Maksim Kabakou - Fotolia

Four million records exposed in second US agency hack in a year

Breach of four million records at US federal personal agency could be used for secondary attacks on other US government systems, security experts warn

Hackers have again broken into the computer network of the US government agency that stores personal information on all federal employees.

The Office of Personnel Management has announced that it was breached in December 2014, exposing the personnel records of up to four million current and former federal employees. 

Five months earlier, the agency reported that its computer network had been breached in March 2014, but claimed that there was no evidence that personally identifiable information was accessed.

Security experts say the breach is significant because the data harvested could be used for effective secondary attacks on other US government systems. The hackers reportedly accessed information that included social security numbers, job assignments, performance ratings and training information.

“This data could enable direct spear-phishing to yield access to deeper system access via credentials or malware, thus accessing more sensitive data repositories as a consequence,” said HP Security Voltage global director of product management Mark Bower.

“Beyond spear-phishing, knowing detailed personal information, past and present, creates possible cross-agency attacks, given job history data appears to be in the mix. The aim of this attack is likely to be gaining deeper access to other systems and agencies which might even be defence or military data, future economic strategy data, foreign political strategy, and sensitive assets of interest at a nation-state level for insight, influence and intellectual property theft," he said.

Bower added that the intrusion highlights hackers are capable of bypassing classic perimeter defences and data-at-rest security. “These new attacks can be neutralised only with more contemporary data-centric security technologies being adopted by the leaders in the private sector,” he said.

Read more about data breaches

This latest intrusion has also been attributed to Chinese hackers. US officials speaking on condition of anonymity said the hackers were state-sponsored, and private security firm iSight Partners said it has linked the intrusion to the same Chinese espionage group that hacked health insurance firm Anthem, reports The Washington Post.

Attackers undetected

Security experts say another important aspect of the breach is that the attackers had been inside the agency’s network four months before being discovered. The first intrusion at the agency in 2014 took more than three months to discover.

In the attack on Sony Pictures in late 2014, the main attack took place two months after the company’s network was breached, according to Resilient Systems chief technology officer Bruce Schneier.

“The initial strike was made through a spear-phishing attack in September 2014 that went “completely undetected” by Sony and enabled the attackers to obtain administrative credentials “pretty quickly” and spend a lot of time mapping the corporate network, and planning their attack, he told Infosecurity Europe 2015 in London.

Secure Channels CEO Richard Blech said the high-value data held by the agency should have all been deeply encrypted. “Their new tools that are detecting and alerting mean nothing if the data is still stolen. The goal is to leave data useless to the hacker when stolen,” he said.

In this latest breach of the US federal personnel agency, the hackers reportedly used a previously unknown cyber tool to take advantage of a vulnerability to gain access.

The number of unknown malware targeting organisations has increased exponentially, according to technical director at security firm Check Point, Thierry Karsenti.

“In 2014, 106 unknown malware types hit networks every hour, which was 48 times more than the 2.2 per hour reported in 2013. It’s a huge threat to all types of organisation that demands strong layers of security to defend against it,” he said.

According to senior manager at security firm Opswat, Tony Berning, when it comes to high security and classified networks it is important to secure the data flow by deploying one-way security gateways and ensuring that no information can leave the network.

“In addition, to ensure the highest protection against known and unknown threats, multi-scanning with multiple anti-malware engines should be deployed, leveraging the power of the different detection algorithms and   of each engine, and greatly increasing the detection rate of threats and outbreaks,” he said.

Read more on Privacy and data protection