China Denies Stealing Data on U.S. Government Workers

At The New York Times, David E. Sanger and Julie Hirschfeld Davis report the discovery of a major cyberattack on the U.S. Government’s Office of Personnel Management, in which information on as many as four million past and present government workers may have been compromised. As in the recently revealed hacking of the second-largest U.S. health insurer, Anthem, and a string of other incidents since an influential Mandiant report in 2013, China was quickly labeled the chief suspect.

There seemed to be little doubt among federal officials that the attack was launched from China, but it was unclear whether it might have been state sponsored. The administration did not publicly identify Chinese hackers as the culprits because it is difficult to definitively attribute the source of an attack and to back up such an attribution without divulging classified data.

[… L]ast summer, the personnel office announced an intrusion in which hackers appeared to have targeted the files of tens of thousands of workers who had applied for top-secret security clearances.

In that case, the objective seemed clear: The information on security clearances could help identify covert agents, scientists and others with data of great interest to foreign governments. That breach also appeared to have involved Chinese hackers.

But because the breadth of the new attack was so much greater, the objective seemed less clear. [Source]

In a pair of articles at The Washington Post, Ellen Nakashima explored what data was taken, for what purpose, and by whom:

The intruders in the OPM case gained access to information that included employees’ Social Security numbers, job assignments, performance ratings and training information, agency officials said. OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.

[…] In the current incident, the hackers targeted an OPM data center housed at the Interior Department. The database did not contain information on background investigations or employees applying for security clearances, officials said. [Reuters, though, reports that the data “included security clearance information and background checks dating back three decades,” also citing U.S. officials.]

By contrast, in March 2014, OPM officials discovered that hackers had breached an OPM system that manages sensitive data on federal employees applying for clearances. That often includes financial data, information about family and other sensitive details. That breach, too, was attributed to China, other officials said. OPM officials declined to comment on whether the data affected in this incident was encrypted or had sensitive details masked. They said it appeared that the intruders are no longer in the system. [Source]

“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia firm. “We suspect they’re using it to understand more about who to target, whether electronically or via human recruitment [for ].”

[…] Once harvested, the data can be useful to glean details about key government personnel and potential spy recruits, or information useful for counterintelligence. Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived, and all of his or her foreign contacts in, say, China. “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.

[…] Though much Chinese hacking is attributed to the People’s Liberation Army, these hacks, Barger said, appear to be linked to the Ministry of State Security, which is a spy agency responsible for foreign espionage and domestic counterintelligence.

Other Chinese units, including the military, may also be involved in the campaign, analysts say. [Source]

White House press secretary Josh Earnest raised the possibility of sanctions against whoever was responsible for the breach, but would not directly confirm that China is a suspect, The Guardian’s Dan Roberts reported:

“In April, the president, using his executive authority, signed an executive order giving the Treasury Department additional authority to use economic sanctions to punish or hold accountable those who are either responsible for a cyber intrusion or are benefiting from one,” he said.

[…] “I can’t get into any conclusions that have been reached about who or what country may be responsible for this particular incident,” said Earnest.

“But when it comes to China, you all know that the president has frequently, including in every single meeting that he’s conducted with the current Chinese president, raised China’s activities in cyberspace as a significant source of concern.”

[…] “Any time that these kinds of investigations are being conducted is that there is risk associated with making public what exactly our investigators have learned,” said Earnest. “And the reason for that is that we’re dealing with a persistent adversary, and in some cases, the less they know about what we know about what they did, the better. And so we’re certainly mindful of that as we talk about this in public.” [Source]

Robert Knake of the Council on Foreign Relations commented that “while I’m not usually in the position of defending the Chinese, I’m skeptical that China is behind this incident”:

The information has little intelligence value. Why the Chinese government would care about the social security numbers of every clerk in the Commerce Department is beyond me. The theory that it can be used in spear phishing campaigns doesn’t make much sense. LinkedIn and Facebook have much more detailed information. So does the Plum Book and publicly available databases on federal employee salaries. Many close watchers of Chinese cyber activities have observed that Chinese actors have been less brazen since the Mandiant report and the PLA indictments. The fallout from getting caught isn’t worth the intelligence gain.

