This article is from the source 'nytimes'.

You can find the current article at its original source at http://www.nytimes.com/2015/06/06/us/chinese-hackers-may-be-behind-anthem-premera-attacks.html

The article has changed 6 times.

Version 3 / Version 4 (about 9 hours later)

Chinese Hacking of U.S. Data May Extend to Insurance Companies / U.S. Was Warned of System Open to Cyberattacks
SAN FRANCISCO — The same Chinese hackers who breached the records of at least four million government workers through the Office of Personnel Management appear to have been responsible for similar thefts of personal data at two major health care firms, Anthem and Premera, according to cybersecurity experts.

WASHINGTON — The inspector general at the Office of Personnel Management, which keeps the records and security clearance information for millions of current and retired federal employees, issued a report in November that essentially described the agency’s computer security system as a Chinese hacker’s dream.
The multiple attacks, which began last year and were all discovered this spring, appear to mark a new era in cyberespionage with the theft of huge quantities of data and no clear motive for the hackers.

But by the time the report was published, Chinese hackers had already cleaned out tens of thousands of files on sensitive security clearances, and were preparing for a much broader attack that ultimately obtained detailed personal information on at least four million current and former government employees. Even today, the agency is struggling to patch numerous vulnerabilities.
There is no evidence that the data collected was used for criminal purposes like faking identities to make credit card purchases. Instead, the attackers seem to be amassing huge databases of personal information about Americans. Some have high-level security clearances, which the Office of Personnel Management handles, but millions of others do not, and the reasons for their records being taken have puzzled investigators.

A number of administration officials on Friday painted a picture of a government office struggling to catch up, with the Chinese ahead of them at every step.
All of the attacks have one thing in common: The United States government has traced them to China, though it is unclear whether the attackers are working for the state.

The agency did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside to use the kind of basic authentication techniques that most Americans use for online banking. It did not regularly scan for vulnerabilities in the system, and found that 11 of the 47 computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Based on forensics, security experts believe the attackers are not one of the hacking units of the People’s Liberation Army, which were named in a federal indictment last year that focused on the theft of intellectual property. Researchers say these hackers used different tools than those utilized by the Liberation Army’s Third Department, which oversees cyberintelligence gathering. But that does not exclude another state-sponsored group, or the adoption of new technologies that are harder to trace.

The problems were so severe for two systems that hosted the databases used by the Federal Investigative Service, which is responsible for the background investigations for officials and contractors who are issued security clearances, that the inspector general argued for temporarily shutting them down because the security flaws “could potentially have national security implications.”
What marks all of the attacks is the scale and ambition of the data sweeps. When Premera said it was the victim of an attack that exposed medical data and financial information, it appeared to involve 11 million customers. Anthem’s involved upward of 80 million Social Security numbers. Medical records, like the government’s personnel records, contain Social Security numbers and birth dates; the medical data sometimes is linked to bank accounts as well.

Hackers in China apparently figured that out months before the report was published. Last summer a breach was detected that appeared aimed directly at the security clearance records, information that could help a determined hacker gain access to email or other accounts belonging to those entrusted with the nation’s secrets.
In February the F.B.I. issued an alert, circulated to a restricted number of major firms and first revealed by Brian Krebs, a security researcher, that said bureau investigators had “received information regarding a group of cyberactors who have compromised and stolen sensitive business information and personally identifiable information (P.I.I.) from U.S. commercial and government networks through cyberespionage.”

While upgrades were underway, a much broader attack occurred, apparently starting in December. Before it was detected, personal information on at least four million people was apparently downloaded by a patient, well-equipped adversary, and the number is likely to grow.
But the theft of personal information has typically been the realm of cybercriminals, who sell it on the underground market where it can be used to break into someone’s email, bank or trading account, typically for identity theft. In this case, however, researchers say the group that stole the personal information was known for cyberespionage, which indicates that spies are no longer stealing just American corporate and military trade secrets, but also personal information for some later purpose.

As one senior former government official who once handled cyberissues for the administration, who would not speak on the record because it could endanger the person’s role on key advisory committees, said on Friday, “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”
The intrusions also suggest that President Obama’s efforts over the past three years to engage China’s leadership in a dialogue that would limit cyberattacks have failed. The pace of the attacks is unabated, and the scope has grown. Chinese officials say they, too, are victims, and on Friday the Chinese foreign ministry said the United States was leaping to conclusions about the source of the attacks based on evidence it has not made public.

Beijing dismissed the United States’ allegations that China was the source of an attack on federal workers’ data as “unscientific and irresponsible.” Researchers and government officials have determined that the Chinese group that attacked the office was probably the same one that seized millions of records held by the health care firms Anthem and Premera. Based on the forensics, experts believe the attackers were not part of the People’s Liberation Army, whose Third Department oversees much of the military’s cyberintelligence gathering. Rather, they believe the group is privately contracted, though the exact affiliation with the Chinese government is not known.
“We hope the American side won’t continue this layer upon layer of suspicion and groundless accusations,” Hong Lei, a Ministry of Foreign Affairs spokesman, said at a regularly scheduled news conference.

For the Obama administration, which came to office holding East Room events on cybersecurity and pressing Congress, for years, to pass legislation that would allow the private sector to share information with the government, what has happened at the Office of Personnel Management can only be described as a case study in bureaucratic lethargy and poor security practices.
Just what the attackers plan to do with Social Security numbers and other personal information for four million current and former government workers, and millions more insured by Anthem and Premera, is not yet clear.

