After Targeting OPM, Hackers Moved onto United?

Bloomberg reports that the same people who hacked OPM then went on to target United, which does a lot of business with the government (and, though the story doesn’t say it, a lot of flights to China).

United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists — including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.

[snip]

The timing of the United breach also raises questions about whether it’s linked to computer faults that stranded thousands of the airline’s passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others asked not to be identified when discussing the investigation, say the carrier has found no connection between the hack and a July 8 systems failure that halted flights for two hours. They didn’t rule out a possible, tangential connection to an outage on June 2.

But what I find most interesting is that OPM developed a list of potential victims, including United, and alerted them of the signatures related to the hack.

The China-backed hackers that cybersecurity experts have linked to that attack have embedded the name of targets in web domains, phishing e-mails and other attack infrastructure, according to one of the people familiar with the investigation.

In May, the OPM investigators began drawing up a list of possible victims in the private sector and provided the companies with digital signatures that would indicate their systems had been breached. United Airlines was on that list.

That’s interesting for two reasons. First, OPM alerted United before it alerted even the less exposed OPM victims, those whose personnel data got stolen; OPM has yet to formally alert those whose security clearance data got taken. I get that you might want to alert additional targets before confirming publicly you know about the hack (potentially to learn more about the perpetrators).

But it also shows that data sharing — alleged to be the urgent need calling for CISA — is not a problem.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

5 replies
  1. wayoutwest says:

    Has anyone actually identified these ‘ China-backed hackers’ ? It seems somewhat strange that someone would claim that China would outsource this critical espionage to a third party or if this is their work at all.

    • Rayne says:

      “China-backed hackers” doesn’t mean outsourcing, per se. China is NOT a democracy, can’t say this often enough; there’s no daylight between entities like universities or businesses and China’s government, only the illusion that there is any separation.

      A “China-backed hacker” could easily be a group of students on campus at a Chinese university. Could be ex-pats who have been permitted to leave the country, but still work on assignment. Lots of other variations possible.


      Very important not to assume that China has bought a non-Chinese third party to hack. Hasn’t been their M.O. It’s also rather telling that the U.S. government is being even less specific than they were about the alleged North Korean hacking of Sony Pictures.

      • wayoutwest says:

        The phrase ‘China-backed hackers’ appears to me to have been carefully selected newspeak because it can be interpreted many ways as you have clearly shown. Earlier US claims about alleged Chinese hacking have pointed directly at the Chinese Military Intelligence and I think, named individuals.

        US students, universities and contractors who assist our government with hacking are not labeled ‘American-backed hackers’ so why this ambiguous word-salad to describe the perps in the latest hacks?

        Could it be that the Chinese hackers have become so skilled and their MO so advanced that the great US Panopticon is no longer able to trace their work back to its source?

        These huge and apparently unstoppable breaches of military, business and government databases shows what a failure we are at cyber security and using deflections such as, the China-backed hackers did it, does nothing to remedy that massive failure.

Comments are closed.