FBI’s 26-Day Old OPM FLASH Notice

Shane Harris, who has been closely tracking the bureaucratic implications of the OPM hack, has an update describing a “FLASH” notice FBI just sent out to the private sector.

Or rather, FBI just re-sent the FLASH notice they sent on June 5, 26 days earlier, because they realized some recipients (including government contractors working on classified projects) did not have their filters set to accept such notices from the FBI.

The FBI is warning U.S. companies to be on the lookout for a malicious computer program that has been linked to the hack of the Office of Personnel Management. Security experts say the malware is known to be used by hackers in China, including those believed to be behind the OPM breach.

The FBI warning, which was sent to companies Wednesday, includes so-called hash values for the malware, called Sakula, that can be used to search a company’s systems to see if they’ve been affected.

The warning, known as an FBI Liaison Alert System, or FLASH, contains technical details of the malware and describes how it works. While the message doesn’t mention the OPM hack, the Sakula malware is used by Chinese hacker groups, according to security experts. And the FBI message is identical to one the bureau sent companies on June 5, a day after the Obama administration said the OPM had been hacked, exposing millions of government employees’ personal information. Among the recipients of both alerts are government contractors working on sensitive and classified projects.

[snip]

In an email obtained by The Daily Beast, the FBI said it was sending the alert again because of concerns that not all companies had received it the first time. Apparently, some of their email filters weren’t configured to let the FBI message through.

Consider the implications of this.

It is unsurprising that the initial FLASH got stuck in companies’ email filters. A FLASH carries indicators of compromise: file hashes, file names, network addresses and a description of how the malware behaves. The hashes themselves are inert hexadecimal digests of the malware files, not executable code, so a notice listing them is not itself malware; but a message dense with malware indicators, arriving from a sender the recipient has never explicitly allow-listed, looks to a mail or content filter much like the phishing it exists to block. (Of course, this story may now have alerted those trying to hack recipients of FBI’s FLASH notices that the FBI wasn’t previously whitelisted by recipients but probably has been now, but that’s a matter for another day.)
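As an added example, not taken from the original post or from the FBI notice, here is what a recipient actually does with the hash values such a FLASH provides: parse the hashes out of the notice text and sweep a directory tree for files whose digests match. The notice excerpt, the file names and the sample bytes in the block are constructed placeholders; none of them are the actual Sakula indicators the FBI distributed.

```python
"""Hash-indicator sweep: match files on disk against hashes from a notice.

Added example. The notice text, file names and sample bytes below are
constructed for the demo and are NOT the real Sakula indicators.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# FLASH-style notices publish hashes as MD5, SHA-1 or SHA-256; the
# hex digest length tells us which algorithm produced it.
DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def parse_indicators(text):
    """Pull hash values out of a notice body.

    Accepts one hash per line, tolerates "md5: <hex>" style prefixes,
    '#' comments and blank lines. Returns {algorithm: {hexdigest, ...}}.
    """
    found = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split(":")[-1].strip().lower()
        algo = DIGEST_BY_LENGTH.get(len(token))
        if algo and set(token) <= HEX:
            found[algo].add(token)
    return found


def file_digests(path, algorithms, chunk=1 << 20):
    """Compute the requested digests of one file in a single pass."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, indicators):
    """Walk `root`; return {path: [matching algorithms]} for every hit.

    Symlinks are skipped so a planted link cannot drag the sweep out of
    the tree; unreadable files are skipped rather than aborting the run.
    """
    wanted = {a: s for a, s in indicators.items() if s}
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digests = file_digests(p, wanted)
            except OSError:
                continue
            matched = sorted(a for a, hexd in digests.items() if hexd in wanted[a])
            if matched:
                hits[str(p)] = matched
    return hits


def demo(root=None):
    """Build a constructed tree and notice, then run the sweep over it."""
    root = root or tempfile.mkdtemp(prefix="flash_sweep_")
    # Constructed stand-in for a dropped binary; not real malware.
    sample = b"MZ\x90\x00constructed-sample-not-real-malware"
    (Path(root) / "tmp_update.exe").write_bytes(sample)
    (Path(root) / "notes.txt").write_bytes(b"benign file, should not match")
    # Constructed notice excerpt in the "algo: hex" form a FLASH might use.
    notice = (
        "# constructed FLASH excerpt (hypothetical)\n"
        f"md5: {hashlib.md5(sample).hexdigest()}\n"
        f"sha256: {hashlib.sha256(sample).hexdigest()}\n"
    )
    return sweep(root, parse_indicators(notice))


if __name__ == "__main__":
    for path, algos in demo().items():
        print(f"HIT {path} ({', '.join(algos)})")
```

Two caveats a recipient should keep in mind. A hash matches only the exact file: a recompiled or repacked variant of the same tool evades it, so the file names, registry keys and network indicators in the notice matter at least as much. And a clean sweep today says nothing about a sample that ran and was deleted weeks ago, which is why the notice needs to arrive when it is sent, not 26 days later.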

The delayed FLASH receipt says far more about the current state of data-sharing, just as the Senate prepares to debate the Cybersecurity Information Sharing Act, which (Senate boosters claim) companies need before they’ll be willing to share data with the government.

First, it suggests that FBI either did not send out a FLASH in response to what it learned from the Anthem hack, which presumably would have gone out by February at the latest (and which, had OPM acted on it, might have identified OPM’s own hack two months before it was identified), or that if it did, that alert also got stuck in the mail filters of companies, and of OPM.

But it also seems to suggest that the private sector, sensitive government contractors included, has not been receiving other FBI FLASHes (presuming the filter settings excluded any such notice carrying something that looked like malware indicators). Recipients either never noticed they weren’t getting them or never bothered to set their filters to receive them.

That may reflect a larger issue, though. As Jennifer Granick has repeatedly noted, key researchers and corporations have not, up to now anyway, seen much value in sharing with the government.

I’ve been told by many entities, corporate and academic, that they don’t share with the government because the government doesn’t share back. Silicon Valley engineers have wondered aloud what value DHS has to offer in their efforts to secure their employer’s services. It’s not like DHS is setting a great security example for anyone to follow. OPM’s Inspector General warned the government about security problems that, left unaddressed, led to the OPM breach.

Perhaps recipients didn’t have their filters set to accept notices from FBI because none of them have ever been useful?

Another factor behind reluctance to share with the government is an unwillingness to get personnel security clearances, though that should not be a factor here.

The implication appears to be, though, that the government was unable — because of recipient behavior and predispositions — to share information on the most important hack of recent years.

We’re about to have a debate about immunizing corporations further, as if that’s the problem. But this delayed FLASH strongly suggests it is not.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

6 replies
  1. Jim White says:

    Perhaps I’m an old curmudgeon, but given how slowly the FBI has been dragged kicking and screaming into the computer era, it seems like a very dangerous thing to whitelist email coming from the FBI.

    Just sayin’…

    • bloopie2 says:

      As for me, I have been taught, “Never speak to the FBI when they come calling”. Perhaps the reluctance to deal with the Flashes stems, not only from a sense that the Feds won’t help you, but even more from a sense that they are there to hurt you.

  2. What Constitution? says:

    So did the notice read “if you’re reading this it’s probably too late”?

  3. scribe says:

    Perhaps recipients didn’t have their filters set to accept notices from FBI because none of them have ever been useful?

    If they’re anything like the town I used to live in, generating useless messages probably goes on daily. I moved out of that town ~6 yr ago and they still send me reverse 911 texts when the weather’s going to shit or something. I suspect that, being bigger, FBI is probably worse.

  4. orionATL says:

    the security “solution” is to reinstitute an electronic version of “files” – a paper or plastic folder holding pieces of paper inside which is a discrete, labeled information entity, e.g., the personnel file of cia employee robert johnson now cultural attache to the american embassy in the maldives. these electronic files would not be routinely available as part of a computer system’s data collections. it could only be accessed through security activities focused on that file by individuals who knew it (likely) existed.

    encryption wouldn’t hurt either :))

    ah for the coming days of quantum encryption when the nsa/fbi will have to lobby and bogeyman the congress to outlaw areas of science and technology, or acknowledge its effort to collect all and know all has finally failed finally, and general keith alexander’s haystack is on its way to becoming compost.

  5. bevin says:

    “Security experts say the malware is known to be used by hackers in China, including those believed to be behind the OPM breach…”

    The more often a Big Lie is repeated, the more people accept that it is true. The lack of real evidence is forgotten and the psychological softening of the populace’s aversion to suicidal warfare is advanced.

    “Security experts” will say anything if they are paid enough to do so or if the consequences of not doing so are sufficiently dire.
