The National Archives and Records Administration recently detected unauthorized activity on three desktops indicative of the same hack that extracted sensitive details on millions of current and former federal employees, government officials said Monday. The revelation suggests the breadth of one of the most damaging cyberassaults known is wider than officials have disclosed.
The National Archives’ own intrusion-prevention technology successfully spotted the so-called indicators of compromise during a scan this spring, said a source involved in the investigation, who was not authorized to speak publicly about the incident. The discovery was made soon after the Homeland Security Department’s U.S. Computer Emergency Readiness Team published signs of the wider attack—which targeted the Office of Personnel Management—to look for at agencies, according to NARA.
It is unclear when NARA computers were breached. Suspected Chinese-sponsored cyberspies reportedly had been inside OPM’s networks for a year before the agency discovered what happened in April. Subsequently, the government uncovered a related attack against OPM that mined biographical information on individuals who have filed background investigation forms to access classified secrets.
The National Archives has found no evidence intruders obtained “administrative access,” or took control, of systems, but files were found in places they did not belong, the investigator said.
NARA “systems” and “applications” were not compromised, National Archives spokeswoman Laura Diachenko emphasized to Nextgov, “but we detected IOCs”—indicators of compromise—”on three workstations, which were cleaned and reimaged,” or reinstalled.
“Other files found seemed to be legitimate,” such as those from a Microsoft website, she said. “We have requested further guidance from US-CERT on how to deal with these” and are still awaiting guidance on how to proceed.
It will take additional forensics assessments to determine whether attackers ever “owned” the National Archives computers, the investigator said.
Diachenko said, “Continued analysis with our monitoring and forensic tools has not detected any activity associated with a hack,” including alerts from the latest version of a government-wide network-monitoring tool called EINSTEIN 3A.
EINSTEIN, like NARA’s own intrusion-prevention tool, is now configured to detect the tell-tale signs of the OPM attack.
“OPM isn’t the only agency getting probed by this group,” said John Prisco, president of security provider Triumphant, the company that developed the National Archives’ tool. “It could be happening in lots of other agencies.”
Prisco said he learned of the incident at a security-industry conference June 9, from an agency official the company has worked with for years.
“They told us that they were really happy because we stopped the OPM attack in their agency,” Prisco said.
The malicious operation tries to open up ports to the Internet, so it can excise information, Prisco said.
“It’s doing exploration work laterally throughout the network, and then it’s looking for a way to communicate what it finds back to its server,” he added.
Homeland Security officials on Monday would not confirm or deny the situation at the National Archives. DHS spokesman S.Y. Lee referred to the department’s earlier statement about the OPM hack: “DHS has shared information regarding the potential incident with all federal chief information officers to ensure that all agencies have the knowledge they need to defend against this cybersecurity incident.”
The assault on OPM represents the seventh raid on national-security-sensitive or federal-personnel information over the past year.
Well-funded hackers penetrated systems at the State Department, White House, U.S. Postal Service, and, in March 2014, OPM. Intruders also broke into networks twice at KeyPoint Government Solutions, an OPM background-check provider, and once at USIS (U.S. Investigation Services), which conducted most of OPM’s employee investigations until last summer.
On Wednesday, the House Oversight and Government Reform Committee is scheduled to hold a hearing on the OPM incident that, among other things, will examine the possibility that hackers got into the agency’s systems by using details taken from the contractors.
What We're Following See More »
Until last month, National Security Advisor John Bolton chaired the New York-based nonprofit Gatestone Institute, which promoted "misleading and false anti-Muslim news." The group published articles warning of a looming “jihadist takeover” of Europe leading to a “Great White Death," alleged that “no-go zones” existing in Europe due to violence from Muslim migrants, and published one story called: “Rape Capital of the West," which focused on Somali migrants in Sweden. The research, which was occasionally amplified by Russian media outlets and Twitter bots, also criticized mainstream European leaders for failing to confront the so-called crisis.
"Armenian Prime Minister Serzh Sargsyan has resigned following days of large-scale street protests against him." Sargsyan had previously served 10 years as President, and protestors accused him of clinging to power. "In 2015, Armenians voted in a referendum to shift the country from a presidential to a parliamentary system, stripping powers from the president and giving them to the prime minister." Sargsyan's government has also been criticized for failing to ease tensions with Azerbaijan and Turkey, and "for its close ties to Russia, whose leader Vladimir Putin also moved between the positions of president and prime minister to maintain his grip on power."
President Trump "welcomes French President Emmanuel Macron the White House" today to begin a three-day state visit "expected to be dominated by U.S.-European differences on the Iran nuclear deal and souring trade relations." Trump has vowed to scrap the Iran nuclear deal "unless European allies strengthen it by mid-May." After meetings on Monday and Tuesday, Macron will address Congress on Wednesday, "the anniversary of the day that French General Charles de Gaulle addressed a Joint Session of Congress in 1960."
"A sheriff in Illinois says Travis Reinking," the suspect in a mass shooting that killed four people in a Tennessee Waffle House on Sunday, had his state firearms card revoked last year by state police, but that "his guns were given to his father with the promise that they wouldn’t be shared with his son ... Huston says Reinking’s father has a valid firearm ownership card, and his officers didn’t believe they had any authority to seize the weapons." Police are still searching for the 29-year-old suspect.