Exclusive: The OPM breach details you haven't seen

An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers' calibrated extraction of data and the government's step-by-step response. It illuminates a sequence of events that lawmakers have struggled to pin down in public hearings with Obama administration officials.

The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records.

The document, which bears the seals of OPM and the Department of Homeland Security, is dated July 14 and was prepared by federal investigators for the office of U.S. CIO Tony Scott, according to a source familiar with the investigation. The detailed timeline corroborates administration officials' public testimony but is unique in its comprehensiveness and specificity.

According to investigators, hackers likely gained access to OPM's local-area network on May 7, 2014, by stealing credentials and then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August.

In October, the hackers pivoted to the Interior Department data center where OPM's personnel records resided. On Dec. 15, 2014, the intruders siphoned that data away. OPM has said the personnel records of 4.2 million people were comprised in that breach.

According to the timeline, OPM officials did not know they had a problem until April 15, 2015, when the agency discovered "anomalous SSL traffic with [a] decryption tool" implemented in December 2014. OPM then notified DHS' U.S. Computer Emergency Readiness Team, and a forensic investigation began.

The discovery of a threat to the background investigation data led to the finding two days later, on April 17, of a risk to the personnel records. US-CERT made the discovery by loading data on the April 15 incident to Einstein, the department's intrusion-detection system. On April 23, US-CERT spotted signs of the Dec. 15 exfiltration in "historical netflow data," and OPM decided that a major incident had occurred that required notifying Congress.

The timeline does not name the adversary responsible for the breach, but all official signs thus far have pointed to China as a leading suspect. The document is dated weeks after it was public knowledge that hackers had accessed OPM's networks via credentials stolen from contractor KeyPoint Government Solutions. The document does not identify how that happened, however, and instead states: "method of credential acquisition unknown."

When the intrusions were discovered, OPM responded on April 17 by deploying "a predictive malware prevention capability across its networks" to sever the adversary's network access, according to the timeline. By April 24, the hackers had been evicted from OPM systems, and the next day, the document states, the agency used an "advanced host-based security tool to discover, quarantine and eliminate [the] malware." OPM verified the malware was gone on April 30, according to the timeline.

A former DHS official who viewed the document said the seven days the timeline stipulates between the deployment of the anti-malware tool and the supposed eviction of the hackers seemed rather quick.

"It's easier to be definitive about the malware being eradicated than to say the hackers are completely out of the system altogether," the former official said. He added, however, that the document "is consistent with everything that we know to date about the sequence of events that occurred in association with the OPM breach."

A DHS spokesperson also told FCW that the timeline's narrative sounded consistent with previously released details about the breach but declined to comment on the document's provenance or intended audience. Scott did not respond to emails requesting comment on the timeline, and OMB spokespeople could not be reached by phone.

Questions linger

The duration of the infiltration points to an inherent problem with deploying defenses such as Einstein that rely on malware signatures.

"Going after malware is futile when you get 80,000 new variants a day," Mark Seward, a vice president at cyber analytics firm Exabeam, told FCW. Nation-state-backed hackers are capable of cloaking and varying attacks to render them undetectable by tools that rely on recognizing known threats, he added. According to the DHS timeline, adversaries were inside the OPM network for 10 months before their malware signatures were plugged into Einstein.

With the support of DHS Secretary Jeh Johnson, lawmakers have advocated increased deployment of Einstein as a way to shore up agencies' security after the OPM breach. A bill sponsored by Sen. Tom Carper (D-Del.) that would accelerate deployment of the system across government passed the Senate Homeland Security and Governmental Affairs Committee last month. The House passed a related provision in April.

The detailed timeline sheds light on a chain of events that is still murky to some lawmakers. Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, sent a letter this week to US-CERT Director Ann Barron-DiCamillo asking when OPM first contacted her office to report the breach. Chaffetz also requested additional reporting and analysis on the nature of the attack.

FCW staff writers Adam Mazmanian and Zach Noble contributed to this report.