Great Chinese Hack of the United States Government's Personnel Office in 2015
1. The Great 2014 Chinese Hack
of The United States Government’s
Personnel Office
Last Updated 2.4.16
By Dr. Tim Dosemagen
2. Dr. Tim Dosemagen
USAF Cryptologic Analyst during
Carter and Reagan Administrations
3 years intelligence collection in
South Korea; visited North Korea;
conversational in spoken and
written Korean
Temporary duty in Okinawa, Hawaii
2 years instruction in Chinese at
Defense Language Institute,
Monterey, CA; fluent in spoken and
written Chinese
Worked at National Security
Agency’s Ft. Meade Facility during
Reagan Administration
3. East Asian Expertise
5 years living and working in East
Asia (China, Taiwan, Japan, Korea)
13 visits to Taiwan
3 visits to People’s Republic of
China, introduced Dr. Peter F.
Drucker EMBA in Beijing
Lectured in Shanghai on the
ramifications of the attacks of 9.11.01
Instructed MBA to USAF pilots at
Misawa AFB, Aomori, Japan
USAF Commendation &
Achievement Medals
Joint Service Achievement Medal
4. The Evolving U.S. – China Relationship
From Big & Little Brothers to Equals
5. Mutual Dependence & Shifting Powers
Chinese ownership of US Debt
US investment in Chinese
businesses and development
Chinese – US military
exchanges
US brain drain of Chinese
citizens
Chinese theft of US intellectual
property
Most Favored Nation Status
6. Balancing Alliances With Russia / USA
A long, common border
Treaty of Nerchinsk
Treaty of Amur
War in the 1960s
Great Gas Deal of 2015
Fought US to a draw in the
early 1950s Korean War
Fought US to a defeat in the
1960s/70s Vietnam War
8. PLA Unit 61398
Military Unit Cover Designator
61398, People’s Liberation
Army Advanced Persistent
Threat Unit
Source of Chinese Computing
Hacks
Datong Road, Pudong,
Shanghai, PRC facility
Staffed by 4,000 Agents
Created in 2001
9. Nabbing PLA Unit 61398
The infiltration was discovered
using the United States
Computer Emergency
Readiness Team’s (US-CERT’s)
EINSTEIN Intrusion Detection
Program; the intrusion itself
predated the EINSTEIN
deployment, which began in
March 2014.
The infiltration may have also
been discovered by a product
demonstration of CyFIR, a
commercial forensic product
from Manassas, Virginia
security company CyTech
Services.
10. PLA Unit 61398
Operates under the 2nd Bureau
of the PLA General Staff
Department’s Third
Department.
APT1 – attacks a broad range
of corporations and
government entities around
the world, since at least 2006.
11. PLA Unit 61398
Andy Ozment – US DHS Security
official:
– “The attackers had gained valid user
credentials to the systems they were
attacking, likely through social
engineering.”
Ars Technica:
– “At least one worker with root access to
every row in every database was
physically located in China; another
contractor had two employees with
Chinese passports.”
12. PLA Unit 61398
Indicted by US Federal Grand Jury – 5.19.14, on charges
of theft of information and intellectual property from US
commercial firms, and planting malware in their
computers. One of 20 such groups in the PRC.
Comprised of four large networks in Shanghai, 2 of which
serve the Pudong Area. The 3rd and 4th Departments are
responsible for Electronic Warfare.
Also known as Byzantine Candor.
Also known as The Comment Group.
14. PLA Unit 61398
The group compromises internal software comment features on
legitimate web pages to infiltrate target computers that access
the sites, leading it to be called The Comment Group.
The collective has stolen trade secrets and other confidential
information from numerous foreign businesses and organizations
since 2006, including Lockheed Martin, Telvent, and other
companies in the sectors of Software, Arms, Energy, Finance,
Electronics, Engineering, Aeronautics and Manufacturing.
The group was behind the infamous Operation Shady Rat in 2011,
which saw over 70 organizations targeted - including US,
Canadian, Taiwanese, Vietnamese and United Nations entities.
15. PLA Unit 61398
Five Chinese indicted by DOJ
on 5.19.14:
– Huang Zhenyu
– Wen Xinyu
– Sun Kailiang
– Gu Chunhui
– Wang Dong
All five operated out of the 12-
story Datong Road, Pudong,
Shanghai facility.
17. BBC – 6.5.15
“The US says it faces a ‘dedicated adversary’ and an ‘ever
evolving threat’ to the nation’s cyber security, after a
major data breach.”
“The hacking of Federal Government OPM computers
compromised the records of four million current and
former employees.”
