China's hackers got what they came for

The Chinese hackers who are believed to have cracked into the federal government’s networks might not be back for a while.

They got what they came for.

“I think they have 95 percent of what they want from both U.S. industry and government,” said Tom Kellermann, chief cybersecurity officer at security research firm Trend Micro.

While China’s aggressive hacking operations are certain to continue, experts say the mammoth data breach at the Office of Personnel Management is a watershed event that will allow Beijing to move from broad reconnaissance to narrowly tailored snooping.

Having already obtained private information on up to 14 million federal employees — including Social Security numbers, arrest and financial records, and details on mental illness and drug and alcohol use — China’s hacking teams can now retreat to the shadows.

“For this point in time we won’t see another massive attack like this. Instead, it will be more targeted ones,” said Tony Cole, global government chief technical officer for security firm FireEye, which has conducted extensive research on Chinese cyber campaigns.

U.S. officials are still trying to figure out the full scope of the data breach, which is believed to have affected security clearance information for the military and spy agencies.

While the United States has not publicly blamed China, investigators privately say China was behind the cyberattack.

The OPM hacks have likely helped China fill out an exhaustive database of federal workers that its teams have slowly been building for over a year.

“Knowing almost every person is incredibly helpful,” said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. “That type of information they presumably never had access to before.”

Because the hack went undiscovered for a year, the hackers likely had time to do an exhaustive sweep through federal networks.

“If somebody was in last year and they had that much time,” Cole said, “then the odds are that they have a huge cache and have really taken all the crown jewels in that system.”

It appears the digital infiltrators were casting a wide net, similar to the tactics used when targeting health insurers like Anthem and Premera Blue Cross.

While those attacks compromised the Social Security numbers and personal information of more than 90 million people, researchers suspect that the goal was collecting information on U.S. government officials.

With the OPM hack, they likely hit the mother lode.

With a deep data set now safe in hand, Chinese hackers can shift to a “much more clandestine” stage of espionage, Kellermann said.

“They’re going through this data now, and more than likely they're looking for a candidate on whom they may actually want to try and gather more data,” Cole said.

Cole said these digital warriors are looking for exploitable personal details — people who have seen counselors or psychiatrists, for instance.

The thought, Cole said, is “Let’s find out who the counselor is, go crack their system.”

“There's plenty of information that they could still collect in terms of full medical records or more details or financial records,” Alperovitch said.

Beijing officials aren’t going to lose their appetite for maintaining the most comprehensive database possible on U.S. workers, which is a valuable resource in the emerging era of cyber warfare.

Cole suspects the OPM hacking team left behind so-called “beachheads,” essentially undetected entry points that could allow intruders back into a network even after getting kicked out.

“It’s difficult to actually dig through and find all of those indicators,” Cole said. “The government does have some good experts, however, not a lot of them.”

In due time, the Chinese hackers will be back for more.

“They will always be interested in coming back for updates,” Alperovitch said. “The reality is these are campaigns. And persistent campaigns.”

“I have no worries,” he added, “about Chinese intelligence operatives being out of work any time soon.”