The U.S. government is worried that suspected China-based hackers who raided more than 4 million federal employment files will use the data to break in to highly secure computers and plunder secrets about the U.S. military, economic strategy or foreign relations.
Federal officials said Friday the cyberattack appeared to have originated in China, but they didn’t point fingers directly at the Chinese government.
A spokesman for the Director of National Intelligence declined to discuss whether there was evidence against China or whether intelligence agency employees were among those whose information was compromised.
The National Security Agency and the FBI have improved their ability to attribute cyberattacks in recent years, officials have said. Often, Chinese cyberattacks have identifiable signatures, including the types of malware used. The NSA also uses its more traditional intelligence-gathering methods to trace the origins of cyberattacks, including intercepting the phone calls and emails of the hackers.
Federal employees were told in a video to change all their passwords, put fraud alerts on their credit reports and watch for attempts by foreign intelligence services to exploit them. That message came from Dan Payne, a senior counterintelligence official for the Director of National Intelligence.
“Some of you may think that you are not of interest because you don’t have access to classified information,” he said. “You are mistaken.”
White House spokesman Josh Earnest said he couldn’t divulge much while the case was under investigation. Still, he noted that investigators “are aware of the threat that is emanating from China.”
One U.S. official said the breach was being investigated as a national security matter, suggesting authorities believe a nation was behind it rather than a more loosely organized gang of cybercriminals. The official was not authorized to discuss an ongoing investigation and spoke only on condition of anonymity.
The break-in is an embarrassment for the U.S. government’s vaunted computer-defense system for civilian agencies — dubbed “Einstein” — which is costing $376 million this year alone. Einstein is supposed to detect unusual Internet traffic that might reflect hacking attempts or stolen data that is being transmitted outside the government.
This latest breach occurred in December but wasn’t discovered until April, officials say. It was made public Thursday.
“The scale of it is just staggering,” said Rep. Adam Schiff, the top Democrat on the House Intelligence Committee. There is no telling how many more attacks could be spawned by the information stolen in this case, he said.
Although most Americans think of identity thieves as stealing from credit card or bank accounts, the information about civilian federal workers has other value for foreign spies.
“They’re able to identify people who are in positions with access to significant national security information and can use personal data to target those individuals,” said Payne. He said details from personnel files could be used to craft personalized phony messages to trick workers. Federal employees who think they are opening an email from co-workers or family members might infect their computers with a program that would steal more information or install spy software.
Spies also could use details about an employee’s interests or background to befriend them and try to manipulate them into revealing secrets.
Kevin Mitnick, a former hacker who now runs Mitnick Security Consulting of Las Vegas, called confidential details about federal employees “a gold mine.”
“What’s the weakest link in security?” he said. “The human. Now you know all about your target.”
The hackers may have made off with even more information about workers who undergo security clearance background checks.
That information includes the names of family members, neighbors and old bosses, plus reports on vices, arrests and foreign contacts.