Crossroads Blog | Institute National Security and Counterterrorism

China, Cyber Attacks, Data Breaches

OPM Data Breach Possibly part of Larger Advanced Persistent Threat (APT)

Forbes reports that it now appears that the Office of Personnel Management (OPM) data breach may have been part of a larger cyber strategy. Whereas the original OPM data breach resulted in the compromise of over 21M comprehensive personnel files containing extensive personally identifiable information (PII) stored within 120+ page SF-86 forms, the Forbes article suggests that this may have been only one part of a larger operation. In the article, Trend Micro's Vice President of Cybersecurity, Thomas Kellerman, states that he believes the data stolen in the OPM data breach is being used to target U.S. military contractors. Furthermore, Kellerman references a report disseminated by Trend Micro which purportedly traces those currently exploiting the data exfiltrated during the OPM breach to a group Trend Micro refers to as "Iron Tiger," which Trend Micro describes as a group of Chinese cyber spies. Also of note is that Trend Micro pulled the report shortly after posting it; the Forbes article links to a cached version of the initial report, which is no longer available on Trend Micro's site.

Interestingly enough, the assertions by Trend Micro come just one week after the Director of National Intelligence (DNI), James Clapper, testified to the House Intelligence Committee that there was no indication that data obtained from the OPM data breach was being used for "nefarious" purposes, according to the Forbes article. The Forbes article stated that the lead author of the Trend Micro report, Dr. Ziv Chang, Senior Director of Cyber Safety Solutions, Core Technology at Trend Micro, asserted that the following types of data were being targeted and exfiltrated:

"(1) base operations support;
(2) engineering, procurement and construction;
(3) information technology and systems engineering;
(4) intelligence analytics and training;
(5) language and cultural analysis;
(6) operations and maintenance; and
(7) security assessment and training."

The article states that Kellerman believes the attacks are ongoing but have been somewhat subdued in the time leading up to Chinese President Xi Jinping's visit to the United States. Additionally, The Atlantic recently reported that not only was personally identifiable information (PII) accessed during the OPM breach, but fingerprint (biometric) data was also exfiltrated, with an estimated 5.6M fingerprints compromised. According to The Hill, the Office of Personnel Management, in an effort to quell the fears of those whose biometric data may have been breached, has assured breach victims that, based on current technology, there is very little misuse that may occur with respect to the fingerprints, while further stating that this may not be the case as technology evolves [which your author finds to be not exactly reassuring rhetoric].

My opinion:
The planning and strategic development of a long-term attack in which data is exfiltrated and then used in subsequent attacks seems more likely to be the work of a nation-state than of a standard criminal hacking organization. This type of cyber campaign is often referred to as an Advanced Persistent Threat (APT) and is most often associated with nation-states. APTs require a level of sophistication and planning that is generally outside the reach of a private or autonomous actor or organization. The inference that this is part of a larger APT is further bolstered by the Forbes article, which linked the data from the OPM hack to the subsequent targeting of military contractors. Given the number of data records gleaned from the OPM breach, if mere identity theft were the primary motivator it seems unlikely that hackers would expend the time and resources needed to procure the SF-86 personnel files along with fingerprint data, as the data exfiltrated was far more than necessary to simply perpetrate financial or identity fraud. The additional resources required to exfiltrate, store, and leverage such a voluminous amount of data are inefficient unless the breach was part of a longer-term strategic cyber operation.
