Officials: Chinese had access to U.S. security clearance data for one year

OPM Director

“Yikes!”

(Washington Post) The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information.

The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel.

“The longer you have to exfiltrate the data, the more you can take,” he said. “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”

The compromise of the system was discovered early this month and dates back to June or early July 2014, agency officials said. The network holds a wealth of personal, family and financial details on millions of current, former and prospective federal employees and contractors.

“This is some of the most sensitive non-classified information I could imagine the Chinese getting access to,” said Baker, who also is a former senior policy official in the Department of Homeland Security. . . .

. . . . Jeffrey Wagner, OPM director of information technology security operations, said a breach of that same security clearance system last year, which drew front-page headlines, did not result in any theft of data. “We were actually able to stop” the hackers before they took any information, he said in an interview Thursday.

But the agency was not able to prevent a different group of Chinese government hackers from successfully penetrating the same network a few months later, said officials with knowledge of the probe. Investigators determined they were a separate group because the tactics and techniques were different, the officials said.

Senior U.S. officials have said that the Chinese have begun in the last 12 to 18 months to build vast databases of Americans’ personal information for counterintelligence purposes. They have gone after such data contained not only in federal networks, but in systems belonging to health-insurance giants such as Anthem. . . . (read more)

U.S. employee data breach tied to Chinese intelligence – sources (Reuters)

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counterintelligence and internal stability, said two people close to the U.S. investigation. . . .

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc disclosed this year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches. . . . (read more)
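The Reuters excerpt above describes two look-alike domain tricks: a digit-for-letter homoglyph (We11point.com for Wellpoint.com) and a brand name embedded in an unrelated registration (OPM-Learning.org). The following is an added example, not code from either article or from any of the organizations named, showing how a defender can flag both patterns in DNS or proxy logs. The homoglyph table, the protected-brand list, the log lines and the hostnames `ws-0142` etc. are all constructed for the example; the registrable-domain helper assumes single-label public suffixes (`.com`, `.gov`), which is a simplification.

```python
import re

# Constructed fold table: characters commonly substituted for a look-alike.
# The page's own example is "1" standing in for "l" in We11point.com.
# Folding is deliberately lossy (it also maps real words to the same bucket),
# so a collision is a signal to review, not a verdict.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "rn": "m", "vv": "w", "cl": "d",
}

# Constructed list of brand domains the organisation wants to protect.
PROTECTED = ("opm.gov", "wellpoint.com", "anthem.com")


def normalize(label: str) -> str:
    """Fold a hostname label so homoglyph variants collide with the brand."""
    s = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Return the registrable domain (last two labels).

    Assumption: no multi-part public suffixes such as .co.uk; a real
    deployment would consult the Public Suffix List instead.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(host: str, protected=PROTECTED):
    """Classify a queried host against the protected brand domains.

    Returns (verdict, brand) where verdict is one of:
      "legit"          - host is under a protected domain itself
      "homoglyph"      - registrable name folds to the same string as a brand
      "brand-in-name"  - brand appears as a hyphen-delimited token (opm-learning)
      "unknown"        - no relation to any protected brand
    """
    reg = registrable(host)
    if reg in protected:
        return ("legit", reg)
    reg_name = reg.split(".")[0]
    for brand in protected:
        brand_name = brand.split(".")[0]
        if normalize(reg_name) == normalize(brand_name):
            return ("homoglyph", brand)
        if re.search(rf"(^|-){re.escape(brand_name)}(-|$)", reg_name):
            return ("brand-in-name", brand)
    return ("unknown", None)


# Constructed DNS query log: timestamp, client, "query", queried name.
SAMPLE_DNS_LOG = """\
2020-01-01T09:14:01Z ws-0142 query login.opm.gov
2020-01-01T09:14:09Z ws-0142 query opm-learning.org
2020-01-01T09:20:44Z ws-0311 query we11point.com
2020-01-01T09:21:00Z ws-0311 query wellpoint.com
2020-01-01T09:25:13Z ws-0077 query example.net
"""


def scan_log(text: str, protected=PROTECTED):
    """Return (host, verdict, brand) for every queried name that resembles
    a protected brand without being under it."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _client, _kw, qname = line.split()
        verdict, brand = classify(qname, protected)
        if verdict != "legit" and brand is not None:
            hits.append((qname, verdict, brand))
    return hits


if __name__ == "__main__":
    for host, verdict, brand in scan_log(SAMPLE_DNS_LOG):
        print(f"{host:20} {verdict:14} looks like {brand}")
```

Running the block over the constructed log reports `opm-learning.org` as a brand-in-name match for `opm.gov` and `we11point.com` as a homoglyph of `wellpoint.com`, while `login.opm.gov`, `wellpoint.com` and `example.net` pass. In practice the same check is useful at two points: on new-domain registration feeds (to spot a look-alike before it is used in phishing) and on outbound DNS or proxy logs (to spot users who have already been lured to one).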
