What If the Intelligence Community Is Looking for the Wrong Malicious Use of OPM Data?

Screen Shot 2015-09-14 at 9.11.40 AMThe revelation in last week’s cyber threats hearing the press has been most agog about is that James Clapper predicted hackers would get around to changing, rather than just stealing, data.

[after 19:00] In the future I believe we’ll see more cyber operations that will change or manipulate electronic information to compromise its integrity — in other words, compromise its accuracy and its reliability, instead of merely deleting it or disrupting access to it.


[after 56:00] To this point, it’s either been disruption — of a website, for example, but more commonly, just purloining information. As I indicated in my opening statement though, I believe the next push on the envelope here is going to be the manipulation or deletion of data, which will of course compromise its integrity.

Um. Really, journalists who cover this area?

The notion that a cyber operator will change data is not new. Proof of that concept happened years ago, with the StuxNet attack, when US and Israeli hackers made the Iranians think everything was going peachy with their centrifuges when in fact they were spinning out of control. No one may yet have manipulated our data, but we’ve manipulated others’ data.

Which I guess means, according to Clapper’s definition, StuxNet was an attack and not just a hack — in case you had any doubts.

One thing I found far more interesting was Clapper’s repeated assertion that the IC has seen no use of the Office of Personnel Management data.

[after 49:00; see also after 1:29] Clapper: What we’ve done is speculate how it could be used. And again the distinction I was just making with Congressman Westmoreland had to do with the terminology of saying that the OPM breach was an attack. Getting back to definitional issues, we wouldn’t characterize it that way. What’s of great concern with respect to the OPM breach, which I spoke to briefly in my opening statement had to do with potential uses of that data. And of course, we’re looking. Thus far we haven’t seen any evidence of their usage of that data.

I said as I was watching and others have said since that this likely just reflects China — almost universally believed to be the OPM perpetrator — playing the long game. It will use the knowledge when it’s good and ready, all the while we’ll know it has it.

All that said, the other thing Clapper said that I found very interesting was that the IC has varying degrees of confidence about who did this hack.

[after 20:00] Clapper: And while speaking of the OPM breaches, let me say a couple of words about attribution, which is not a simple process and involves at least three related but distinct determinations: geographic point of origin, the identity of the actual perpetrator doing the keystrokes, and the responsibility for actually directing the attack. In the case of OPM, we’ve had differing degrees of confidence across the IC in our assessment of the responsibility for each of these elements. Of late, unauthorized disclosures and foreign defensive improvements have cost us some technical accesses.

Apparently, not everyone in the IC is completely convinced China did this. This is the kind of statement we never saw, as far as I remember, with regards to the Sony hack (though, admittedly, it’s a lot easier to make unsubstantiated accusations against North Korea than China). Are people really not convinced?

Note, too, the casual reference to the US losing some technical accesses, presumably in response to Snowden’s disclosures and the heightened awareness from our adversaries just how badly we’ve pawned them for years. Given the assumption China hacked OPM, this likely means we’ve lost some visibility into Chinese actions in the last two years.

The evidence China did this hack in part stems from its complexity; few — but not no — other actors could pull it off. That someone would hack United, in tandem with OPM, would support that, given that United flies so many flights from Dulles to China.

All that said is it possible — remotely — some other sophisticated state actor could have done this?

I’m going to assume Clapper is just downplaying the certainty here, possibly in advance of Xi Jinping’s visit to DC.

But if it is remotely true, would that have an effect on our ability to monitor for the use — or even manipulation — of OPM data? That is, if we were looking for Chinese use of the data — focusing on people of Chinese descent and/or people stationed there — would we miss attempts to compromise clearance holders another sophisticated state actor — say, Israel — might target? I’ll just remind that at a time when the US was trying to set up the IRGC for an assassination attempt, someone spamouflaged what likely included our target. I presume that as we got closer and then finalized the Iran deal, Israel’s targeting of our spooks has intensified.