[…] The information is more valuable to criminals. It doesn’t make sense that the Chinese government would value the stolen information to this degree. Criminals are the more likely culprits. This is the same kind of information that was stolen in the Anthem and Carefirst breaches—it’s information that you need to file fraudulent insurance claims or commit tax fraud. Senator Collins is the only official who may have had access to actual intelligence that has gone on the record. She has said the hackers are believed to be “based” in China, a far cry from direct attribution to the Chinese government. [Source]

An editorial from Chinese state news agency Xinhua described the reports and off-the-record accusations as part of a concerted American campaign against China:

People can also smell a rat from some recent moves taken by the U.S. government, including the charges filed against some Chinese professors for so-called theft of trade secrets [background] and against a dozen Chinese students in the U.S. for fraud and cheating on tests [background]. All the timings are subtly synchronized with the development of Washington’s rift with China over the South China Sea.

[…] For too long, the two countries have easily fallen into the trap of political bias, ideological paranoia and lingering misunderstanding despite the flourishing bilateral trade and people-to-people exchanges. This is evident in the recurrent fluctuation in the Sino-U.S. bilateral ties in the past four decades.

[…] Basically, Washington needs to stop its witch-hunt of China, tune down its criticism of China, and learn to accommodate China in an unbiased way. Otherwise, the rivalry between the two powers is destined to worsen and have a destabilizing effect on world peace and security. [Source]

Spokesman Hong Lei issued the Chinese Foreign Ministry’s customary denial at a press conference on Friday:

[… R]ecently we have seen quite a lot of media reports or remarks of this kind. But are these reports or remarks scientific? Cyber attacks are usually conducted anonymously and across borders, making it hard to trace back. It is not responsible nor scientific to always use terms such as “likely” or “suspected” instead of conducting thorough investigations. It is the consistent position of China to firmly combat all forms of cyber attacks. China itself is a victim of cyber attacks. We are ready to carry out international cooperation on this issue and build a cyber space that is peaceful, secure, open and cooperative. We hope that the US side would discard suspicions, refrain from making groundless accusations, and show more trust and conduct more cooperation in this area. [Source]

Earlier this week, the Council on Foreign Relations’ Adam Segal noted the publication of a new report backing up China’s official complaints about incoming cyberattacks:

Last week, SkyEye, Qihoo 360’s threat intelligence service, released a report entitled OceanLotus. The report describes the working of an APT (Advanced Persistent Threat) group engaged for at least three years in cyber espionage against Chinese targets, including ocean affairs agencies, the departments in charge of China’s territorial waters, research institutes, and aviation, aeronautics, and shipping companies. Over 90 percent of the infections were in China, most in Beijing and Tianjin. According to SkyEye, the sophistication of OceanLotus suggests that it is a nation-state-backed group, though it does not name the country. The report does identify the locations of the IP addresses and command and control servers used in the attacks: Bahamas, , Ukraine, Nigeria, Israel and others.

Qihoo clearly is co-opting the language and techniques of the APT reports done by Mandiant, CrowdStrike, and other U.S. cybersecurity companies. The structure of Qihoo’s report is very familiar to anyone who has read an English-language report, though it seems like they missed an opportunity to come up with a name in the vein of Putter Panda or Volatile Cedar that implies the nation-state behind the attacks (Elegant Eagle?). The attempt to match the reports of the U.S. companies may be based on marketing and business needs, but it is also in the minds of some Chinese analysts a necessary step in the cybersecurity competition with the United States.

[…] It is easy to write this report off as propaganda, but that would be a mistake. […] [Source]

South China Morning Post, meanwhile, reported the hacking of state-owned Chinanews.cn in an apparent extortion attempt on Wednesday. The revelation of the OPM breach coincides with news on the NSA’s efforts to combat foreign hackers, published by The New York Times and ProPublica based on documents leaked by Edward Snowden. Also at The New York Times, Snowden himself reflected on Friday on developments since his public emergence in Hong Kong two years ago.