Houston Chronicle Sunday

China hackers dug deeply into U.S. files


For more than five years, U.S. intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities.

But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into U.S. government computer systems that contain vast troves of personnel data, according to U.S. officials briefed on a federal investigation into the attack and private security experts.

Mimicked credentials

Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems, two senior administration officials said. The hackers began siphoning out a rush of data after constructing what amounted to an electronic pipeline that led back to China, investigators told Congress last week in classified briefings.

Much of the personnel data had been stored in the lightly protected systems of the Interior Department because it had cheap, available space for digital data storage. The hackers’ ultimate target: the 1 million or so federal employees and contractors who have filled out a form known as SF86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.

‘Classic espionage’

“This was classic espionage, just on a scale we’ve never seen before from a traditional adversary,” one senior administration official said. “And it’s not a satisfactory answer to say, ‘We found it and stopped it,’ when we should have seen it coming years ago.”

The administration is urgently working to determine what other agencies are storing similarly sensitive information with weak protections. Officials would not identify their top concerns, but an audit issued early last year, before the Chinese attacks, harshly criticized lax security at agencies including the Internal Revenue Service and the Nuclear Regulatory Commission.

At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial components was left on unsecured network drives, and the agency lost track of laptops with critical data.

Computers at the IRS allowed employees to use weak passwords like “password.”

“We are not where we need to be in terms of federal cybersecurity,” said Lisa Monaco, President Barack Obama’s homeland security adviser. At an Aspen Institute conference in Washington on Tuesday, she blamed out-of-date “legacy systems” that have not been updated for a modern, networked world where remote access is routine. The systems are not continuously monitored to know who is online, and what kind of data they are shipping out.

Hit insurance firms

Federal and private investigators piecing together the attacks now say they believe the same groups responsible for the attacks on the personnel office and the contractor had previously intruded on computer networks at health insurance companies, notably Anthem Inc. and Premera Blue Cross.

What those attacks had in common was the theft of millions of pieces of valuable personal data — including Social Security numbers — that have never shown up on black markets, where such information can fetch a high price. That could be an indicator of state sponsorship, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

Obama and his aides have described the Chinese hackers in the government records case only to members of Congress in classified hearings. Blaming the Chinese in public could affect cooperation on limiting the Iranian nuclear program and tensions with China’s Asian neighbors.

Digital fingerprints

Though their targets have changed over time, the hackers’ digital fingerprints stayed much the same. That allowed analysts at the National Security Agency and the FBI to periodically catch glimpses of their movements as they breached an ever more diverse array of computer networks.

A congressional report issued in February 2014 by the Republican staff of the Senate Homeland Security Committee concluded that multiple federal agencies with responsibility for critical infrastructure and holding vast amounts of information “continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information.”
