The four million federal workers who may have had their personal information hacked likely woke up this morning with a dominating question: How did this happen?
U.S. investigators believe Chinese hackers are responsible for the massive security breach at nearly every federal government agency. The national security community is now working under the assumption that the Chinese have hundreds of thousands of security clearance forms.
While investigations into what precisely happened are in progress, here’s one possible theory, shared by a U.S. official:
1. Let’s say there is a U.S. government agency, call it Agency X, that does not keep its server operating system patched. We don’t know which agency it is: the federal government doesn’t want to reveal to the Chinese everything it knows, including the cyber links the agency had to the Office of Personnel Management.
2. Between one and two years ago, that agency gets flooded with broad-based phishing emails.
3. That attack is successful, and the attacker, now known to be China, receives some replies from employees at Agency X.
4. Based on those returns, the attacker then moves to more targeted spear phishing attacks against Agency X.
5. At least one of the spear phishing attacks, maybe more, is successful. This is the first point of failure, attributed to the lack of patching, or to not quickly securing a hole in the system.
6. Now the attacker has a toehold inside Agency X at a deep level, beyond an individual user.
7. The attacker then is able to find the unpatched vulnerability in the server software at Agency X.
8. The attacker makes the next move: through that vulnerability, the attacker creates a fake administrator account and grants it escalating privileges.
9. Now the attacker uses those privileges to create new user accounts at Agency X.
10. Those user accounts are used to spear phish OPM and get a return from it.
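Steps 8 and 9 of the official's theory describe a pattern that ordinary audit logs can surface: an account is created and is placed in an administrative group almost immediately, and that brand-new account then starts creating further accounts. The following is an added example, not part of the article and not anything the official or the government described; it runs over a constructed JSON-lines audit log with made-up field names (`event`, `actor`, `target`, `group`), account names and timestamps, and the 24-hour window and admin group names are assumptions a real deployment would tune.

```python
"""Added example: flag the account-creation pattern from steps 8 and 9
(fake admin account, then new accounts created by it) in a constructed,
vendor-neutral audit log. Field names and sample records are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Nothing here comes from the
# article; the accounts, actors and timestamps are invented for illustration.
SAMPLE_LOG = """
{"ts": "2014-03-02T01:12:03", "event": "user_created", "actor": "svc-backup", "target": "j.doe2"}
{"ts": "2014-03-02T01:12:40", "event": "group_added", "actor": "svc-backup", "target": "j.doe2", "group": "Domain Admins"}
{"ts": "2014-03-02T01:15:10", "event": "user_created", "actor": "j.doe2", "target": "hr.mailer"}
{"ts": "2014-03-02T01:16:22", "event": "user_created", "actor": "j.doe2", "target": "it.support2"}
{"ts": "2014-03-05T09:00:00", "event": "user_created", "actor": "helpdesk", "target": "new.hire"}
{"ts": "2014-03-12T09:00:00", "event": "group_added", "actor": "helpdesk", "target": "new.hire", "group": "Staff"}
"""

# Assumed names of privileged groups and the "suspiciously fast" window.
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse JSON-lines audit records into dicts with datetime timestamps,
    sorted by time so the detectors can rely on ordering."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_fast_admin_grants(events, window=WINDOW):
    """Step 8 pattern: an account that is created and then added to an admin
    group within `window`. Returns (account, actor, seconds_between)."""
    created_at = {}
    hits = []
    for rec in events:
        if rec["event"] == "user_created":
            created_at[rec["target"]] = rec["ts"]
        elif rec["event"] == "group_added" and rec.get("group") in ADMIN_GROUPS:
            born = created_at.get(rec["target"])
            if born is not None and rec["ts"] - born <= window:
                delta = (rec["ts"] - born).total_seconds()
                hits.append((rec["target"], rec["actor"], delta))
    return hits


def find_creations_by_new_accounts(events, window=WINDOW):
    """Step 9 pattern: accounts created by an actor that was itself created
    less than `window` earlier. Returns (actor, new_account)."""
    created_at = {}
    hits = []
    for rec in events:
        if rec["event"] != "user_created":
            continue
        born = created_at.get(rec["actor"])
        if born is not None and rec["ts"] - born <= window:
            hits.append((rec["actor"], rec["target"]))
        # Record the new account after checking, so an account cannot
        # match against its own creation record.
        created_at[rec["target"]] = rec["ts"]
    return hits


def analyze(text=SAMPLE_LOG):
    """Run both detectors over a log and return their findings."""
    events = parse_events(text)
    return {
        "fast_admin_grants": find_fast_admin_grants(events),
        "creations_by_new_accounts": find_creations_by_new_accounts(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

On the sample, `j.doe2` is flagged because it became a domain admin 37 seconds after creation, and `hr.mailer` and `it.support2` are flagged because a minutes-old account created them; the legitimate `new.hire` record, which joins a non-admin group a week later, is not. In practice the window and group list are the tuning knobs, and the event source would be whatever directory or host audit log the environment actually produces.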
In April, the U.S. government learned of the ten-step plan to hack it. For two months, the federal government didn’t reveal the information publicly because they had not yet cleaned up the entire system. Nor did federal officials want the Chinese to know they were onto them.
So the American government also created a fake system, the U.S. official said, which absorbed the Chinese attacks without the attackers realizing that U.S. officials had launched what is called a cyber “honeypot,” a decoy that imitated the real thing.
The bottom line, according to the U.S. official? Attackers eye unpatched vulnerabilities, and the Chinese found one.