Source: Wired.com | Brendan I. Koerner | October 23, 2016
The US Office of Personnel Management doesn’t radiate much glamour. As the human resources department for the federal government, the agency oversees the legal minutiae of how federal employees are hired and promoted and manages benefits and pensions for millions of current and retired civil servants. The core of its own workforce, numbering well over 5,000, is headquartered in a hulking Washington, DC, building, the interior of which has all the charm of an East German hospital circa 1963. It’s the sort of place where paper forms still get filled out in triplicate.
The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit. Since the previous December, OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.
Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org. But the agency owned no such domain. The OPM-related name suggested it had been created to deceive. When Saulsbury and his colleagues used a security program called Cylance V to dig a little deeper, they located the signal’s source: a file called mcutil.dll, a standard component of software sold by security giant McAfee. But that didn’t make sense; OPM doesn’t use McAfee products. Saulsbury and the other engineers soon realized that mcutil.dll was hiding a piece of malware designed to give a hacker access to the agency’s servers.
The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away. But in this case, the engineers noticed two unusually frightening details. First, opmsecurity.org had been registered on April 25, 2014, which meant the malware had probably been on OPM’s network for almost a year. Even worse, the domain’s owner was listed as “Steve Rogers”—the scrawny patriot who, according to Marvel Comics lore, used a vial of Super-Soldier Serum to transform himself into Captain America, a member of the Avengers.
Registering sites in Avengers-themed names is a trademark of a shadowy hacker group believed to have orchestrated some of the most devastating attacks in recent memory. Among them was the infiltration of health insurer Anthem, which resulted in the theft of personal data belonging to nearly 80 million Americans. And though diplomatic sensitivities make US officials reluctant to point fingers, a wealth of evidence ranging from IP addresses to telltale email accounts indicates that these hackers are tied to China, whose military allegedly has a 100,000-strong cyberespionage division. (In 2014 a federal grand jury in Pennsylvania indicted five people from one of that division’s crews, known as Unit 61398, for stealing trade secrets from companies such as Westinghouse and US Steel; all the defendants remain at large.)
Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives. “Everyone can always say, ‘Oh, yeah, the Pentagon is always going to be a target, the NSA is always going to be a target,’” says Michael Daniel, the cybersecurity coordinator at the White House, who was apprised of the crisis early on. “But now you had the Office of Personnel Management as a target?”
To figure out why the hackers had trained their sights on OPM, investigators would have to determine what, if anything, had been stolen from the agency’s network over the preceding year. But first they had to hunt down and eliminate the malware on its network, an archaic monstrosity that consisted of as many as 15,000 individual machines.
CURTIS MEJEUR WAS a victim of dreadful timing. A wry and diminutive former marine who had served in Fallujah, where he mapped insurgent strongholds as part of an intelligence unit dubbed the Hobbits, Mejeur started work as one of OPM’s senior IT strategists on April 1, 2015. He was still getting acclimated to his new job when, on the morning of April 16, he was handed the most daunting assignment of his career: Lead the effort to snuff out the attack on the agency’s network.
Based on the little he’d already heard about the malware’s power and lineage, Mejeur was certain his investigation would uncover plenty of nasty surprises. But he wouldn’t have to deal with them alone; early that morning, a team of engineers from the US Computer Emergency Readiness Team, the Department of Homeland Security unit that handles digital calamities, marched into OPM’s headquarters. The engineers set up a command post in a windowless storage room in the subbasement, just down the hall from where Saulsbury had discovered the hack less than 24 hours earlier.
Since they couldn’t trust OPM’s compromised network, the visitors improvised their own by lugging in workstations and servers that they could seal behind a customized firewall. Soon enough, the subbasement was filled with the incessant clatter of keyboards, occasionally punctuated by the hiss of a Red Bull being popped open. The dozen-plus engineers rarely uttered more than a few words to one another, which is how they prefer to operate.