Per­sonal data ob­ject of hacked U.S. com­put­ers

In­ves­ti­ga­tors be­lieve hack­ers sought fed­eral em­ploy­ees’ records for a black­mail scheme.

Los Angeles Times - - FRONT PAGE - By Brian Bennett and Richard A. Ser­rano brian.bennett@la­times.com Twit­ter: @ByBri­anBen­nett richard.ser­rano@la­times.com Twit­ter: @Rick­Ser­ra­noLAT Times staff writ­ers Colin Diers­ing and W.J. Hen­ni­gan in Wash­ing­ton con­trib­uted to this re­port.

In­ves­ti­ga­tion pro­ceeds on the­ory the Chi­nese gov­ern­ment was be­hind the breach.

WASH­ING­TON — The in­ves­ti­ga­tion into the cy­ber­at­tack on com­put­ers at the U.S. Of­fice of Per­son­nel Man­age­ment is pro­ceed­ing on the the­ory that the hack was di­rected by the Chi­nese gov­ern­ment and aimed at un­cov­er­ing sen­si­tive, per­sonal in­for­ma­tion that could have been used to black­mail or bribe gov­ern­ment em­ploy­ees to ob­tain se­crets, of­fi­cials said Fri­day.

So­cial Se­cu­rity num­bers, email ad­dresses, job per­for­mance re­views and other per­sonal in­for­ma­tion of about 4 mil­lion gov­ern­ment work­ers were si­phoned out of the com­puter servers, said the of­fi­cials, who spoke on con­di­tion of anonymity to dis­cuss in­ter­nal as­sess­ments of the breach.

The in­for­ma­tion ob­tained in the attack could be use­ful on its own and also could be used to craft fake emails that would en­tice gov­ern­ment work­ers to open at­tach­ments that would in­fect their com­put­ers with ma­li­cious soft­ware de­signed to bleed ad­di­tional in­for­ma­tion off fed­eral com­put­ers. Com­puter se­cu­rity ex­perts call such at­tacks “spearphish­ing.”

There is no in­di­ca­tion so far that clas­si­fied servers were breached. But the hack­ers were able to pen­e­trate the per­son­nel agency’s net­works for sev­eral months be­fore mon­i­tor­ing tools de­ployed by the Depart­ment of Home­land Se­cu­rity de­tected them. Sim­i­lar in­fil­tra­tions have been con­ducted by Chi­nese and Rus­sian hack­ers over the last year.

“This was not a hack for com­mer­cial in­ter­ests,” a se­nior law en­force­ment of­fi­cial said, con­trast­ing it with cy­ber­at­tacks that have tar­geted cut­ting-edge tech­nol­ogy or man­u­fac­tur­ing spec­i­fi­ca­tions for popular prod­ucts. The attack on the per­son­nel agency car­ried the hall­marks of an in­tel­li­gence op­er­a­tion, of­fi­cials said.

The most re­cent breach was the sec­ond ma­jor lapse at the per­son­nel agency in the last two years. In March 2014, of­fi­cials at the agency dis­cov­ered that Chi­nese hack­ers had en­tered a data­base that tracks the files of fed­eral em­ploy­ees ap­ply­ing for se­cu­rity clear­ances, po­ten­tially valu­able in­for­ma­tion for iden­ti­fy­ing who has ac­cess to U.S. se­crets.

For­eign spy agen­cies have col­lected in­for­ma­tion on U.S. gov­ern­ment em­ploy­ees for decades. In­tel­li­gence agents can use ba­sic bi­o­graph­i­cal de­tails com­bined with in­for­ma­tion kept on com­mer­cial data­bases — such as ar­rest records or credit re­ports — to find po­ten­tial re­cruits who live with crip­pling debt or have legal prob­lems that make them sus­cep­ti­ble to black­mail.

“As an in­tel­li­gence agency there’s a lot of in­for­ma­tion you can de­rive from this,” said Ken Ammon, a for­mer of­fi­cial at the Na­tional Se­cu­rity Agency and now the chief strat­egy of­fi­cer at cy­ber­se­cu­rity com­pany Xceed­ium Inc.

“You can po­ten­tially fig­ure out mis­sions based on who works with who; you can con­duct mis­sions to sub­vert in­di­vid­u­als and cre­ate a spy or an in­sider,” he said. In­for­ma­tion col­lected through hack­ing could al­low for­eign gov­ern­ments look­ing to re­cruit an agent to “pick the tar­get based on fi­nan­cial con­di­tions or other em­bar­rass­ing pri­vate in­for­ma­tion that they would not make avail­able to their fam­i­lies,” he added.

