This week is the 1-year anniversary of when the government revealed in June 2015 that the Chinese had attacked the U.S. Office of Personnel Management (OPM). Attackers stole over 20 million records of government employees, contractors, and others. This included 5.6 million fingerprint records and millions of highly sensitive background checks. All of this data could be used to support the nefarious activities of other nation states. After visiting my old home of Washington, DC, I thought I’d put together a few thoughts on how this attack might have been prevented, or at least quickly identified and stopped, minimizing exposure and damages.
First, the bad guys used digital certificates to make malicious websites appear trusted. Digital certificates are used to enable secure Internet connections using HTTPS. Sites with HTTPS display a secure padlock icon in the address bar. When HTTPs is used on malicious sites, it creates a false sense of security.
The bad guys established fake sites pretending to be OPM-related services. Fake sites like opmsecurity.org operated undetected for at least 5 months.
In addition, the bad guys used digital certificates to sign malware. Digital certificates are used to verify the source and integrity of software. Using stolen certificates allowed the malware to appear legitimate and evade detection by traditional security controls. The bad guys used legitimate certificates stolen from Korean companies. (These same certificates and malware were also used in the Anthem breach.)
Using certificates allowed the bad guys to hide behind the HTTPS protocol. With the browser padlock displayed in the address bar, the fake sites appeared to be secure. Users are trained to identify the padlock with safety and security.
Unfortunately, the OPM security team did not detect the weaponized certificates (the certificates misused in the attack) as an early warning sign of the attack. If they had, the resulting breach of millions of sensitive personnel records by Chinese agents could have been prevented.
In the US federal government, these problems are only going to escalate (although these trends apply to all organizations):
This anniversary reminds us of the importance of key and certificate security. Given the proper security, attacks against the OPM could have been prevented or at least stopped much earlier. Currently, Venafi is the only solution that provides the required visibility into certificates being weaponized in attacks, whether on a customer’s network or across the Internet. All of this is why organizations must make full use of Venafi to protect all of their keys and certificates.
Venafi helps prevent these attacks:
The malicious use of certificates was first well documented in the Mandiant APT1 report. It shows how certificates have been misused to hide malicious activities within encrypted traffic and trick users into believing sites are real or not a threat.
The APT1 Appendix in this report lists dozens of certificates, purporting to be from IBM, AOL, and others, that went undetected but were clearly malicious and anomalous. And a growing number of bad guys are obtaining completely valid and trusted certificates from the likes of Let’s Encrypt, which provides encryption certificates for free.
Government agencies need to stop these breaches by strengthening key and certificate security. They need to know where their keys and certificates live, who owns them, and which ones are trusted (and which ones aren’t).
The good news is Venafi can help. We already protect the keys and certificates of over 260 of the Global 5000. Even as government agencies work to scope and secure budget for major security updates, Venafi can help them protect the foundation of their cybersecurity—keys and certificates.