The investigation into the cyberattack on computers at the U.S. Office of Personnel Management is proceeding on the theory that the hack was directed by the Chinese government and aimed at uncovering sensitive, personal information that could have been used to blackmail or bribe government employees to obtain secrets, officials said Friday.
Social Security numbers, email addresses, job performance reviews and other personal information of about four million government workers were siphoned out of the computer servers, said the officials, who spoke on condition of anonymity to discuss internal assessments of the breach.
The information obtained in the attack could be useful on its own and also could be used to craft fake emails that would entice government workers to open attachments that would infect their computers with malicious software designed to bleed additional information off federal computers. Computer security experts call such attacks “spear-phishing.”
There is no indication so far that classified servers were breached. But the hackers were able to penetrate the personnel agency’s networks for several months before monitoring tools deployed by the Department of Homeland Security detected them. Similar infiltrations have been conducted by Chinese and Russian hackers over the last year.
“This was not a hack for commercial interests,” a senior law enforcement official said, contrasting it with cyberattacks that have targeted cutting-edge technology or manufacturing specifications for popular products. The attack on the personnel agency carried the hallmarks of an intelligence operation, officials said.
The most recent breach was the second major lapse at the personnel agency in the last two years. In March 2014, officials at the agency discovered that Chinese hackers had entered a database that tracks the files of federal employees applying for security clearances, potentially valuable information for identifying who has access to U.S. secrets.
Foreign spy agencies have collected information on U.S. government employees for decades. Intelligence agents can use basic biographical details combined with information kept on commercial databases – such as arrest records or credit reports – to find potential recruits who live with crippling debt or have legal problems that make them susceptible to blackmail.
“As an intelligence agency there’s a lot of information you can derive from this,” said Ken Ammon, a former official at the National Security Agency and now the chief strategy officer at cybersecurity company Xceedium Inc.
“You can potentially figure out missions based on who works with who, you can conduct missions to subvert individuals and create a spy or an insider,” he said. Information collected through hacking could allow foreign governments looking to recruit an agent to “pick the target based on financial conditions or other embarrassing private information that they would not make available to their families,” he added.
Some experts, however, were skeptical that the Chinese were behind the attack and theorized that identity thieves may have made the hack look like the infiltrations originated in China.
“Most likely, I think the motivation is criminal, it could be Chinese criminals,” said Robert Knake, a former director of cybersecurity policy at the National Security Council and now a senior fellow at the Council on Foreign Relations.
The information that the attack swept up is not all that valuable for launching spear-phishing attacks, he said.
Moreover, “if it is in fact true that it was the Chinese agency that went after this information, it’s a legitimate target for an intelligence community,” Knake said. “It’s not an act of war, it’s not beyond the pale and it’s certainly not the worst incident to ever affect the federal government.”
The Chinese Foreign Ministry did not confirm or deny any involvement in the hack, and claimed it has also suffered cyberattacks.
“China itself is also a victim of cyberattacks,” ministry spokesman Hong Lei said Friday in Beijing. “China resolutely tackles cyberattack activities in all forms.” The U.S. should not issue accusations against China, “but instead add more trust and cooperating in this field,” he said.
At the White House, spokesman Josh Earnest said that “no conclusions about the attribution of this particular attack have been reached at this point.”
But he added, “When it comes to China, the president has frequently, including in every single meeting that he's conducted with the current Chinese president, raised China's activities in cyberspace as a significant source of concern.”
Some lawmakers used the hack to push for legislation they say would better protect U.S. networks.
“We cannot sit idly by, accepting a situation in which persistent cyberattacks and data insecurity are the new norm,” Sen. John McCain (R-Ariz.), chairman of the Senate Armed Services Committee, said in a statement Friday.
“Our top priority must be finding ways to deter our enemies from attacking in the first place and ending the ability of hackers to infiltrate, steal and disrupt with impunity,” he said.
Adm. Michael S. Rogers, who leads both the U.S. Cyber Command and the National Security Agency, said during a Senate Armed Services Commitee hearing on March 19 that the nation currently defends its networks in a “reactive strategy” against foreign attacks.
The government needed to think about intensifying offensive capabilities, he said. Thus far, he said, President Obama had not given him the authority to deploy offensive cyberweapons.
“We're at a tipping point,” Rogers said. “We need to think about: How do we increase our capacity on the offensive side to get to that point of deterrence?”
“But right now, the level of deterrence is not deterring?” McCain asked.
“That is true,” Rogers said.
Congress will probably consider a bill later this year designed to encourage companies to share more information with the government about cyberattacks. The bill would establish the Department of Homeland Security as the agency to receive information about attacks from businesses and would protect those companies from liability if they came forward.
But “data theft, while extremely damaging, does not represent the worst-case scenario,” Rep. Jim Langevin (D-R.I.), co-chair of the House Congressional Cybersecurity Caucus, said in a statement. “Destructive effects that once required kinetic warfare are now possible through a few keystrokes, even on our own soil."
Times staff writers Colin Diersing and W.J. Hennigan in Washington contributed to this report.