Some ex­perts, how­ever, were skep­ti­cal that the Chi­nese were be­hind the attack and the­o­rized that iden­tity thieves may have made the hack look like the in­fil­tra­tions orig­i­nated in China.

“Most likely, I think the mo­ti­va­tion is crim­i­nal; it could be Chi­nese crim­i­nals,” said Robert Knake, a for­mer direc­tor of cy­ber­se­cu­rity pol­icy at the Na­tional Se­cu­rity Coun­cil and now a se­nior fel­low at the Coun­cil on For­eign Re­la­tions.

The in­for­ma­tion that the attack swept up is not all that valu­able for launch­ing spear-phish­ing at­tacks, he said.

More­over, “if it is in fact true that it was the Chi­nese agency that went af­ter this in­for­ma­tion, it’s a le­git­i­mate tar­get for an in­tel­li­gence com­mu­nity,” Knake said. “It’s not an act of war, it’s not be­yond the pale and it’s cer­tainly not the worst in­ci­dent to ever af­fect the fed­eral gov­ern­ment.”

The Chi­nese For­eign Min­istry did not con­firm or deny in­volve­ment in the hack, but said it had also suf­fered such at­tacks.

“China it­self is also a vic­tim of cy­ber­at­tacks,” min­istry spokesman Hong Lei said Fri­day in Bei­jing. “China res­o­lutely tack­les cy­ber­at­tack ac­tiv­i­ties in all forms.”

The U.S. should not is­sue ac­cu­sa­tions against China, “but in­stead add more trust and co­op­er­at­ing in this field,” he said.

At the White House, spokesman Josh Earnest said that “no con­clu­sions about the at­tri­bu­tion of this par­tic­u­lar attack have been reached at this point.”

But he added, “When it comes to China, the pres­i­dent has fre­quently, in­clud­ing in ev­ery sin­gle meet­ing that he’s con­ducted with the cur­rent Chi­nese pres­i­dent, raised China’s ac­tiv­i­ties in cy­berspace as a sig­nif­i­cant source of con­cern.”

Some law­mak­ers used the hack to push for leg­is­la­tion they say would bet­ter pro­tect U.S. net­works.

“We can­not sit idly by, ac­cept­ing a sit­u­a­tion in which per­sis­tent cy­ber­at­tacks and data in­se­cu­rity are the new norm,” Sen. John McCain (R-Ariz.), chair­man of the Se­nate Armed Ser­vices Com­mit­tee, said in a state­ment Fri­day.

“Our top pri­or­ity must be find­ing ways to de­ter our enemies from at­tack­ing in the first place and end­ing the abil­ity of hack­ers to in­fil­trate, steal and dis­rupt with im­punity,” he said.

Adm. Michael S. Rogers, who leads the U.S. Cy­ber Com­mand and the Na­tional Se­cu­rity Agency, said dur­ing a Se­nate Armed Ser­vices Com­mit­tee hear­ing on March 19 that the na­tion was de­fend­ing its net­works in a “re­ac­tive strat­egy” against for­eign at­tacks.

The gov­ern­ment needed to think about in­ten­si­fy­ing of­fen­sive ca­pa­bil­i­ties, he said. Thus far, he said, Pres­i­dent Obama had not given him the author­ity to deploy of­fen­sive cy­ber­weapons.

“We’re at a tip­ping point,” Rogers said. “We need to think about: How do we in­crease our ca­pac­ity on the of­fen­sive side to get to that point of de­ter­rence?”

“But right now, the level of de­ter­rence is not de­ter­ring?” McCain asked.

“That is true,” Rogers said.

Congress will prob­a­bly con­sider a bill later this year de­signed to en­cour­age com­pa­nies to share more in­for­ma­tion with the gov­ern­ment about cy­ber­at­tacks. The bill would es­tab­lish the Depart­ment of Home­land Se­cu­rity as the agency to re­ceive in­for­ma­tion about at­tacks from busi­nesses and would pro­tect those com­pa­nies from li­a­bil­ity if they came for­ward.

But “data theft, while ex­tremely dam­ag­ing, does not rep­re­sent the worst-case sce­nario,” Rep. Jim Langevin (D-R.I.), co-chair­man of the House Con­gres­sional Cy­ber­se­cu­rity Cau­cus, said in a state­ment. “De­struc­tive ef­fects that once re­quired ki­netic war­fare are now pos­si­ble through a few key­strokes, even on our own soil.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.