Exclusive: The OPM breach details you haven't seen

An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.


The timeline illuminates a sequence of events that lawmakers have struggled to pin down in public hearings with Obama administration officials.

The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records.

The document, which bears the seals of OPM and the Department of Homeland Security, is dated July 14 and was prepared by federal investigators for the office of U.S. CIO Tony Scott, according to a source familiar with the investigation. The detailed timeline corroborates administration officials' public testimony but is unique in its comprehensiveness and specificity.

According to investigators, hackers likely gained access to OPM's local-area network on May 7, 2014, by stealing credentials and then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August.

In October, the hackers pivoted to the Interior Department data center where OPM's personnel records resided. On Dec. 15, 2014, the intruders siphoned that data away. OPM has said the personnel records of 4.2 million people were compromised in that breach.

According to the timeline, OPM officials did not know they had a problem until April 15, 2015, when the agency discovered "anomalous SSL traffic with [a] decryption tool" implemented in December 2014. OPM then notified DHS' U.S. Computer Emergency Readiness Team, and a forensic investigation began.

The discovery of a threat to the background investigation data led to the finding two days later, on April 17, of a risk to the personnel records. US-CERT made the discovery by loading data on the April 15 incident to Einstein, the department's intrusion-detection system. On April 23, US-CERT spotted signs of the Dec. 15 exfiltration in "historical netflow data," and OPM decided that a major incident had occurred that required notifying Congress.

The timeline does not name the adversary responsible for the breach, but all official signs thus far have pointed to China as a leading suspect. The document is dated weeks after it was public knowledge that hackers had accessed OPM's networks via credentials stolen from contractor KeyPoint Government Solutions. The document does not identify how that happened, however, and instead states: "method of credential acquisition unknown."

When the intrusions were discovered, OPM responded on April 17 by deploying "a predictive malware prevention capability across its networks" to sever the adversary's network access, according to the timeline. By April 24, the hackers had been evicted from OPM systems, and the next day, the document states, the agency used an "advanced host-based security tool to discover, quarantine and eliminate [the] malware." OPM verified the malware was gone on April 30, according to the timeline.

A former DHS official who viewed the document said the seven days the timeline stipulates between the deployment of the anti-malware tool and the supposed eviction of the hackers seemed rather quick.

"It's easier to be definitive about the malware being eradicated than to say the hackers are completely out of the system altogether," the former official said. He added, however, that the document "is consistent with everything that we know to date about the sequence of events that occurred in association with the OPM breach."

A DHS spokesperson also told FCW that the timeline's narrative sounded consistent with previously released details about the breach but declined to comment on the document's provenance or intended audience. Scott did not respond to emails requesting comment on the timeline, and OMB spokespeople could not be reached by phone.

Questions linger

The duration of the infiltration points to an inherent problem with deploying defenses such as Einstein that rely on malware signatures.

"Going after malware is futile when you get 80,000 new variants a day," Mark Seward, a vice president at cyber analytics firm Exabeam, told FCW. Nation-state-backed hackers are capable of cloaking and varying attacks to render them undetectable by tools that rely on recognizing known threats, he added. According to the DHS timeline, adversaries were inside the OPM network for 10 months before their malware signatures were plugged into Einstein.
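The two detection points the article raises, a signature-based tool missing trivially altered malware and an exfiltration that only surfaced later in historical netflow data, can be shown side by side in a few lines. The following Python is an added example written for this page; it is not code from the article, from OPM or DHS, or from the Einstein system, and its signature database, flow records, IP addresses (RFC 5737 documentation ranges) and dates are all constructed for the illustration.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Part 1: a byte-exact signature database (constructed; two sample payloads).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"DROPPER-V1:beacon=203.0.113.10").hexdigest(),
    hashlib.sha256(b"DROPPER-V2:beacon=203.0.113.10").hexdigest(),
}


def signature_match(payload: bytes) -> bool:
    """True only when the exact payload bytes were already catalogued.
    A variant that differs by a single byte hashes to an unknown value."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_SHA256


# Part 2: constructed netflow records (day, src_ip, dst_ip, dst_port, bytes_out).
# Two weeks of routine HTTPS traffic from one internal host, then on the 15th a
# single large transfer to a peer never seen in the baseline window, and on the
# 16th a spike to an already-known peer. None of this is OPM data.
FLOWS = []
for d in range(1, 15):
    FLOWS.append((date(2014, 12, d), "10.20.30.40", "203.0.113.10", 443, 48_000 + 500 * d))
    FLOWS.append((date(2014, 12, d), "10.20.30.40", "192.0.2.25", 443, 12_000))
FLOWS.append((date(2014, 12, 15), "10.20.30.40", "203.0.113.10", 443, 51_000))
FLOWS.append((date(2014, 12, 15), "10.20.30.40", "198.51.100.7", 443, 4_300_000_000))
FLOWS.append((date(2014, 12, 16), "10.20.30.40", "192.0.2.25", 443, 2_000_000))

# Last day treated as "normal" when building the baseline (constructed).
BASELINE_END = date(2014, 12, 14)


def daily_totals(flows):
    """Sum outbound bytes per (day, src, dst, port)."""
    totals = defaultdict(int)
    for day, src, dst, port, nbytes in flows:
        totals[(day, src, dst, port)] += nbytes
    return totals


def flag_exfil_candidates(flows, baseline_end, ratio=10.0):
    """Return findings for days after `baseline_end`: a (src, dst, port) peer
    never seen during the baseline, or a daily total more than `ratio` times
    that peer's baseline peak. Each finding is (day, src, dst, port, bytes, reason)."""
    totals = daily_totals(flows)
    baseline_peak = defaultdict(int)
    for (day, src, dst, port), nbytes in totals.items():
        if day <= baseline_end:
            key = (src, dst, port)
            baseline_peak[key] = max(baseline_peak[key], nbytes)
    findings = []
    for (day, src, dst, port), nbytes in sorted(totals.items()):
        if day <= baseline_end:
            continue
        key = (src, dst, port)
        if key not in baseline_peak:
            findings.append((day, src, dst, port, nbytes, "new destination"))
        elif nbytes > ratio * baseline_peak[key]:
            findings.append((day, src, dst, port, nbytes, "volume spike"))
    return findings


if __name__ == "__main__":
    print(signature_match(b"DROPPER-V1:beacon=203.0.113.10"))  # catalogued sample
    print(signature_match(b"DROPPER-V1:beacon=203.0.113.11"))  # one-byte variant
    for finding in flag_exfil_candidates(FLOWS, BASELINE_END):
        print(finding)
```

The hash lookup in the first part is the brittleness Seward describes: the catalogued sample matches, the one-byte variant does not. The second part needs no knowledge of the malware at all; it only asks whether a host sent far more than usual, or to a peer it had never spoken to, which is the kind of signal that retained flow records can still yield months after the fact. The peak-times-ratio rule is deliberately simple and would be noisy in production without an allowlist of known bulk-transfer peers and a per-host distribution rather than a single peak.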

With the support of DHS Secretary Jeh Johnson, lawmakers have advocated increased deployment of Einstein as a way to shore up agencies' security after the OPM breach. A bill sponsored by Sen. Tom Carper (D-Del.) that would accelerate deployment of the system across government passed the Senate Homeland Security and Governmental Affairs Committee last month. The House passed a related provision in April.

The detailed timeline sheds light on a chain of events that is still murky to some lawmakers. Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, sent a letter this week to US-CERT Director Ann Barron-DiCamillo asking when OPM first contacted her office to report the breach. Chaffetz also requested additional reporting and analysis on the nature of the attack.

FCW staff writers Adam Mazmanian and Zach Noble contributed to this report.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Connect with him on Twitter: @snlyngaas.

Reader comments

Mon, Feb 22, 2016 Cher NY-AZ

I also underwent a background check for a position I never took in 2002. Since Nov '15 I have been terrorized by computer hackers that continue to infiltrate my home network. These pests have gained access to every electronic device I own, including those of anyone who has ever connected to my Wi-Fi. I'm going crazy and running in circles trying to control this situation. The worst part is NO ONE wants to help. I have reached out to my internet service provider and other agencies only to get the runaround. However, after a few phone calls I was able to gather ALL MY SENSITIVE INFORMATION from multiple representatives at the OPM!!! I'm beside myself that this was allowed to happen!!! NO ACCOUNTABILITY

Thu, Dec 31, 2015 hobag

Hell, I got a letter as well stating my fingerprints were stolen as well. I have never worked for the federal government ever in my life and I've never received a paycheck from the government. I also have a clean record.......guess Obama's immigrants are going to have fun with my credit I don't know how to use, huh?

Mon, Dec 28, 2015

How much do you think a hacker can sell an S.S.N. for on the street? My account was emptied!!

Mon, Dec 28, 2015

What about my personal bank account that was emptied out in October 2015? Yes, my institution restored my finances, but perhaps my S.S.N. has been sold. I live in Suffolk and the removal of my finances happened in Queens and Brooklyn.

Sun, Dec 13, 2015

Got my letter. I have worked at a federal level several times since 2000. Knowing how much sensitive information I knew from my work, I really hope they are fully revamping their security systems so no one can use the information obtained to gain further access. Yes, I am concerned as my entire family will need coverage for identity theft based on my letter, but I am also concerned about the variety of ways this information can be used, including gaining access to current systems through information obtained.
