Posted on 04/28/2015 4:57:53 PM PDT by markomalley
Newly revealed information about how hackers broke into a company conducting millions of background investigations on national security employees shows the lengths to which attackers are willing to go to steal U.S. secrets.
There is a systemic effort underway by China and other adversaries to crib sensitive data on powerful people and covert operators in Washington, intelligence analysts say. Hacks at employee vetters USIS, KeyPoint, and the Office of Personnel Management, as well as major federal health care provider Blue Cross Blue Shield, are cases in point.
At USIS, cyber snoops deployed spyware custom-designed to capture screenshots only when a background check window was open, according to Stroz Friedberg, a digital forensics firm started by former FBI agent Edward Stroz.
"The attacker installed screen-scrapping malware on systems and specifically configured that malware to grab screen shots only when background investigations-related applications were being displayed on the screen," Stroz Friedberg Managing Director Bret Padres said in a September 2014 letter to USIS' attorneys, which was obtained by Nextgov. USIS is fighting a $1 billion Justice Department lawsuit amid accusations the firm submitted incomplete background checks.
The use of malicious code that only executed under certain circumstances implies the hackers didn't want to raise alarms," said Richard Barger, chief intelligence officer at ThreatConnect and a former Army intelligence analyst. "Many of those background check systems are very highly audited."
The perpetrators snuck in through a hole in the network of one of the companys suppliers, according to Strozs letter. The compromised network, which stored enterprise resource planning software, was attached to USIS' network. The name of the vendor is not identified in the report.
"The attacker was able to navigate from the third-party-managed environment into the USIS network in late [redacted] by successfully brute-forcing a password on an application server," said Stroz's Padres, referring to a hacking technique that systematically checks all possible passwords. "Once the attacker was able to log in to that server, the attacker installed a malicious backdoor, an entryway to come and go as often as the intruders pleased.
Well over 27,000 personnel seeking security clearances likely were affected by the USIS incident, Rep. Elijah Cummings, D-Md., the top Democrat on the House Oversight and Government Reform Committee, said last week.
USIS officials declined to comment beyond what was written in the Stroz forensics analysis. Stroz deferred to USIS.
A Dossier on U.S. Movers and Shakers?
By linking information from government personnel databases and health care databases, interlopers can obtain a window into the family lives of federal employees who might be susceptible to bribery or blackmail, some national security experts say.
The breach of an Anthem health care database last fall affected federal employee subscribers as well as BCBS federal members who aren't covered by Anthem but received BCBS services in a state where Anthem operates.
Anthem says, at this point, there is no indication diagnosis or treatment information was compromised by the attackers.
But if I know you have a clearance from the USIS breach and I know that maybe your husband or wife has cancer from the Anthem breach, maybe I can approach you and say: 'You work at Langley. You've got access to sensitive information. Maybe if I give you $50,000 a year just to tell me a little bit about what you do, maybe I can eventually convince you to betray your country,'" Barger said, as an example of how medical data could be used to recruit human assets.
Other intelligence specialists say the trespassers certainly had serious financial backing, but would not go so far as to say they were state sponsored.
Somebody on the other side of this attack had to come into work every day and check on these systems -- and make a decision on when are we going to start being more proactive. That requires people. That requires planning. That requires resources, said Ron Gula, chief executive officer of Tenable Network Security and a former National Security Agency researcher.
The scenario suggests nation-state involvement but perhaps other well-heeled, tech-savvy entities had reason to want the biographies of valuable U.S. personnel.
"Folks who do classified, cleared work, they are all hurting for people, Gula said. Every one of them is trying to get the next cleared cyber genius. They are all competing, and it is very cutthroat.
All Hillary had to do was fetch FBI files.
One reason they may be going after this type of data is that a lot of background investigations include a massive financial disclosure. If you get all the associated data on somebody then you have to potential of hitting their bank and brokerage accounts. Sure am glad they computerized all that stuff so it is easier to steal.
> One reason they may be going after this type of data is that a lot of background investigations include a massive financial disclosure. If you get all the associated data on somebody then you have to potential of hitting their bank and brokerage accounts. Sure am glad they computerized all that stuff so it is easier to steal.
I have over 20 years experience in fraud cases and doing background checks. I agree to some extent but the majority of background checks don’t typically list financial data unless they’re for higher level positions where trust is involved. I agree that they’re after the vital stat info such as DOB, SSN, address, phone numbers, etc...anything that the bank uses to verify identities. This info is key to getting access to financial info when the perps start dumping accounts and committing credit card fraud.
There’s another angle to this though. I think the powers that be want that type of data to be available to the feds only. The tyrants are tired of the public being able to check them out. If they draw enough attention to data breaches the feds can walk in, close off access to the data, protect themselves, and look like they’re “saving the people from hackers” but the unintended consequences will shut down a large segment of the economy particularly in the risk assessment fields (lending, insurance underwriting, employment verification / background checks, etc...and a lot more...)
A brute force passing hacking program worked? Wow. I thought the days of that working were over. Guess not...
The people being targeted are the Feds. These background investigations were all contracted out by OPM.
>The people being targeted are the Feds. These background investigations were all contracted out by OPM.
that’s the appearance though having been in the unintelligence industry or many years, the “truth “is often what the puppetmasters tell you it is, not what it really is...
You are totally off base. This was a huge breach, and they are treating it like a simple attempted identity theft. It was not.
This was Standard Form (SF) 86 data for Federal clearance at the TS level—it lists everything back to kindergarden.
> I’ve conducted SF-86s. I know exactly what’s in them. They’re about 25 plus pages long last I worked on them. They’re most likely fishing for intel to target key personnell to infiltrate for national security secrets. They’ll probably use the info to hack their electronic communications and use the info to compromise and blackmail them if needed. There’s just about anything a spy would ever need in those files.
I think there’s more to this story. I just find it hard to believe a brute force password hacking program allowed them access. Mosf government computer security systems would lock them out after a few bad tries. Now I know this sounds like they hacked a government contractor that does the checks (I’d guess Kroll because they’ve been doing investigations for government agencies for years) and I find it hard to believe they or anyone else doing SF-86s would have a system that could be hacked by a cracking program like that... Just doesn’t wash....
I don’t know how it was cracked, but it really pisses me off. The personal information is much worse than financial crap.
Getting a letter telling you that OPM will pay to monitor your credit free for one year doesn’t quite make up for this breach. My greatest concern is that we don’t know the players—this could be used for compromise, or it could possibly make a nice hit list. From a security standpoint, it is a complete clusterf%#k!
> Getting a letter telling you that OPM will pay to monitor your credit free for one year doesnt quite make up for this breach. My greatest concern is that we dont know the playersthis could be used for compromise, or it could possibly make a nice hit list. From a security standpoint, it is a complete clusterf%#k!
Agreed.
“Well over 27,000 personnel seeking security clearances likely were affected by the USIS incident, Rep. Elijah Cummings, D-Md., the top Democrat on the House Oversight and Government Reform Committee, said last week.”
I’ve heard him speak. I’m not sure he could articulate a thought that big...unless somebody else wrote it down for him.
So you were already contacted? My agency sent out a blanket warning, but I haven’t received a notice. I did have a renewal done this year. Hoping for the best, expecting the worst. Not the first time my data has been compromised. Happened numerous times in the military, but I am worried about my financial disclosure being attached.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.