In any case, Clapper seems confident that the data was not compromised here, which is something other commentators have raised as a worry (because doing so would allow you to create clearances for people who had not been vetted, for example).

[after 1:29]My working definition of whether it’s an attack or not and my characterization of it not being an attack in that there was no destruction of data or manipulation of data, it was simply stolen.

But if we’re not 100% sure this is China (again, I’m skeptical we have much doubt), maybe we couldn’t be so sure about whether the data has been manipulated or — at the very least — used to compromise our clearance holders.

20 replies
  1. bloopie2 says:

    I’m intrigued by this statement of yours: ‘The evidence China did this hack in part stems from its complexity; few — but not no — other actors could pull it off.’ Two questions arise. One, what was so complex about it? Were there multiple layers of security to penetrate, or such? Or was it just BIG? (Obviously you have read tons more on it than I; perhaps I’ve just missed that information along the way). Second, will this distinction between ‘pros’ and ‘amateurs’ always be there, or are the non-state actors catching up in their skill levels – in the field of basic “break in and take the data” activities, that is. Or maybe they just need more funding, not more skill per se, to be on equal footing?
    Finally, as to ‘The notion that a cyber operator will change data is not new’. Of course. Howzabout all those reports going back decades of students breaking into the school computers and raising their grades? Before their time, I guess.

    • emptywheel says:

      On complexity mostly going on what I’ve heard. One would think it would be hard abscond with 21M records w/o their owner be aware, but who knows on that point?

      • bloopie2 says:

        Perhaps it’s down to “copying” and not “taking”. Edward Snowden copied many documents, and even the NSA didn’t realize that until much later. I assume the OPM hackers did likewise. But sheesh, does that mean that every database everywhere needs a program that alerts you when a document is accessed or copied? As you noted elsewhere, too many alerts yields paralysis.

    • blueba says:

      I agree with your concerns regarding the responsibility of “China” and the OPM as well as other gov hacks.

      I don’t even know what emptywheel means by “China” China is a country of 1.4 billion people and several very large corporations with lots of cash. There are no doubt many millions, even tens of millions of skilled computer technicians in the nation of China. There are Chinese criminals. To say “China” did it does emptywheel mean the CPC directed the hack/attacks? If so shouldn’t it be stated – “I think the CPC ordered and directed these hacks”? Further is it not possible to make it appear something is coming from China when in fact is coming from elsewhere or from foreign actors working from China? Referring to China as a single entity with a monolithic purpose and control seems to me to be far too simplistic.

      • emptywheel says:

        When discussing state actors (as this post was, explicitly in places), one usually can refer to a state actor’s name — China, Israel — without confusion.

        I agree that it’s likely that Clapper’s three levels of attribution suggest there may be a breakdown from the keystrokes to those directing in their ability to attribute the attack. But that’s precisely bc neither CLapper nor I are treating actors who are geolocated in China as China.

  2. P J Evans says:

    I wonder how far back they had to go before they found a backup they could be sure was before the database was hacked. (I doubt they keep all their OPM records on paper.)

  3. scribe says:

    One thing I found far more interesting was Clapper’s repeated assertion that the IC has seen no use of the Office of Personnel Management data.

