The Chinese hackers who are believed to have broken into the US government’s human resources office may be trying to map the government, recruit spies and access networks in other departments, experts warned.
The FBI said late last week that it was investigating the breach at the Office of Personnel Management that could have affected up to 4m current and former federal employees.
People familiar with the matter said hackers in China were suspected of being responsible for the attack on the agency, which holds files on employees working across the federal government.
China has strongly denied it is responsible for the attacks, accusing the US of making “groundless accusations” and being “irresponsible”.
Even if the hack was not sponsored by the Chinese government, Chinese hackers could still be responsible. The line between nation-state attackers and individuals is blurred, as some of those employed by the government to hack during working hours use the same tools to hack on their own account outside working hours.
While many cyber criminals who try to steal personal data intend to sell the information to fraudsters on underground markets, cyber security experts say the government employee database hack appeared to be a very different kind of attack.
Jim Lewis, a director at the Center for Strategic and International Studies in Washington, said he believed the Chinese government was compiling a database of US government employees.
He linked the incident — revealed only last week but discovered in April — to a previous cyber attack on the same organisation, as well as to earlier attacks on Anthem, a provider of health insurance for government employees, and on two background checking contractors.
“I think . . . the Chinese are building a big biographic database of US government employees, using the same kind of data mining tools that retailers and credit card companies use,” he said.
Most large intelligence agencies try to create databases on their opposition to “understand how your opponent is going to play the game”, Mr Lewis added, noting that such a treasure trove could help in recruiting informants.
Marc Goodman, a cyber security expert who has worked with the UN, Nato and the US government, said the information would be useful to China from a “geopolitical, strategic, national security perspective”.
He said the hackers could use the database to find staff with high security clearance and access sensitive information that could be used to manipulate them.
“If you see, for example, that a worker’s wife has breast cancer and medical bills of $200,000, it makes them a much more interesting target if you want to recruit them to spy on behalf of China,” he said.
The information could also be used to guess passwords and gain entry to networks in departments across government, with data about system administrators — who can roam across networks — being a particular target.
The OPM has been a frequent target, he said, because it had tracked every employee and yet probably had a poorer understanding of the counter-intelligence threat than a department such as defence, the FBI or the intelligence agencies.
“It’s a common weakness in the system. The OPM is the central repository for information on a US ambassador or a three-star general or a single kid in Nevada flying a drone for the army,” he said.
The OPM said it had made “an aggressive effort” to update its cyber security in the last year but the intrusion predated the adoption of these tougher controls. It added that it had introduced even more protections since the attacks.
But Ryan Wager, global threat strategist at vArmour, a US cyber security company, said the hackers could have remained inside the network since the previous attack.
“Most campaigns are actually correlated even if they seem like multiple autonomous attacks,” he said. “If you were breached months or years ago and there is no visibility inside the network there is no way to make sure they didn’t compromise it. Typically they don’t know how far it spread.”