In the most egregious case cited by the inspector general, outsiders entering the system were not subjected to “multifactor authentication,” the systems that, for example, require a code that is sent to a cellphone to be entered before giving access to a user. Asked about that in an interview, Donna Seymour, the chief information officer at the Office of Personnel Management, said that installing such gear in the government’s “antiquated environment” was difficult and very time consuming, and that her agency had to perform “triage” to determine how to close the worst vulnerabilities.
“We believe they are creating a tremendous database of P.I.I. that they reach back to for further activity,” said John Hultquist, the senior manager of cyberespionage threat intelligence at iSight, a security firm. “It looks like they are casting a very wide net, possibly for follow-on operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it.”

The agency now plans to install two-step authentication across its network, Ms. Seymour said. A longtime data security official, she also defended the decision to ignore the inspector general’s advice to shut down two systems that contain the security clearance information. Ms. Seymour said that the investigators were using an outdated assessment of the security measures and that the agency was in the process of getting tighter controls when the intrusion happened. Another senior official said that with the agency under pressure to clear a huge backlog of security clearances, halting the process was “a nonstarter” with Congress.
Mr. Hultquist and his team had been investigating the attacks at Anthem and Premera, in which hackers started naming their web domains after their targets. They named one of those domains Wellpoint, though with only one “l,” to mimic a site used by Anthem, and soon iSight’s researchers saw the hackers creating new infrastructure for other attacks. They also created some other new sites, including two named for the Office of Personnel Management, before they breached the federal agency. In every case, the group went after personal information.

During the installation of new security scanning software, officials said, they found evidence of the broad downloading of millions of files.
However, iSight stopped short of pinning the attacks on Chinese hackers. But administration officials said a lack of management focus on the problems contributed to the slow response combined with a lack of focus on protecting systems that are not part of the national security infrastructure but that contain large amounts of data. And a number of administration officials in interviews on Friday painted a picture of Chinese adversaries who appear to be building huge databases of information on American citizens, useful for intelligence gathering and other purposes.
The attack at the Office of Personnel Management is one of the largest breaches of federal employees’ data. It is also the third major intrusion of a federal agency in the last year. Last year, both the White House and State Department were breached by hackers that government officials believe were Russian.

“They didn’t go to sell the data, which is what criminal groups usually do,” said James Lewis, an expert at the Center for Strategic and International Studies. “It’s biographic databases that really give an intelligence benefit and that get into an opponent’s skin.” Such databases indicate where a government official was posted, and security clearance information would list their foreign contacts, useful if there was an effort to track down Chinese citizens in contact with Americans.
It is unclear why American government agencies were vulnerable to such an extent, or why those agencies left critical data unencrypted. A report from the Government Accountability Office last year found that government agencies have inadequately responded to cyberbreaches. The report found that 24 major federal agencies had been breached, and that in about 65 percent of cases, the agencies did not completely document their response to cyberincidents.

The chronology of attacks against American targets matches China’s stated economic and strategic objectives, members of Congress were told in briefings held by the Department of Homeland Security and other agencies. “I’m angry and frustrated that we are at a place where this kind of attack can be successful,” said Rep. Jim Langevin, a Rhode Island Democrat who sits on both a subcommittee on cyber issues and the Armed Services Committee. The attackers, he said, “could have been inside the systems for weeks or months.” In fact, investigators believe they were there for at least three months before being detected in April.
American officials are scheduled to meet with their Chinese counterparts at an annual “Strategic and Economic Dialogue” later this month, and government officials have said they will make cyberattacks a top item for discussion. But they have done so before.

Government officials in the United States have been tracking several such privately contracted Chinese groups since 2008 and believe they operate at the behest of the state. One, based out of Guangzhou in southern China, has been tied to thousands of attacks on victims in the United States, Britain, Canada, Europe, Russia and Africa that develop missile, satellite, space and nuclear propulsion technology.
In an attempt to deter the kinds of attacks that have left federal agencies reeling, President Obama signed a new executive order in April that established the first sanctions aimed at curbing foreign cyberespionage and theft. The order authorized financial and travel sanctions against anyone participating in online attacks that posed a threat to the “national security, foreign policy, or economic health or financial stability of the United States.” But so far the new order has not been used.

At the White House, officials were struggling to explain on Friday how the breach could have happened after warnings from the inspector general and others. Michael Daniel, the White House’s top cyberofficial, declined to speak on the record about the attack, and Lisa Monaco, who has been handling cyberissues as one of Mr. Obama’s top national security officials, declined to be interviewed.
In this case there seemed to be little doubt among federal officials that the attack was launched from China. But the administration did not publicly identify Chinese hackers as the culprits, perhaps because it is difficult to definitively attribute the source of cyberattacks and to back up such an attribution without divulging classified data, or perhaps because of a broader diplomatic strategy. “The threat that we face is ever-evolving,” said Josh Earnest, the White House press secretary. “We understand that there is this persistent risk out there. We take this very seriously.”
The F.B.I. said it was working with other agencies to investigate the matter. “We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace,” Joshua Campbell, a spokesman, said in a statement. Mr. Earnest said Mr. Obama’s efforts to push legislation would bolster the nation’s data.
“We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system,” he said.