The media has picked up on the Washington Post story that the Chinese government is behind the intrusion at the Office of Personnel Management (OPM). While I’m not usually in the position of defending the Chinese, I’m skeptical that China is behind this incident. Here’s why:
- The information has little intelligence value. Why the Chinese government would care about the social security numbers of every clerk in the Commerce Department is beyond me. The theory that it can be used in spear phishing campaigns doesn’t make much sense. LinkedIn and Facebook have much more detailed information. So does the Plum Book and publicly available databases on federal employee salaries. Many close watchers of Chinese cyber activities have observed that Chinese actors have been less brazen since the Mandiant report and the PLA indictments. The fallout from getting caught isn’t worth the intelligence gain.
- The intruder burned a zero-day. If reports are true that the intruders used a zero-day, it would indicate that they really wanted the information—they were willing to give up opportunities to use the vulnerability to go after other targets. It would mean that, in this case, the intruder did not target OPM simply because they could, but because they really valued the information OPM had.
- The information is more valuable to criminals. It doesn’t make sense that the Chinese government would value the stolen information to this degree. Criminals are the more likely culprits. This is the same kind of information that was stolen in the Anthem and CareFirst breaches—it’s information that you need to file fraudulent insurance claims or commit tax fraud. Senator Collins is the only official who has gone on the record and who may have had access to actual intelligence. She has said the hackers are believed to be “based” in China, a far cry from direct attribution to the Chinese government.
- I don’t trust the sources. The sources that told the press the attack had been linked to China probably committed a crime. The information would have been part of an ongoing criminal investigation and would likely be the result of classified intelligence activity. Few people would have access to that information and the leakers would be putting their careers at risk. While there are certainly times when the federal government purposefully shares attribution information like this, I doubt this leak was a policy decision.
Of course, claiming to know something you don’t in fact know and sharing that with a reporter isn’t a crime. It’s usually pretty easy for a reporter to find someone willing to give a quote to make a story. That’s what happened a year ago when news outlets reported that the NSA had been exploiting the Heartbleed vulnerability for two years, leading the NSA to tweet out a firm denial. In this case, I doubt anyone in the federal government is going to rush to defend the Chinese government, which is no doubt guilty of a thousand other crimes in cyberspace.