US officials announced on Thursday that they are investigating a massive data breach involving the personal information of four million current and former federal employees. Reports indicate attackers compromised systems belonging to the US Office of Personnel Management (OPM), the human resources department for the federal government that conducts background checks on employees and possibly other federal agencies.
According to reports, US law enforcement believes that a foreign entity might be responsible for the cyber intrusion against the OPM, but current FBI investigations have yet to determine the facts.
Malicious activity that affected OPM’s information systems was reportedly seen in April and was detected by the Department of Homeland Security via its intrusion detection system, Einstein. The recent hack affected OPM’s IT systems, potentially compromising the personal information of federal employees. Since the attack, OPM announced that it has implemented additional security measures for its networks and is offering credit report access, credit monitoring, and identity theft insurance.
Last year, hackers broke into the OPM’s computer networks that housed personal information of federal employees. The attack reportedly appeared to have targeted the files of employees who had applied for top-secret security clearances, which listed their foreign contacts, previous jobs, and other sensitive personal information. Allegedly, no personal data appeared to have been stolen, and the intrusion was apparently detected and blocked. Unfortunately, despite supposed previous security countermeasures, the recent hack against the OPM proved that organizations can always be susceptible to an attack. Hence, assuming a compromise could be a better way to prevent and carefully plan for likely future attacks.
Obtaining access to the confidential information is usually just the first step. It’s highly likely that the stolen information will be used in secondary infections targeting the victims or their associates. The attackers will also “scrub” the stolen data, sifting to find valuable figures to target, like high profile individuals or even key agencies. The stolen information can allow the threat actors to create attacks specific to the targeted individuals.
Furthermore, going after the human resources arm of the US federal government allowed the attackers to gain information on several, if not all, government agencies. This specific attack shows that threat actors are concentrating on organizations that hold information on several potential targets—thereby eliminating the need to perform multiple, individual hacks to get all the data they want.
Targeted Attack at Play?
This incident reminds us of the importance of defending against targeted attacks, a threat that aims to exfiltrate data from target systems. Contrary to some notions, data exfiltration does not happen overnight. Because a targeted attack involves detailed reconnaissance work to gather information, these attacks usually take longer to plan and execute.
A targeted attack is composed of several components: intelligence-gathering, point of entry, command and control communication, lateral movement, asset/data recovery, and data exfiltration. However, most attacks aren’t a one-time thing. Threat actors often try to maintain access in the targeted network to perform further exfiltration. Hence, attacks are often cyclical in nature with overlapping stages. Because a targeted attack can routinely defeat and evade security measures, it could result in strategic chaos, massive costs, and crippled careers. Additionally, it can manage to stay undetected in a network or a system for a long time while successfully rendering its intended payload.
With targeted attacks on the rise, the question is no longer if organizations will fall victim to a targeted attack but when. In such an event, organizations need to prepare, respond accordingly, and eventually learn from it. Educating employees on the importance of protecting data is crucial to enable a good security mindset. In addition, organizations are encouraged to reach out to partners, stakeholders, and customers to comprehensively communicate the scope of the attack, including important steps to take to reduce the damage.