint Government Solutions was announced in December of 2014. Investigators are not sure how long the hackers had access to those organizations’ networks.
Personnel data very useful for intelligence
Security experts highlight that health-care, financial and employment data definitely has espionage value. That kind of information can be used in targeted intelligence operations to establish a more permanent foothold in U.S. networks, or even to blackmail government officials, noted Republican representative Michael McCaul, who is chairman of the House Homeland Security Committee.
FireEye, ThreatConnect and other cybersecurity firms say the tactics used in the attacks clearly suggest the hackers were based in China, and the signs are consistent with Chinese government espionage. Director of National Intelligence James Clapper commented a few weeks ago that China was “the leading suspect.” Clapper even gave the Chinese hackers props for the sophistication of their attacks.