The government is worried that hackers who raided more than 4 million federal employment files will use their loot to pry into more-secure computers and plunder secrets about the U.S. military, economic strategy or foreign relations.
Federal officials said Friday the cyberattack appeared to have originated in China, but they didn’t point fingers directly at the Chinese government. The Chinese said any such accusation would be “irresponsible and unscientific.”
Federal employees were told in a video to change all their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them. That message came from Dan Payne, a senior counterintelligence official for the Director of National Intelligence.
“Some of you may think that you are not of interest because you don’t have access to classified information,” he said. “You are mistaken.”
White House spokesman Josh Earnest said he couldn’t divulge much while the case was under investigation. Still, he noted that investigators “are aware of the threat that is emanating from China.”
One U.S. official said the breach was being investigated as a national security matter, suggesting authorities believe a nation was behind it rather than a more loosely organized gang of cybercriminals. The official was not authorized to discuss an ongoing investigation and spoke only on condition of anonymity.
The break-in is an embarrassing showing for the U.S. government’s vaunted computer-defense system for civilian agencies – dubbed “Einstein” – which is costing $376 million this year alone. It’s supposed to detect unusual Internet traffic that might reflect hacking attempts or stolen data being transmitted outside the government.
This latest breach occurred in December but wasn’t discovered until April, officials say. It was made public Thursday.
‘'The scale of it is just staggering,” said Rep. Adam Schiff, D-Calif., top Democrat on the House Intelligence Committee. There’s no telling how many more attacks could be spawned by the information stolen in this case, he said.
Although most Americans think of identity thieves stealing from credit card or bank accounts, the information about civilian federal workers has other value for foreign spies.
“They’re able to identify people who are in positions with access to significant national security information and can use personal data to target those individuals,” said Payne, the counterintelligence official.
He said details from personnel files could be used to craft personalized phony messages to trick workers. Federal employees who think they’re opening an email from co-workers or family members might infect their computers with a program that would steal more information or install spy software.
Spies also could use details about an employee’s interests or background to befriend them and try to manipulate them into revealing secrets.
Kevin Mitnick, a former hacker who now runs Mitnick Security Consulting of Las Vegas, called confidential details about federal employees “a gold mine.”
“What’s the weakest link in security?” Mitnick said. “The human. Now you know all about your target.”
The hackers may have made off with even more information about workers who undergo security clearance background checks. That information includes the names of family, neighbors, even old bosses and teachers, as well as reports on vices, arrests and foreign contacts.
However, OPM spokesman Samuel Schumach said there was no evidence to suggest that security clearance information collected by OPM was compromised. It’s stored separately from routine personnel files, he said.
“The kind of data that may have been compromised in this incident could include name, Social Security Number, date and place of birth, job assignments, training files, performance ratings and current and former addresses,” Schumach said in an email.
The breach occurred at a network maintained by the Department of Interior, which also houses the personnel agency’s files. Schumach said agencies share computer systems partly to save money – and it’s also supposed to strengthen security.
Security experts said the hackers may have gone after the personnel agency because it’s an easier target than the Pentagon or National Security Agency.
It’s probably “about gaining deeper access to other systems and agencies,” said Mark Bower, the global director of HP Inc.’s Security Voltage unit, so the hackers can go after military, economic or foreign policy plans.
Private cybersecurity researchers said they believe the personnel agency was targeted by the same hackers who got into the Anthem and Primera health insurance groups last year.
John Hultquist, head of cyberespionage intelligence at iSight, said the Dallas-based security firm had found evidence linking the two attacks, but declined to say whom they suspect. “We think they are creating a database they can leverage for follow-on espionage,” Hultquist said.
A spokesman for the Director of National Intelligence declined to discuss whether there was evidence against China or whether intelligence agency employees were among those whose information was compromised.
The National Security Agency and the FBI have improved their ability to attribute cyberattacks in recent years, officials have said. Often, Chinese cyberattacks have identifiable signatures, including the types of malware used. The NSA also uses its more traditional intelligence gathering methods to trace the origins of cyberattacks including intercepting the phone calls and emails of the hackers.
The Homeland Security Department said it used Einstein to confirm the breach. But that’s the equivalent of a smoke alarm sounding after the house burned down.
After the fact, Einstein helped investigators understand how the break-in happened and its extraordinary scale, and to protect against a repeat of a similar attempt.
“It didn’t fare so well,” said James Lewis, a leading cybersecurity expert at the Center for Strategic and International Studies, a Washington think-tank. “It’s only a victory if you defeat the opponent, and we didn’t.”
Associated Press writers Kevin Freking, Brandon Bailey, Raphael Satter, Jim Kuhnhenn, Darlene Superville and Connie Cass contributed to this report.