“The employees are being told to take precautions,
including close monitoring of bank accounts, credit
reports, and changing online passwords.”
18. BBC – 6.5.15
“We’re worried about identity theft,” said Bryan Sivak, a
former technology officer with the Department of HHS,
“but depending on what information was accessed, I’m
more worried about this information being used to
illegally access various networks or against individuals
directly.”
Every SF-86 Application For A Security Clearance form
was compromised – extremely sensitive data.
19. BBC – 6.5.15
Steve Hodge, former FDA employee: “If anyone had
possession of this information, they could impersonate
me.”
OPM said it became aware of the data breach in April 2015
during an “aggressive effort” to update its Cyber Security
Systems.
OPM serves as the HR Department for the U.S. Federal
Government, issuing Security Clearances and compiling
records of all government employees.
21. OPM Warned Repeatedly
The OPM had been warned multiple times of security
vulnerabilities and failings. A March 2015 semi-annual
report to Congress by the OPM Office of the Inspector
General warned of “persistent deficiencies in OPM’s
information system security program,” including
“incomplete security authorization packages, weaknesses
in testing of information security controls, and inaccurate
plans of action and milestones”.
22. BBC – 6.5.15
What was stolen?
– Sensitive data on former and current employees
– Security Clearances and background checks dating back to 1985.
– Social Security Numbers
– Performance Reviews and Testing
– Birthdays, Addresses, Bank Information and other highly sensitive
personal data
Some of the sensitive personal information could be used to
access critical weapons systems.
24. PRC Foreign Ministry Spokesperson Hua
Chunying’s Press Conference of 7.10.15
Recently there are allegations
from Washington that Chinese
hackers are responsible for
security hackings into the US
Office of Personnel
Management.
What is China’s comment?
25. PRC Foreign Ministry Spokesperson Hua
Chunying’s Press Conference of 7.10.15
“We have stated the Chinese
Government’s principle and
position on the issue of cyber
security many times. All
parties should adopt a
constructive attitude on the
issue.
26. PRC Foreign Ministry Spokesperson Hua
Chunying’s Press Conference of 7.10.15
“It is imperative to stop groundless accusations, step up
consultations to formulate an international code of conduct in
cyberspace and jointly safeguard peace, security, openness and
cooperation of the cyber space through enhanced dialogue and
cooperation in the spirit of mutual respect.”
Translation: You guys do the same thing to us – welcome to the
21st Century.
28. 7% of America’s Personal Information
Business Insider: 7.9.15 – “More than 20 million people
had their personal information stolen when OPM servers
were breached by Chinese hackers last year, sources
close to the agency are reporting.”
NYT & Government: 21.5 million
CNN: 22.1 million
ABC & Reuters: 25 million
FBI Director James Comey: 18 million
30. SF-86s
“US Intelligence and Law Enforcement officials are
particularly concerned over the theft of forms known as
SF-86s that current and prospective federal workers,
including certain military personnel, and even contractors
submit for Security Clearances.”
“Experts fear the stolen information could be used by the
Chinese Government to blackmail, exploit, or recruit US
Intelligence Officers, compromising the success and
safety of agents operating at home and abroad.”
32. Worst Breach of Personally Identifying
Information Ever
FBI Director James Comey to a Senate Panel:
– “I’m sure the adversary has my SF-86 now.”
– “My SF-86 lists every place I’ve ever lived since I was 18. Every
foreign travel I’ve ever taken. All of my family (and) their
addresses.”
34. Worst Breach of Personally Identifying
Information Ever
Tinfoil Security CEO Michael Borohovski:
– “The hackers stole SF-86s, which is one of the most extensive
national security questionnaires that exists.”
– “Security-wise, this may be the worst breach of personally
identifying information ever.”
Hackers who infiltrated OPM had access to the agency’s
security clearance system for over a year, giving them
ample time to steal as much information as possible from
OPM’s database of military and intelligence officials.
36. Worst Breach of Personally Identifying
Information Ever
Michael Adams – Special Operations Command computer
security expert:
– “The spies who took the information will know who the best
targets for espionage are in the United States…”
– “The theft includes the results of polygraph tests…which is
really bad, because the goal of government administered
polygraph tests is to uncover any blackmailable information
about its employees before it can be used against them…so it’s
really a goldmine of blackmail for intruders.”
37. Conclusions
Security experts agree that the biggest problem with the
breach was not the failure to prevent remote break-ins,
but the absence of mechanisms to detect outside
intrusion and the lack of proper encryption of sensitive
data.
OPM CIO Donna Seymour pointed to the agency’s aging
systems as the primary obstacle to putting such
protections in place, despite having encryption tools
available.