The National Archives and Records Administration recently detected unauthorized activity on three desktops indicative of the same hack that extracted sensitive details on millions of current and former federal employees, government officials said Monday. The revelation suggests the breadth of one of the most damaging cyber assaults known is wider than officials have disclosed.
The National Archives’ own intrusion-prevention technology successfully spotted the so-called indicators of compromise during a scan this spring, said a source involved in the investigation, who was not authorized to speak publicly about the incident. The discovery was made soon after the Department of Homeland Security’s U.S. Computer Emergency Readiness Team published signs of the wider attack — which targeted the Office of Personnel Management — to look for at agencies, according to NARA.
It is unclear when NARA computers were breached. Suspected Chinese-sponsored cyberspies reportedly had been inside OPM’s networks for a year before the agency discovered what happened in April. Subsequently, the government uncovered a related attack against OPM that mined biographical information on individuals who have filed background investigation forms to access classified secrets.
The National Archives has found no evidence intruders obtained “administrative access,” or took control, of systems, but files were found in places they did not belong, the investigator said.
Diachenko said, “Continued analysis with our monitoring and forensic tools has not detected any activity associated with a hack,” including alerts from the latest version of a governmentwide [sic] network-monitoring tool called EINSTEIN 3A.
EINSTEIN, like NARA’s own intrusion-prevention tool, is now configured to detect the tell-tale signs of the OPM attack.
“OPM isn’t the only agency getting probed by this group,” said John Prisco, president of security provider Triumfant, the company that developed the National Archives’ tool. “It could be happening in lots of other agencies.”
The malicious operation tries to open up ports to the Internet so it can exfiltrate information, Prisco said.
“It’s doing exploration work laterally throughout the network and then it’s looking for a way to communicate what it finds back to its server,” he added.
Full article: EXCLUSIVE: Signs of OPM Hack Turn Up at Another Federal Agency (Nextgov)