
PSYCHOLOGICAL ASPECTS BEHIND THE OPM ATTACK

Steven A. Bruner (4151593)

American Military University

ISSC630

24 April 2022

PSYCHOLOGICAL ASPECTS BEHIND THE OPM ATTACK

In June 2015, the US Office of Personnel Management (OPM) announced that its information technology systems had been breached. The personal information of about 4.2 million current and former federal employees may have been compromised in that incident. The following month, OPM disclosed a further intrusion that compromised the records of 21.5 million individuals held in its databases, including background investigation records on current, former and prospective federal employees and contractors.

This breach was one of the most significant to hit a government agency in recent memory. It was identified with the help of the Department of Homeland Security's (DHS) Einstein system, through which DHS monitors federal network traffic for signs of cyber threats (Fruhlinger, 2020). The attackers gained entry using credentials belonging to an employee of KeyPoint Government Solutions, a contractor that performed federal background checks and had access to OPM systems (Hinck & Maurer, 2019).

At an intelligence conference, Admiral Michael Rogers, Director of the National Security Agency (NSA) and commander of U.S. Cyber Command, declined to say who was responsible for the hack(s) (Hinck & Maurer, 2019). Speaking the next day, James Clapper, the Director of National Intelligence, said that China was the leading suspect in the breaches. If China held the material taken in the attack, it was unclear how it might use it.

Few experts disagreed with the theory that China was compiling a comprehensive database of US government personnel, their identities and their specific roles. Spear-phishing email, which tricks a recipient into opening an attachment or link that gives the attacker a foothold on the wider network, is another way such data can be obtained.

Yu Pingan

The FBI charged Chinese malware broker Yu Pingan with distributing malware. The indictment alleges that Pingan supplied hackers with malware, including the Sakula Trojan, that enabled them to compromise numerous US computer networks. He was taken into custody at Los Angeles International Airport on August 21, 2017. Two unnamed hackers are said to have collaborated with Pingan in attacks against US corporate networks between April 2011 and January 2014 (Fruhlinger, 2020).

Sakula, one of the tools used in the OPM attack, was also used in the 2015 Anthem data breach. Pingan pleaded guilty to his role in the conspiracy and acknowledged that Sakula was used in those intrusions. He was never explicitly charged in connection with the OPM attack, but the use of the same malware in the Anthem breach led investigators to suspect his involvement in OPM as well.

The Deep Panda group

Deep Panda is a hacking group believed to be backed by the Chinese government, and it was suspected of involvement in the OPM breach. "Patterns uncovered in the Internet's address book, known as the domain registration system, connect Deep Panda to the Anthem and Premera breaches" (Finnemore & Hollis, 2016). Deep Panda habitually registers look-alike domains that closely resemble those of its targets, for use in phishing and redirection; Wellpoint, the name Anthem was formerly known by, was imitated as we11point.com.

After the OPM breach, iSIGHT found the same pattern of similar-looking names being used to create bogus domains, and domain registration data turned up several domains imitating OPM. Despite this evidence, analysts retained some doubt and had other reasons to believe the group might not have been responsible.
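As an added illustration of the domain-registration pattern described above (this is example code written for this page, not the paper's or iSIGHT's tooling), the following Python script flags look-alike domains by collapsing common homoglyph substitutions such as 1 for l and rn for m before comparing labels with a list of protected brands, and then pivots on the WHOIS registrant name to find one registrant whose look-alikes span several victims. The brand list, domains and registrant names are constructed sample data; the Marvel-style names echo the registrant names discussed later in the paper but do not reproduce real registration records.

```python
"""
Look-alike domain detection and registrant pivoting.

Added example for this page, not code from the paper or from iSIGHT. It
scores domains against protected brands using homoglyph normalisation plus
edit distance, then groups flagged domains by WHOIS registrant name to find a
registrant whose look-alikes target several victims at once, the kind of
registration pattern the paper says linked Deep Panda to the Anthem and
Premera breaches. All domains, brands and registrant names are constructed.
"""
import re
import unicodedata
from collections import defaultdict
from typing import Optional

# Sequences attackers substitute for visually similar ones. Multi-character
# sequences are replaced before single characters ("rn" -> "m" first).
MULTI_HOMOGLYPHS = {"rn": "m", "vv": "w"}
SINGLE_HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    # Cyrillic look-alikes that NFKC does not fold to Latin
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Protected brand label -> its legitimate domain (constructed for illustration).
BRANDS = {
    "wellpoint": "wellpoint.com",
    "anthem": "anthem.com",
    "premera": "premera.com",
    "opm": "opm.gov",
}

# Constructed WHOIS-style records, not real registration data.
SAMPLE_REGISTRATIONS = [
    {"domain": "we11point.com", "registrant": "Steve Rogers"},
    {"domain": "prernera.com", "registrant": "Steve Rogers"},
    {"domain": "opmsecurity.org", "registrant": "Tony Stark"},
    {"domain": "opm-learning.org", "registrant": "Tony Stark"},
    {"domain": "wellpoint.com", "registrant": "WellPoint Inc"},
    {"domain": "shopmart.com", "registrant": "Jane Doe"},
]


def normalize_label(label: str) -> str:
    """Lower-case, NFKC-fold and collapse homoglyphs so that look-alike
    spellings of a brand map onto the brand's real spelling."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI_HOMOGLYPHS.items():
        label = label.replace(seq, rep)
    return "".join(SINGLE_HOMOGLYPHS.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches single-character typos such as welpoint."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brands: dict) -> Optional[dict]:
    """Return a finding if `domain` imitates a protected brand, else None.

    Checks, strongest first: the normalised label equals the brand (typo,
    homoglyph or TLD swap); the label is within a small edit distance; the
    brand appears as the leading or a hyphen-delimited token (opmsecurity,
    opm-learning). The boundary rule keeps a short brand like "opm" from
    matching unrelated labels such as "shopmart".
    """
    domain = domain.lower().rstrip(".")
    if domain in brands.values():
        return None                       # the legitimate domain itself
    label = domain.split(".")[0]          # assumes the registrable label is first
    norm = normalize_label(label)
    best = None
    for brand in brands:
        if norm == brand:
            rank, reason = 0, "brand-match"
        elif levenshtein(norm, brand) <= max(1, len(brand) // 6):
            rank, reason = 1, "near-match"
        elif re.search(r"(^|-)" + re.escape(brand), norm):
            rank, reason = 2, "brand-prefix"
        else:
            continue
        if best is None or rank < best["rank"]:
            best = {"domain": domain, "brand": brand, "reason": reason, "rank": rank}
    return best


def link_registrants(records: list, brands: dict) -> dict:
    """Group flagged domains by registrant and return only registrants whose
    look-alikes target two or more distinct brands, with the brands hit.
    One registrant imitating several victims is the pivot that ties otherwise
    separate intrusions to a single actor."""
    targets = defaultdict(set)
    for rec in records:
        finding = classify_domain(rec["domain"], brands)
        if finding:
            targets[rec["registrant"].strip().lower()].add(finding["brand"])
    return {who: hit for who, hit in targets.items() if len(hit) >= 2}


if __name__ == "__main__":
    for rec in SAMPLE_REGISTRATIONS:
        print(rec["domain"], "->", classify_domain(rec["domain"], BRANDS))
    print("linked registrants:", link_registrants(SAMPLE_REGISTRATIONS, BRANDS))
```

Run the script directly to print each finding and the registrant link. In practice the brand list would come from the organisation's own domains, the records from a WHOIS or passive-DNS feed, and the homoglyph table should be extended with the full Unicode confusables list; the edit-distance threshold scales with brand length so that short brands are not matched by every three-letter label.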

X1 & X2

The congressional report on the OPM data breach named two groups, X1 and X2. The labels were used simply because the report would not, or could not, say who the attackers were. X1 is known to have exfiltrated manuals and documentation of OPM's IT system architecture. By December 2014 the attackers' attempts to penetrate the networks of contractors such as USIS and KeyPoint, which performed background checks on federal personnel and held access to OPM systems, were well documented.

After detecting X1 in March 2014, OPM planned a full reset of its environment to eject the intruders. In the meantime, a second group, X2, gained access to the system using a different set of legitimate credentials.

This second intrusion went undetected, so when the environment was purged X2's foothold was not removed. X1 and X2 have not been confirmed to be the same organization, or even the same individual. They may nonetheless have worked together; this belief arose because X1 had obtained information that could have been useful to X2's goals. It was likewise unclear whether Deep Panda (discussed above) was one of the two.

Psychological profiles

Understanding why particular crimes are committed, building profiles of prospective suspects, and linking crimes to individuals or groups will remain important to an investigation's success. Behavioral analysis uses both inductive and deductive approaches. In a deductive approach, a suspect's characteristics are hypothesized from analysis of specific elements of the case. In an inductive approach, a suspect is assumed to share the characteristics of known offenders, generalizing from empirical research.

Analyzing behavior patterns and comparing them is an important element of behavioral science. Criminals may not be aware that their actions resemble those of others. By definition, "signature actions are generally indications of some desire or drive the suspect seeks to appease" (Rogers, 2016).

Deep Panda follows the same procedure each time it operates, which is why the group was suspected on the basis of its profile. Whether the names X2 used when registering its domains (Steve Rogers, Tony Stark, and so on) were intended as wit is hard to tell, but they may represent a signature style: a way of signing the work, or of making sure it is remembered by others.

Behavioral analysis can also be used to determine whether one criminal or group is responsible for several crimes. The investigator looks for a comparable modus operandi (MO) or conduct across the cases. An MO is learned behavior and may change as an offender ages or improves their skills.

For that reason, observers may have been led to assume that X1 and X2 are the same actor. If X1 learned that OPM was about to perform a complete reset, it would have known it was about to lose access. The individual or group would then have had to develop a new strategy to preserve its position in the system.

That could have required changing the method of entry; had X2 used the same technique as X1, it might have been spotted earlier. X1 had installed keyloggers after getting in with legitimate employees' credentials, and X2 also used personnel credentials, which raises the possibility that X1 and X2 were the same actors (Soesanto, 2019). The only way to stay in was to modify at least part of the MO, and malware provided the backdoor and the means of maintaining that access.

Conclusion

The OPM hack was a complex case, as the preceding sections show. Psychological profiling is a tool for analyzing how people think and feel, but it can only help when actual evidence backs its claims. Two profilers can reach different conclusions from the same material. A profile is a hypothesis in need of verification rather than a fact; without verification it is only an opinion.

It is also possible that a profiler will not consider all the relevant factors. A profiler unfamiliar with technology, for instance, may miss connections that a technically knowledgeable profiler would make. Pairing two people with complementary backgrounds may help make those connections, making it easier to reach a conclusion and gather the relevant evidence.

References

Finnemore, M., & Hollis, D. B. (2016). Constructing norms for global cybersecurity. American Journal of International Law, 110(3), 425-479.

Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China's Captain America. CSO Online (IDG).

Hinck, G., & Maurer, T. (2019). Persistent enforcement: Criminal charges as a response to nation-state malicious cyber activity. Journal of National Security Law & Policy, 10, 525.

Rogers, M. K. (2016). Psychological profiling as an investigative tool for digital forensics. In Digital Forensics (pp. 45-58). Syngress.

Soesanto, S. (2019). The evolution of US defense strategy in cyberspace (1988-2019). ETH Zurich, Research Collection.