Assignment 5
United States Office of Personnel Management (OPM) Incident
Steven A. Bruner (4151593)
American Military University
ISSC630
17 April 2022
The US Office of Personnel Management (OPM) announced in July 2015 that it had been the target of a successful cyber-attack. The leaked data included extensive information about background investigations, security clearance applications and investigations, and fingerprint cards. The breach was one of the most significant in history, and its effects continue to be felt by federal employees and their families. This paper first summarizes the key aspects of the case and the key or critical pieces of data found by investigators. Next, it analyzes what could have been done differently during this investigation and offers insight into investigative procedures. Lastly, it gives a few suggestions on what could be done better in handling future incidents of this kind.
Summary of Key Aspects of the Case
The OPM hack began at least as far back as October 2014, but it was not until May 2015 that the US government publicly acknowledged it had occurred. The hackers obtained personal data on more than 22 million individuals. This included the names, addresses, and Social Security numbers of 4.2 million people; information regarding 1.1 million background investigations; and approximately 21.5 million sets of fingerprints, including 1.1 million that were not available elsewhere in federal databases or other sources (Finklea et al., 2015). In June 2015, the Office of Personnel Management announced that it had begun implementing new security protocols and that the breach had not been fully contained.
Key or Critical Pieces of Data Found
Investigators were able to retrieve the malware used by the hackers. This malware had a unique signature: just as a computer virus carries identifying characteristics, malware carries some type of "signature" that identifies it. In this specific cyber-attack, it was a set of tools known as "Dewdrop." Investigators identified those responsible for the attack by examining the digital footprints they left behind, including where they came from and where they went after committing their crime or crimes. One of the more interesting findings was how the attackers kept the breach under wraps for so long: they had masked their tracks and hidden their locations. It was not until they tried to move their data that they were caught (Finklea et al., 2015). They were moving it over the internet, normally an easy task with the tools available today. However, as clean as the hackers' work was, this step made them easier to catch, because every time a system goes online it has a unique identifier (an IP address). Investigators were able to identify four people responsible for this attack, three from China and one from Pakistan.
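The paragraph above describes identifying the attackers' toolset by its signature. The following Python example, added here and not part of the original paper or the CRS report it cites, shows the two common forms such a signature takes from a defender's side: an exact file hash (as shared in an indicator feed) and a byte pattern that survives small changes to the file. All sample files, the marker string, and the labels are constructed for the demonstration; none of them come from the OPM investigation or from the "Dewdrop" toolset.

```python
import hashlib
import re

# Constructed sample "files" for the demonstration; none of these bytes come
# from the OPM investigation or from any real malware.
SAMPLE_FILES = {
    "svchost_update.bin": b"MZ\x90\x00" + b"CONSTRUCTED-TOOLKIT-MARKER" + b"\x00" * 16,
    "loader.bin": b"MZ\x90\x00" + b"\x41" * 32,
    "report.txt": b"Quarterly background investigation totals",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (the usual form of a hash indicator)."""
    return hashlib.sha256(data).hexdigest()


# Two kinds of signature an investigator might hold for a toolset:
#  - an exact file hash shared by a partner or an indicator feed, and
#  - a byte pattern that still matches after small changes to the file.
# Both values here are constructed for the example.
SIGNATURES = {
    "hash": {sha256_hex(SAMPLE_FILES["loader.bin"]): "constructed-loader"},
    "pattern": [(re.compile(rb"CONSTRUCTED-TOOLKIT-MARKER"), "constructed-toolkit")],
}


def scan_file(data: bytes, signatures=SIGNATURES):
    """Return a list of (signature_kind, label) hits for one file's bytes."""
    hits = []
    digest = sha256_hex(data)
    if digest in signatures["hash"]:
        hits.append(("hash", signatures["hash"][digest]))
    for pattern, label in signatures["pattern"]:
        if pattern.search(data):
            hits.append(("pattern", label))
    return hits


def scan_all(files=SAMPLE_FILES, signatures=SIGNATURES):
    """Scan every file and keep only those with at least one hit."""
    results = {}
    for name, data in files.items():
        hits = scan_file(data, signatures)
        if hits:
            results[name] = hits
    return results


def rescan_after_one_byte_change(files=SAMPLE_FILES, signatures=SIGNATURES):
    """Flip the last byte of each flagged file and scan again. The hash
    signature on loader.bin stops matching, while the byte pattern on
    svchost_update.bin still fires: this is why hash indicators alone are brittle."""
    results = {}
    for name in ("loader.bin", "svchost_update.bin"):
        altered = bytearray(files[name])
        altered[-1] ^= 0x01
        results[name] = scan_file(bytes(altered), signatures)
    return results


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(name, hits)
    print("after one-byte change:", rescan_after_one_byte_change())
```

The second scan is the practical lesson: a hash identifies one exact build of a tool, so a defender who receives only hashes will miss a recompiled or lightly modified copy, whereas a pattern tied to something the tool must contain keeps matching.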
In terms of what could have been done differently, investigators were able to identify the individuals responsible for the attack and the locations they were based out of. However, to stop this type of crime from happening again, it would help to better understand why they are doing this. Their reasoning is most likely to give some insight into how similar attacks can be prevented in the future. It is difficult to say whether investigators will ever be able to uncover a motive for this attack (Finklea et al., 2015). Even though they identified who committed the attack and where they were located, they were unable to learn why they did it or how much data was taken before it was discovered.
In terms of search warrants and the evidence to be collected, investigators would need to gather certain types of information. Their first step is to identify the malicious code, who created it, and where it originated. Once they have determined who is responsible for the breach, they gather all available digital data related to the case. This includes phone logs, financial records, emails, IP addresses used, social media accounts and profiles (Facebook and Twitter), and device data such as computer fingerprints or any digital artifacts left behind on a computer or mobile device.
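Two points in the paper lend themselves to a worked example: the observation that the attackers were caught when they moved the data over the internet, and the list of evidence (IP addresses, logs, digital artifacts) that an investigator collects. The Python below is added here and is not code from the paper or from OPM; it parses constructed outbound-proxy log lines in a made-up format, totals bytes sent per source/destination pair, flags pairs above a threshold, and records an integrity manifest (hash, size, time span, collector) for the log as collected. The IP addresses are from documentation ranges, the "ANALYST-PLACEHOLDER" collector name is a placeholder, and the 100 MiB threshold is an arbitrary example value.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log lines in a made-up format. They are not OPM records;
# the addresses are RFC 5737 documentation ranges and a private range.
LOG_LINES = [
    "2014-10-03T02:14:07Z proxy ALLOW src=10.20.30.41 dst=203.0.113.7:443 bytes_out=52428800",
    "2014-10-03T02:15:11Z proxy ALLOW src=10.20.30.41 dst=203.0.113.7:443 bytes_out=73400320",
    "2014-10-03T09:00:02Z proxy ALLOW src=10.20.30.55 dst=198.51.100.9:443 bytes_out=4096",
    "2014-10-04T01:58:40Z proxy ALLOW src=10.20.30.41 dst=203.0.113.7:443 bytes_out=61865984",
    "garbled line that must be counted as unparsed, not silently dropped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ (?P<action>[A-Z]+) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_all(lines):
    """Split lines into parsed records and the raw lines that failed to parse.
    Unparsed lines are kept so the analyst knows what the totals do not cover."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def egress_by_pair(records):
    """Total bytes sent from each internal source to each external destination."""
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def flag_large_egress(records, threshold_bytes=100 * 1024 * 1024):
    """Return (src, dst) pairs whose total outbound volume meets the threshold.
    The threshold is an arbitrary example value, not a recommended setting."""
    return sorted(pair for pair, total in egress_by_pair(records).items()
                  if total >= threshold_bytes)


def evidence_manifest(lines, collected_by="ANALYST-PLACEHOLDER"):
    """Record what was collected: a hash of the raw log bytes, its size, how
    many lines parsed, the time span covered, and who collected it."""
    raw = "\n".join(lines).encode("utf-8")
    records, unparsed = parse_all(lines)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "size_bytes": len(raw),
        "line_count": len(lines),
        "parsed": len(records),
        "unparsed": len(unparsed),
        "first_ts": min(r["ts"] for r in records).isoformat(),
        "last_ts": max(r["ts"] for r in records).isoformat(),
        "collected_by": collected_by,
    }


if __name__ == "__main__":
    recs, bad = parse_all(LOG_LINES)
    print("large egress pairs:", flag_large_egress(recs))
    print("manifest:", evidence_manifest(LOG_LINES))
```

Hashing the log at collection time is what lets an investigator show later that the copy examined is the copy collected; counting unparsed lines separately avoids the quiet gap that a parser which drops bad lines would leave in the volume totals.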
Suggestions for Future Investigations
In terms of future investigations and how they could be improved, OPM should make sure it has adequate security measures in place to prevent future breaches. It could also improve its communication with investigators so that they know when incidents happen and receive adequate information as soon as possible. Investigators should also make sure that an investigation has enough staff to complete it promptly.
I am not sure if there were any things that could have been done differently, but I think we can all agree it was an incredibly large breach in terms of the number of people impacted by this attack. It could have been prevented by establishing better security measures. This is concerning to me, as more and more sensitive data is stored on the internet and many companies do not have adequate security measures in place. Although OPM worked quickly to notify individuals who were potentially impacted by this breach, I believe they could have done a better job of contacting all those potentially impacted by this attack. It is difficult to say whether investigators will ever be able to uncover a motive for this attack. Even though they were able to identify who committed the attack and where they were located, they were unable to get any information as far as why they did it or how much data was taken before it was discovered.
References
Finklea, K., Christensen, M. D., Fischer, E. A., Lawrence, S. V., & Theohary, C. A. (2015, July). Cyber intrusion into U.S. Office of Personnel Management: In brief. Congressional Research Service, Library of Congress, Washington, DC. https://apps.dtic.mil/sti/citations/ADA623611