Update on the massive data breach at the Office of Personnel Management (OPM). On Saturday, the New York times reported that U.S. intelligence officials have followed the movements of several Chinese hacker for the past five years:
"But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data... Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems..."
This sheds a tiny bit of light on how the hackers may have gained access. It also seems to strongly suggest that the hackers obtains sign-in credentials of users' with the strongest privileges to access and manipulate information. What the hackers seem to be seeking:
"Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage. The hackers’ ultimate target: the one million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance."
The types of federal employees that have security clearances typically include covert operatives and investigators, plus:
"... an audit issued early last year, before the Chinese attacks, harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission — and the Department of Homeland Security, which has responsibility for securing the nation’s critical networks... Computers at the I.R.S. allowed employees to use weak passwords like “password.” One report detailed 7,329 “potential vulnerabilities” because software patches had not been installed..."
It seems as though heads need to roll in several agencies with both senior management levels and specific departments (e.g., information technology, data security).