Security Firm: China Is Behind the OPM Hack

Hackers “affiliated with the Chinese government” conducted the massive theft of personal information on tens of millions of current and former U.S. government employees, an executive with a leading cyber security company told The Daily Beast.

The assessment, which the executive said is based on technical information provided by the U.S. government, comes as the Obama administration released new information about the scale of what may be the biggest act of cyber espionage in U.S. history. The government has so far refused to publicly identify a culprit, however.

“Based on indicators we received from the U.S. government and our own analysis, I can confirm that the intruders were affiliated with the Chinese government,” said Dmitri Alperovitch, the co-founder of cybersecurity firm CrowdStrike.

Analysts at the company used information about the malware employed in the hack of the Office of Personnel Management. The company also examined other indicators, including Internet domain names and addresses, to determine that the hackers were affiliated with the Chinese government. Alperovitch did not identify the Chinese government directly as being behind the hack.

CrowdStrike, whose top executives include former FBI cybersecurity officials, also tracked the hackers in North Korea who were behind a hack on Sony Pictures Entertainment last year.

In a conference call with reporters on Thursday, Obama administration officials said that 22.1 million people had been affected by the breach, the largest figure reported to date. Of those, 21.5 million people were affected in a theft of background investigation information, which can reveal intimate details of a person’s sex life, history of drug and alcohol use, and financial status.

Although the Director of National Intelligence has pointed to China as the “leading suspect” in the OPM hack, officials on the call wouldn’t attribute the hack to any country or group. Spokespersons for the FBI, the National Security Council, and OPM told The Daily Beast that officials aren’t prepared to identify the responsible parties. “Our investigation remains ongoing,” said FBI spokesman Joshua Campbell.

But privately, the FBI has strongly implied that the hack was the work of China. In an alert to some companies authorized to received government security bulletins, the bureau warned them to be on the lookout for a malicious computer program that has been linked to the hack. Security experts say the malware is known to be used by hackers in China, including those believed to be behind the OPM breach.

The question of whether and when to identify the hackers is a politically risky one for President Obama. If the White House were to finger China as behind the OPM hack and then not impose significant penalties, it would raise questions about the administration’s resolve to punish malicious hackers.

That’s a predicament of the White House’s own making. After the hack on Sony last year, President Obama held a press conference to blame the attacks on North Korea. Later, FBI Director James Comey publicly revealed technical information tying the hacks to North Korea, staking his personal reputation on the certainty of that intelligence.

The U.S. imposed sanctions on North Korean individuals and companies and conducted a series of cyberattacks on the country’s computer networks. Then the administration announced a new sanctions regime that it vowed to use against foreign hackers who steal U.S. information.

To date, U.S. officials have refused to say whether they would use those sanctions to punish whomever is found to be responsible for the OPM hack. If the administration doesn’t respond to the breach, it will immediately raise questions about why the government felt it was necessary to punish North Korea for an attack on a movie studio that revealed embarrassing information about Hollywood celebrities, but not for an attack by China that has jeopardized national security and put personal details of tens of millions of people at risk.

A Homeland Security Department official said Thursday that the hackers had breached two computer systems, one at OPM, and the other at the Interior Department, which runs an administrative center that the OPM uses. Both intrusions were discovered in April 2015, said Andy Ozment, the assistant secretary for cybersecurity and communications at the department. In OPM’s case, the intruders had been on the agency’s networks since May 2014. They were inside Interior’s networks since June 2014.

Officials credited a cybersecurity tool called Einstein with discovering the intrusions—albeit months too late. But the state of security at OPM has been abysmal for years, a senior agency official told Congress on Wednesday.

“There was often confusion and disagreement” about how to protect the agency’s sensitive data, OPM Assistant Inspector General Michael R. Esser told a House subcommittee in prepared testimony. What’s more, an office that technically had the security job was staffed by people who “frequently had no [information technology] security background and were performing this function in addition to another full-time role.”

OPM’s auditors weren’t the only ones who realized the agency’s systems were open to hackers. Five years ago, U.S. intelligence officials refused to merge a database containing classified personnel records of intelligence-agency employees with the OPM’s now-hacked systems, fearing that the latter’s security was too weak and that if two systems were linked, it could expose the personal information of covert operatives to leakers and hackers.

OPM Director Katherine Archuleta told reporters that she is “committed” to guiding the agency through the hacking crisis and said she would not resign, despite calls to do so from members of Congress.