New questions are emerging following Thursday’s announcement of a massive cyberattack that targeted the private records of about 4 million current and former U.S. federal employees.
Analysts are asking why it took the U.S. government so long to make it public. U.S. officials say they are investigating whether Chinese-based hackers are behind the attack.
Investigators say it appears the attack began sometime late in 2014, possibly in December, and continued until it was first detected in April 2015. The hackers reportedly used what’s called a “zero-day exploit” – a previously undetected vulnerability that often presents serious security risks, but once detected can be permanently patched.
But it wasn’t until Thursday that the U.S. Office of Personnel Management, or OPM, announced the breach.
Among the information in those files: details such as names, addresses, family members, education, Social Security numbers, security clearances, medical and other histories.
Earlier this year, at a meeting with tech executives in Silicon Valley, President Barack Obama urged private firms to be more transparent in announcing cyberattacks, and to make such attacks public within 30 days of detection.
Time needed for investigation
When asked why authorities waited until June 4 to disclose the attack, OPM spokesperson Samuel Schumach cited the due diligence required for publicaly responding to an attack of this magnitude.
“With any such event, it takes time to conduct a thorough investigation, and identify the affected individuals,” he told VOA via email.
Despite its impact, the hack isn’t notable for its size.
Indianapolis-based Anthem health insurance announced earlier this year that medical records of nearly 80 million patients had been breached by hackers. Those attacks were later traced back to equipment in China, and Bloomberg News is reporting that those same servers and digital infrastructure were involved in the OPM hack.
U.S. officials said the attack appears to have originated within China, but have not yet linked the attack directly to the Chinese government.
China’s Foreign Ministry spokesman Hong Lei called the accusations “irresponsible” and noted that China also is a victim of cyberattacks.
But unlike data hacks that clearly target financial or credit records – such as the breach of customer credit card numbers shopping at Target stores in 2013 – analysts say the OPM attack appears to be more closely related to espionage than financial gain.
“This doesn’t look like cyber fraud, this looks like espionage,” said Kobi Freedman, founder and CEO of the cybersecurity intelligence-sharing firm Comilion.
Magnitude, target of attack
“Crime tends to address concrete data, like financial records or credit cards," he added. "The magnitude and the target indicate that it’s reasonable to assume that this was a state-sponsored attack.”
OPM has not yet disclosed the full range of information collected, saying only that targets appeared to be Social Security numbers and “other personal data.”
These are not the first large-scale cyberattacks traced to China.
In 2014, the FBI indicted five officers in China’s People’s Liberation Army, or PLA, for coordinating hacks on six U.S.-based corporations such as U.S. Steel and Alcoa.
Chinese officials have repeatedly denied any involvement in such attacks, saying the U.S. has never offered definitive proof of a hack directly traced back to Beijing.
“It’s actually very hard to trace attacks,” said Bruce Schneier, a leading cryptographer and author of the book Schneier on Security.
“When we can, it’s often because hackers have made mistakes in hiding their tracks and it’s not something we can do quickly. In other cases, we’ve known with reasonable assurance the attacks came from certain buildings and offices in China and that the government knew about it and approved it,” Schneier told VOA in an interview earlier this year.
Analyst Freedman compares digital forensics — tracking the source of a hack — to a police investigation.
“When you’re doing the forensics of an attack, there is a trace of fingerprints left behind starting from the hacked device or servers, deciphering which are the real and the fake clues, and then tracing the breadcrumbs back through the communications networks, hopefully right back to the source,” he said.
Source of attack
Brigham Young law professors Eric Talbot Jensen, a former Judge Advocate in the U.S. Army, says tracking cyberattacks is not all that different than identifying the source of a physical attack.
“Some people view attribution as a yes or no switch, [and] I don’t think it’s that way,” said Jensen, one of numerous contributors to the Tallinn Manual, a rulebook of sorts on cyber espionage.
“I think attribution’s a spectrum,” he said. “What a government really has to worry about is [whether] they have enough attribution to take the kind of action they want to take. If I’m at 70 percent attribution, I can be comfortable taking certain actions. If I’m at 80 percent, I might be comfortable taking even more actions.”
