CybersecurityBreach of background-checks database may lead to blackmail

Published 30 April 2015

Newly released documents show how hackers infiltrated servers used by US Investigations Services(USIS), a federal contractor which conducts background checks for DHS. In a House Oversight and Government Reform Committeehearing last week, Representative Elijah Cummings (D-Maryland) said more than 27,000 personnel seeking security clearances likely were affected by the USIS breach. Similar hacks also affected servers at the Office of Personnel Management(OPM), which holds information on security clearance investigations. Once hackers have a list of employees who possess government security clearances, they can exploit other aspects of those employees’ lives for malicious gain.

Newly released documents show how hackers infiltrated servers used by US Investigations Services (USIS), a federal contractor which conducts background checks for DHS. In a House Oversight and Government Reform Committee hearing last week, Representative Elijah Cummings (D-Maryland) said more than 27,000 personnel seeking security clearances likely were affected by the USIS breach. Similar hacks also affected servers at the Office of Personnel Management (OPM), which holds information on security clearance investigations.

Both USIS and OPM were hacked around March 2014, and while the security controls in place at OPM’s networks shielded employee information, the networks at USIS were not as secured.

At USIS, hackers deployed spyware designed to capture screenshots when a background check window was open, according to Stroz Friedberg, a digital forensics firm. “The attacker installed screen-scrapping malware on systems and specifically configured that malware to grab screenshots only when background investigations-related applications were being displayed on the screen,” Stroz Friedberg Managing Director Bret Padres wrote in a September 2014 letter to USIS’s attorneys.

The use of spyware that executed only under specific conditions implies that hackers did not want to raise alarms, said Richard Barger, chief intelligence officer at ThreatConnect and a former Army intelligence analyst. “Many of those background check systems are very highly audited.”

—————————————————————————————————————-

See also:

—————————————————————————————————————-

According to NextGov, hackers infiltrated a network belonging to one of USIS’s suppliers, which stored enterprise resource planning software. That network was connected to USIS’s network. “The attacker was able to navigate from the third-party-managed environment into the USIS network in late (redacted) by successfully brute-forcing a password on an application server,” wrote Padres, referring to a hacking technique that systematically checks all possible passwords. “Once the attacker was able to log in to that server, the attacker installed a malicious backdoor.”

Once hackers have a list of employees who possess government security clearances, they can exploit other aspects of those employees’ lives for malicious gain. Last fall, a database belonging to Anthem was breached, but the company has said it found no indication that diagnosis or treatment information was compromised. Knowledge of an individual’s security clearance level and medical information can be used by foreign nations to recruit human assets.

“If I know you have a clearance from the USIS breach and I know that maybe your husband or wife has cancer from the Anthem breach, maybe I can approach you and say: ‘You work at Langley. You’ve got access to sensitive information. Maybe if I give you $50,000 a year just to tell me a little bit about what you do, maybe I can eventually convince you to betray your country,’” Barger said.

Ron Gula, chief executive officer of Tenable Network Security and a former National Security Agency researcher, believes the hackers in the USIS breach had major financial backing, but he stops short of attributing the breach to a nation-state. “Somebody on the other side of this attack had to come into work every day and check on these systems — and make a decision on when are we going to start being more proactive. That requires people. That requires planning. That requires resources,” said Gula.

Although details of the USIS hack suggest a nation-state involvement, other well-funded, private entities could have had a reason to want the biographies of individuals with security clearances. “Folks who do classified, cleared work, they are all hurting for people,” Gula said. “Every one of them is trying to get the next cleared cyber genius. They are all competing, and it is very cutthroat.”