One Year After Office of Personnel Management (OPM) Breach, Federal Agencies Still Vulnerable

June 9, 2016 | Kevin Bocek
Key Takeaways
  • It’s now 1 year since the U.S. government first revealed the Office of Personnel Management (OPM) breach in June 2015
  • The OPM breach resulted in the theft of over 20 million records
  • The attack used digital certificates to make fake sites appear secure with the HTTPS padlock and make malware look as if it was code from a legitimate source
  • The misuse of certificates in attacks continues to go undetected by most organizations, creating security blind spots
  • Venafi enables organizations to identify certificate misuse and prevent these types of breaches

This week marks one year since the U.S. government revealed, in June 2015, that Chinese attackers had breached the U.S. Office of Personnel Management (OPM). The attackers stole over 20 million records on government employees, contractors, and others, including 5.6 million fingerprint records and millions of highly sensitive background checks. All of this data could be used to support the activities of other nation states for years to come. After visiting my old home of Washington, DC, I thought I'd put together a few thoughts on how this attack might have been prevented, or at least quickly identified and stopped, minimizing exposure and damages.


How the OPM was attacked

First, the bad guys used digital certificates to make malicious websites appear trusted. TLS certificates authenticate a server and enable encrypted connections over HTTPS, and browsers reward an HTTPS site with the padlock icon in the address bar. The padlock, however, only means that the connection is encrypted to whoever controls the domain name shown; it says nothing about whether that domain is the legitimate one. When HTTPS is used on malicious sites, it creates a false sense of security.

The bad guys established fake sites pretending to be OPM-related services. Fake sites like operated undetected for at least 5 months.

In addition, the bad guys used digital certificates to sign malware. Code-signing certificates are used to verify the source and integrity of software, but a valid signature only proves that the signer held the private key, not that the signer was the certificate's rightful owner. Using stolen certificates therefore let the malware inherit the reputation of a legitimate publisher and evade detection by traditional security controls. The bad guys used legitimate certificates stolen from Korean companies. (These same certificates and malware were also used in the Anthem breach.)

Why the attack worked

Using certificates allowed the bad guys to hide behind the HTTPS protocol. With the browser padlock displayed in the address bar, the fake sites appeared to be secure. Users are trained to associate the padlock with safety and security, not to check which domain the certificate was actually issued for.

Unfortunately, the OPM security team did not detect the weaponized certificates (the certificates misused in the attack) as an early warning sign of the attack. If they had, the resulting breach of millions of sensitive personnel records by Chinese agents could have been prevented.

Left alone, the problem will only get worse

In the US federal government, these problems are only going to escalate (although these trends apply to all organizations):

  • Using malicious certificates in attacks will be the default.
    There is a new U.S. federal agency mandate (OMB memorandum M-15-13, the HTTPS-Only Standard) requiring HTTPS on all public-facing federal websites. This will force bad guys to use certificates simply to blend in. Knowing the reputation of a certificate—whether it should be trusted or is likely being misused as part of an attack—will become much more important in any environment that is 100% HTTPS.
  • Encryption certificates will be used to bypass security controls, creating security blind spots.
    As encrypted traffic grows, most inbound attacks will be hidden within encrypted channels. Organizations will need to be able to inspect encrypted traffic to determine whether it should be trusted.

    Security systems, like IPS/IDS, Next Gen Firewalls, Sandboxes, and/or dedicated SSL Visibility appliances, need ready access to the current and active encryption keys. This access is required to decrypt and inspect encrypted traffic in real time. One caveat: with forward-secret cipher suites (ECDHE), holding the server's private key is not enough for a passive device to decrypt a session, so inspection in those deployments requires either terminating TLS on the inspecting device or exporting per-session keys to it.

    Without this visibility into malicious activity hidden within encrypted traffic, organizations will be increasingly blind and vulnerable to attacks. This is why integrating key and certificate security with Blue Coat, Palo Alto Networks, and other security controls is so important.

Preventing this type of attack

This anniversary reminds us of the importance of key and certificate security. Given the proper security, attacks against the OPM could have been prevented or at least stopped much earlier.  Currently, Venafi is the only solution that provides the required visibility into certificates being weaponized in attacks, whether on a customer’s network or across the Internet. All of this is why organizations must make full use of Venafi to protect all of their keys and certificates.

How Venafi helps

Venafi helps prevent these attacks:

  • Detects the misuse of certificates across the Internet.
    With continuous monitoring, security teams can identify certificates that are likely being used in attacks much earlier, and use that information to stop a breach in progress or prevent it outright.
  • Identifies a baseline and uses it to detect the misuse of certificates on internal networks.
    With Venafi TLS Protect, organizations can establish a baseline of what should be trusted. They do this by discovering and validating their keys and certificates: which certificates exist, who issued them, where they are deployed, and who owns them. Organizations can then quickly identify anomalous certificate usage, whether on their network or across the Internet.

It’s not a new problem

The malicious use of certificates was first well documented in the Mandiant APT1 report. It shows how certificates have been misused to hide malicious activities within encrypted traffic and trick users into believing sites are real or not a threat.

The APT1 Appendix in this report lists dozens of certificates, purporting to be from IBM, AOL, and others, that went undetected but were clearly malicious and anomalous. And a growing number of bad guys are obtaining completely valid and trusted certificates from the likes of Let's Encrypt, which provides encryption certificates for free. Those are domain-validated certificates: they prove only that the requester controlled the domain at issuance, not that the site behind it is legitimate, so a lookalike domain with a valid padlock is exactly what the issuance model permits.
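The baseline-and-anomaly approach described under "How Venafi helps," and the APT1-style certificates above (self-signed, subject claiming a brand such as IBM or AOL, names that have nothing to do with that brand's domains), can be reduced to a small set of checks. The script below is an added example, not Venafi code or anything from the Mandiant report: the brand table, approved issuers, inventory serials, stolen-serial list and the five certificate observations are all constructed for illustration, and the registrable-domain helper is a deliberate two-label shortcut rather than a Public Suffix List lookup.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    """Fields a sensor or CT-log monitor extracts from an X.509 certificate."""
    subject_cn: str
    subject_o: str
    issuer_cn: str
    sans: tuple      # dNSName entries from subjectAltName
    serial: str


# Hypothetical baseline. In practice it comes from discovery of deployed
# certificates plus the org's registered domains and the CAs it buys from.
BRANDS = {
    "OPM": {"tokens": {"opm"}, "orgs": {"office of personnel management"},
            "domains": {"opm.gov"}},
    "IBM": {"tokens": {"ibm"}, "orgs": {"ibm", "ibm corporation"},
            "domains": {"ibm.com"}},
    "AOL": {"tokens": {"aol"}, "orgs": {"aol", "aol inc"},
            "domains": {"aol.com"}},
}
OWN_BRAND = "OPM"                          # the namespace we defend
APPROVED_ISSUERS = {"Example Gov CA G1"}   # CAs allowed to issue for opm.gov
INVENTORY_SERIALS = {"01:AA:03:CC"}        # certificates discovery found deployed
STOLEN_SERIALS = {"4F:2A:11:0B"}           # known-compromised signing certificates


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def registrable(name):
    # Crude last-two-label heuristic; production code should use the Public Suffix List.
    parts = name.lower().lstrip("*.").split(".")
    return ".".join(parts[-2:])


def analyze(cert):
    """Return a list of human-readable findings; an empty list means nothing anomalous."""
    findings = []
    names = {cert.subject_cn, *cert.sans}
    own_domains = BRANDS[OWN_BRAND]["domains"]

    if cert.serial in STOLEN_SERIALS:
        findings.append("serial matches a known stolen certificate")

    # Brand impersonation: the subject claims an organisation, but the names the
    # certificate covers are not under that organisation's domains (lookalike
    # sites), or it is self-signed (the APT1 pattern: Issuer == Subject == 'IBM').
    for brand, spec in BRANDS.items():
        claims = (cert.subject_o.lower() in spec["orgs"]
                  or bool(spec["tokens"] & tokens(cert.subject_cn)))
        if not claims:
            continue
        outside = sorted(n for n in names if registrable(n) not in spec["domains"])
        if outside:
            findings.append(f"claims {brand} but covers names outside its domains: {outside}")
        if cert.issuer_cn == cert.subject_cn:
            findings.append(f"self-signed certificate claiming {brand}")

    # Internal baseline: anything valid for our own namespace must come from an
    # approved CA and must already be in the discovered inventory.
    if any(registrable(n) in own_domains for n in names):
        if cert.issuer_cn not in APPROVED_ISSUERS:
            findings.append(f"{OWN_BRAND}-namespace certificate from non-approved CA '{cert.issuer_cn}'")
        if cert.serial not in INVENTORY_SERIALS:
            findings.append(f"{OWN_BRAND}-namespace certificate absent from inventory")
    return findings


# Constructed observations; none of these are real certificates from the OPM incident.
OBSERVATIONS = [
    CertObservation("www.opm.gov", "Office of Personnel Management",
                    "Example Gov CA G1", ("www.opm.gov",), "01:AA:03:CC"),
    CertObservation("opm-benefits.example", "Office of Personnel Management",
                    "opm-benefits.example", ("opm-benefits.example",), "00:01"),
    CertObservation("IBM", "IBM", "IBM", (), "00:02"),
    CertObservation("mail.opm.gov", "Office of Personnel Management",
                    "Some Free CA", ("mail.opm.gov",), "7B:7B"),
    CertObservation("Example Software Co", "Example Software Co",
                    "Example Public CA G2", (), "4F:2A:11:0B"),
]


def triage(observations=OBSERVATIONS):
    """Map each observed subject CN to its findings, keeping only the anomalies."""
    return {c.subject_cn: f for c in observations if (f := analyze(c))}


if __name__ == "__main__":
    for cn, findings in triage().items():
        print(cn)
        for finding in findings:
            print("  -", finding)
```

Only the legitimate www.opm.gov certificate comes back clean. The lookalike and the bare "IBM" certificate trip the brand checks, the mail.opm.gov certificate trips the internal baseline twice (unknown CA, not in inventory), and the signing certificate is caught purely by serial, which is the check that would have applied to the stolen Korean code-signing certificates regardless of what the malware looked like.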

Government agencies need to stop these breaches by strengthening key and certificate security. They need to know where their keys and certificates live, who owns them, and which ones are trusted (and which ones aren’t).

The good news is Venafi can help. We already protect the keys and certificates of over 260 of the Global 5000. Even as government agencies work to scope and secure budget for major security updates, Venafi can help them manage machine identities to protect the foundation of their cybersecurity.

About the author

Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.