Exclusive: The OPM breach details you haven't seen

An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

Shutterstock image: digital fingerprint, cyber crime.

An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers' calibrated extraction of data and the government's step-by-step response. It illuminates a sequence of events that lawmakers have struggled to pin down in public hearings with Obama administration officials.

The timeline makes clear that the heist of data on 22 million current and former federal employees was one sustained assault rather than two separate intrusions to steal background investigation data and personnel records.

The document, which bears the seals of OPM and the Department of Homeland Security, is dated July 14 and was prepared by federal investigators for the office of U.S. CIO Tony Scott, according to a source familiar with the investigation. The detailed timeline corroborates administration officials' public testimony but is unique in its comprehensiveness and specificity.

According to investigators, hackers likely gained access to OPM's local-area network on May 7, 2014, by stealing credentials and then planting malware and creating a backdoor for exfiltration. Actual exfiltration of data on background investigations did not begin until July 3, 2014, and it continued until August.

In October, the hackers pivoted to the Interior Department data center where OPM's personnel records resided. On Dec. 15, 2014, the intruders siphoned that data away. OPM has said the personnel records of 4.2 million people were comprised in that breach.

According to the timeline, OPM officials did not know they had a problem until April 15, 2015, when the agency discovered "anomalous SSL traffic with [a] decryption tool" implemented in December 2014. OPM then notified DHS' U.S. Computer Emergency Readiness Team, and a forensic investigation began.

The discovery of a threat to the background investigation data led to the finding two days later, on April 17, of a risk to the personnel records. US-CERT made the discovery by loading data on the April 15 incident to Einstein, the department's intrusion-detection system. On April 23, US-CERT spotted signs of the Dec. 15 exfiltration in "historical netflow data," and OPM decided that a major incident had occurred that required notifying Congress.

The timeline does not name the adversary responsible for the breach, but all official signs thus far have pointed to China as a leading suspect. The document is dated weeks after it was public knowledge that hackers had accessed OPM's networks via credentials stolen from contractor KeyPoint Government Solutions. The document does not identify how that happened, however, and instead states: "method of credential acquisition unknown."

When the intrusions were discovered, OPM responded on April 17 by deploying "a predictive malware prevention capability across its networks" to sever the adversary's network access, according to the timeline. By April 24, the hackers had been evicted from OPM systems, and the next day, the document states, the agency used an "advanced host-based security tool to discover, quarantine and eliminate [the] malware." OPM verified the malware was gone on April 30, according to the timeline.

A former DHS official who viewed the document said the seven days the timeline stipulates between the deployment of the anti-malware tool and the supposed eviction of the hackers seemed rather quick.

"It's easier to be definitive about the malware being eradicated than to say the hackers are completely out of the system altogether," the former official said. He added, however, that the document "is consistent with everything that we know to date about the sequence of events that occurred in association with the OPM breach."

A DHS spokesperson also told FCW that the timeline's narrative sounded consistent with previously released details about the breach but declined to comment on the document's provenance or intended audience. Scott did not respond to emails requesting comment on the timeline, and OMB spokespeople could not be reached by phone.

Questions linger

The duration of the infiltration points to an inherent problem with deploying defenses such as Einstein that rely on malware signatures.

"Going after malware is futile when you get 80,000 new variants a day," Mark Seward, a vice president at cyber analytics firm Exabeam, told FCW. Nation-state-backed hackers are capable of cloaking and varying attacks to render them undetectable by tools that rely on recognizing known threats, he added. According to the DHS timeline, adversaries were inside the OPM network for 10 months before their malware signatures were plugged into Einstein.

With the support of DHS Secretary Jeh Johnson, lawmakers have advocated increased deployment of Einstein as a way to shore up agencies' security after the OPM breach. A bill sponsored by Sen. Tom Carper (D-Del.) that would accelerate deployment of the system across government passed the Senate Homeland Security and Governmental Affairs Committee last month. The House passed a related provision in April.

The detailed timeline sheds light on a chain of events that is still murky to some lawmakers. Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, sent a letter this week to US-CERT Director Ann Barron-DiCamillo asking when OPM first contacted her office to report the breach. Chaffetz also requested additional reporting and analysis on the nature of the attack.

FCW staff writers Adam Mazmanian and Zach Noble contributed to this report.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.