    There’s a lot of data there. They gotta figure out what they’ve got, first, and how one part relates to another, second, and how it might be useful to their own objectives, third, before they can start planning on how to exploit it, fourth, or to use it, fifth. There are surely millions and millions of records in there, going back 30 years, and even throwing literal battalions of analysts at it will take a lot of time.
    Speaking from some experience in wading through databases, I can say that what you thought you got frequently reveals itself to be something other, once you get into the database. After a while good analyst can start seeing how different departments interact, the internal office politics and pecking orders, how well they comply with ISO, or similar. I’ve had it happen more than once where I noted something as “interesting” or anomalous or just a little off and, a week or two later, come across something else pretty well removed from the first which explained that the thing from the other week was something close to a Rosetta Stone. “Here’s the document that shows they’re bullshitting about the date they invented what the patent is about. I saw it two weeks ago and it didn’t make sense, but in light of this other document, now it does.” And then the interplay of the analysts discussing what they’re seeing makes a big difference – “what do you think about so-and-so?” or “Have you seen any X?” start to make a big impact on having things unfold. And sometimes those interesting things turn out to be dry holes, too.
    You oughta see the spreadsheets that get built to make sense of all the stuff. One case I worked on we had over a dozen people going for months (almost a year) through millions of documents. 50 page glossaries of abbreviations, stuff like that. It didn’t really start to make sense until they brought us foreign-language speakers in to work on the foreign-language stuff, which was where all the good info was buried. Even then, we were on the foreign language material for 4 months. And the spreadsheets and connections that get built in the minds of the analysts are frequently more involved and accurate than the stuff that gets written down.
    Keep in mind, too, that as good as the Chinese [or whomever] might be with their English, they still have to get enough people skilled enough in the foreign language and understanding of the culture – and corporate culture – to see where something fits, or doesn’t. They’re not likely to hire people who spent a lot of time here, on the assumption they were turned by us at some time. Only after all this can they then start figuring out what to do with it. Let alone actually do anything.

    Apparently, not everyone in the IC is completely convinced China did this. This is the kind of statement we never saw, as far as I remember, with regards to the Sony hack (though, admittedly, it’s a lot easier to make unsubstantiated accusations against North Korea than China). Are people really not convinced?

    Two takes on this. One, if IC comes out and says “were convinced we know who did this” or “we’re pretty sure we know who did this” or similar, then the next thing Congresscritters will start screaming for is “why haven’t you done something to them”. And Congressman Billybob from Up In the Holler will demand we nuke Peking. Today. I would suspect we’re not really in a position to do something that radical, nor do we have the tools cyberwise or otherwise. OTOH, if the IC says they’re not sure, then they don’t have to answer “why haven’t you done something?” but will have to answer “what are you doing to find out who?”, which they can answer “we’re working very hard using the whole panoply of investigative and analytical techniques and tradecraft” or similar go-away-and-leave-us-alone bullshit.
    Second, by denying that they’re sure they know who did this, they do keep their own folks from getting soft analytically and concentrating on one target when, in fact, it could be a different one. There’s any number of ways for malefactors to hide or masquerade on the internets and we could wind up analyzing, exploring, hacking or going after the wrong guys.
    Of course, we literally could be unsure or ignorant of who did it, too.
    Why no such reticence with No. Korea? Anything we would do to them would not materially diminish their standard of living nor, given the totalitarian nature of their state, likely their military as well. They probably air-gapped all their good stuff. They have the bodies to throw at problems that a developing consumer economy like China’s does not, so the inconveniences of air-gapping would not be a big deal that way. And no one’s getting a better offer from a widget factory there, so they’ll stay on the job.

  4. bevin says:

    Scribe, does it ever occur to you that repeating these crude propaganda memes regarding North Korea verges upon racism?
    It really is hard to understand why, almost seventy years on, so many people refuse to progress beyond the black and white Manichean cartoon version of Korean history, whilst also refusing to see why North Koreans, still traumatised by the most ruthless and genocidal bombing campaign in history, are inclined to take a similarly un-nuanced view of your country.
    Peace and understanding really do go together.
    Bruce Cumings’s The Korean War helps put things into perspective.

    • orionATL says:

      it only took the russians 70 years to get rid of their communist dictatorship and that was with the trauma of stalin’s purges (50 mill souls was it ?) AND hitler’s world war ii.

      north korea’s dictatorship is still going strong. and what’s your excuse?

      my view:

      russia = big area, large population, difficult to maintain control.

      n. korea = small area, small population, easy to maintain control.

  5. bloopie2 says:

    Good news – the ‘dancing baby case’ court has ruled that fair use must be considered before sending a DMCA takedown notice. Finally a bit of common sense to hold up against overbearing copyright owners.

