The FBI, he said, continues to probe the incident. So far, no additional details have emerged from their efforts. Beyond assertions that the attack was launched via a remote access trojan (RAT), it is still unclear how the attack was launched, says Paul Shomo, senior software development manager at Guidance Software, which was called in to do a forensic investigation.
Saying that he didn't “know that OPM is unique” and that “the bad guys, especially state financed actors, have outpaced detection methods,” Shomo said it was possible that signs of the attack were “lost in a mountain of security events.”
Organizations, he explained, “often get as much as a million events a day, many of which are false positives.”
In fact, the Department of Homeland Security (DHS), apparently concerned about attacks, had issued a May Binding Operations Directive (BOD), the first of its kind, telling agencies to patch critical vulnerabilities in their networks, according to a report by Federal News Radio. A bill passed by Congress last year gave the department that authority.
Investigators do not yet know the motives behind the attack, James Carder, CISO of LogRhythm and vice president of LogRhythm Labs, told SCMagazine.com in an emailed statement.
“[This] could be literally anything from identity theft and fraud to full extortion and individual targeting,” Carder wrote.
The information “could be used for general financial gain or to obtain US intelligence and intellectual property,” he said, noting the most “interesting information” is OPM's security clearance data. “Pieces of the data could even be split off and sold to other nations or criminal groups.”
One thing is for certain, Carder explained, “OPM was targeted for the rich, single source of federal employee identities.”
If attackers targeted a single agency, “then you get that entity's information, but if you target OPM, you get the information for all the federal entities,” Carder said.