Signs of OPM Hack Turn Up at Another Federal Agency

The discovery suggests the breadth of one of the most damaging cyberassaults known is wider than officials have disclosed.

The National Archives Building in Washington, DC.
National Journal
Aliya Sternstein, Nextgov
June 23, 2015, 3:52 a.m.

The National Archives and Records Administration recently detected unauthorized activity on three desktops indicative of the same hack that extracted sensitive details on millions of current and former federal employees, government officials said Monday. The revelation suggests the breadth of one of the most damaging cyberassaults known is wider than officials have disclosed. 

The National Archives’ own intrusion-prevention technology successfully spotted the so-called indicators of compromise during a scan this spring, said a source involved in the investigation, who was not authorized to speak publicly about the incident. The discovery was made soon after the Homeland Security Department’s U.S. Computer Emergency Readiness Team published signs of the wider attack—which targeted the Office of Personnel Management—to look for at agencies, according to NARA. 

It is unclear when NARA computers were breached. Suspected Chinese-sponsored cyberspies reportedly had been inside OPM’s networks for a year before the agency discovered what happened in April. Subsequently, the government uncovered a related attack against OPM that mined biographical information on individuals who have filed background investigation forms to access classified secrets.

The National Archives has found no evidence intruders obtained “administrative access,” or took control, of systems, but files were found in places they did not belong, the investigator said. 

NARA “systems” and “applications” were not compromised, National Archives spokeswoman Laura Diachenko emphasized to Nextgov, “but we detected IOCs”—indicators of compromise—“on three workstations, which were cleaned and reimaged,” or reinstalled.

“Other files found seemed to be legitimate,” such as those from a Microsoft website, she said. “We have requested further guidance from US-CERT on how to deal with these” and are still awaiting guidance on how to proceed. 

It will take additional forensics assessments to determine whether attackers ever “owned” the National Archives computers, the investigator said. 

Diachenko said, “Continued analysis with our monitoring and forensic tools has not detected any activity associated with a hack,” including alerts from the latest version of a government-wide network-monitoring tool called EINSTEIN 3A.

EINSTEIN, like NARA’s own intrusion-prevention tool, is now configured to detect the tell-tale signs of the OPM attack.

“OPM isn’t the only agency getting probed by this group,” said John Prisco, president of security provider Triumphant, the company that developed the National Archives’ tool. “It could be happening in lots of other agencies.”

Prisco said he learned of the incident at a security-industry conference June 9, from an agency official the company has worked with for years.

“They told us that they were really happy because we stopped the OPM attack in their agency,” Prisco said.

The malicious operation tries to open up ports to the Internet, so it can excise information, Prisco said.

“It’s doing exploration work laterally throughout the network, and then it’s looking for a way to communicate what it finds back to its server,” he added.

Homeland Security officials on Monday would not confirm or deny the situation at the National Archives. DHS spokesman S.Y. Lee referred to the department’s earlier statement about the OPM hack: “DHS has shared information regarding the potential incident with all federal chief information officers to ensure that all agencies have the knowledge they need to defend against this cybersecurity incident.”

The assault on OPM represents the seventh raid on national-security-sensitive or federal-personnel information over the past year.

Well-funded hackers penetrated systems at the State Department, White House, U.S. Postal Service, and, in March 2014, OPM. Intruders also broke into networks twice at KeyPoint Government Solutions, an OPM background-check provider, and once at USIS (U.S. Investigation Services), which conducted most of OPM’s employee investigations until last summer.

On Wednesday, the House Oversight and Government Reform Committee is scheduled to hold a hearing on the OPM incident that, among other things, will examine the possibility that hackers got into the agency’s systems by using details taken from the contractors.