  6. jerryy says:

    That long game approach can be finessed if you have the patience for it. Look at the Katrina disaster for example. The political leadership on all levels messed up and well, we have to live with what happened. Now suppose you wish to undermine some other government and you have access to the kinds of information these years of hacks have been skimming out, cream of the crop information, so to speak.
    You do not need to have sleeper agents with sworn alliegiences buried deep in the infrastructures, ready to go upon command. Just, instead, promote the careers of the incompetent over those you know are not as pliant as you think you need and let the Peter Principle do its work. No need to take over a country when it can do your bidding.

  7. wallace says:

    quote”My working definition of whether it’s an attack or not and my characterization of it not being an attack in that there was no destruction of data or manipulation of data, it was simply stolen.”unquote

    Stolen? As in..the OPM doesn’t have it anymore? How would they know it wasn’t destroyed..or..manipulated if they don’t have it? ie…if someone steals my car, I wouldn’t know what they did with it, right? Now, if they COPIED it..that’s a whole nuthr animal. Not being a computer techie type, how does one know something digital has been copied?

  8. orionATL says:

    i think , and have thought for some time, that it is a mistake not to listen closely to what clapper ssys (as ew is doing here). he lies overtly about what he feels he must lie about, but i have a sense he encompasses quite a bit of accurate revelation in his public commemtary.

    just wait until you can compare clapper with jeb bush’s appointee. then i think you would see all lies all the time or, more likely, no communication at all.

  9. orionATL says:

    on what history teaches about stuxnet, backdoors, encryption compromise and others of our government’s hyperclever technologically oriented spyxploits:

    […The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted “root” access.[3] If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first-generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information.[4][5] Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems’ SunOS UNIX operating system.[6] In the lecture he gave upon receiving the Turing award in 1983, Ken Thompson of Bell Labs, one of the creators of Unix, theorized about subverting the C compiler in a Unix distribution and discussed the exploit. The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user’s correct password, but an additional “backdoor” password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the login command or the updated compiler would not reveal any malicious code.[7] This exploit was equivalent to a rootkit.…

    …The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund.[8] It was followed by HackerDefender in 2003.[1] The first rootkit targeting Mac OS X appeared in 2009,[9] while the Stuxnet worm was the first to target programmable logic controllers (PLC).[10] …]


    the chinese seem to prefer using low-tech, no-tech phishing.

  10. Rayne says:

    I find it interesting that two other kinds of databases are under rolling attacks—breaches of security exposing proprietary data.

    Dating websites — Ashley Madison wasn’t alone. OKCupid may have been breached more than once. Adult FriendFinder announced it was breached in May, and PlentyOfFish disclosed it had been breached only this past month. Why so much activity in one industry?

    Healthcare insurers/providers — last week Rochester NY-based Excellus BlueCross BlueShield advised it had been breached, having learned of the exposure on 05-AUG. This was lost in the heated pushback at FireEye which had been looking at other healthcare providers after the OPM hack.

    Is somebody looking to match certain health events against dating behavior…and perhaps among persons of interest in the OPM data?

    • P J Evans says:

      That’s an interesting suggestion. (I’d also add cross-referencing just the databases from the dating sites might be interesting. I’d bet there were people who were listed in all of them.)

      • jerryy says:

        It could be the needed due diligence, if “you” can grab or manipulate the records, so can “others”, so “you” need to make sure what “you” got is good.
        These rolling hacks also follow a pattern I have seen: if I sign a petition sponsored by a religious-based group, within a day or so, my spam folder will get a lot of requests to join dating sites — of that same religion that is now claiming me as a member in follow-up petitions — followed in another day or so by more email spam offering me treatments and various sex enhancers and then cures for sexually transmitted diseases. This happens like clockwork. Maybe the same crew is moonlighting.

  11. orionATL says:

    blackmail and green money.

    you could count some opm data for some individuals in on this, but the pom data is nowhere near as rich in “operable” data.

Comments are closed.