Part II: The Hack Itself
In June 2015, OPM publicly reported that it had fallen victim to a data breach, initially said to affect only 4 million people. Information was released slowly, minimizing the shock value of what had actually transpired, including which types of data had initially been taken. It was claimed that there were actually two attacks: a first occurrence in which OPM does not even understand what happened, and a second carried out by way of social engineering, in which a malicious attacker claiming to be a KeyPoint Government Solutions contractor employee obtained admin login credentials. Surely the employees would be trained about the dangers of social engineering; in some companies this is done yearly, but that does not seem to have been the case at OPM.
https://www.wsj.com/articles/u-s-suspects-hackers-in-china-behind-government-data-breach-sources-say-1433451888
https://archive.li/Fep3g
Luckily, a third party affiliated with the Department of Homeland Security (DHS) notified OPM of the first breach, known as the X1 incident. Interestingly, there is some controversy over which party actually found the second attack, dubbed the X2 incident. First, the New York Times reported that the infiltration was discovered using the United States Computer Emergency Readiness Team (US-CERT)'s Einstein intrusion-detection program. Second, The Wall Street Journal reported that it may have been uncovered during a product demonstration of CyFIR, a commercial forensic product from CyTech Services, a security company in Manassas, Virginia. Third, OPM spokesman Sam Schumach stated that it was detected by OPM personnel using a Cylance software solution. However, the House of Representatives' Majority Staff Report on the OPM breach concluded that both tools independently "discovered" the malicious code running on the OPM network (see pages 91 and 125 of 2015-06-16-FC-OPM-Data-Breach.GO167000.pdf).
https://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html
https://archive.li/JniS4
https://www.wsj.com/articles/u-s-spy-agencies-join-probe-of-personnel-records-theft-1433936969
https://web.archive.org/web/20180726063140/https://www.wsj.com/articles/u-s-spy-agencies-join-probe-of-personnel-records-theft-1433936969
https://arstechnica.com/information-technology/2015/06/report-hack-of-government-employee-records-discovered-by-product-demo/
https://archive.li/J3HC5
http://fortune.com/2015/06/12/cytech-product-demo-opm-breach/
https://archive.li/9gdCz
https://oversight.house.gov/wp-content/uploads/2015/06/2015-06-16-FC-OPM-Data-Breach.GO167000.pdf (document was photocopied, unable to search by keyword)
https://web.archive.org/web/20180726064505/https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
And here is where things get weird: in November 2014, FBI-affiliated CrowdStrike (the third party that investigated the DNC server, on whose findings the FBI relied) reported that it had discovered the malware at the same time the reported hack began, in July 2014. What a coincidence!
https://www.csoonline.com/article/2942601/disaster-recovery/fbi-alert-discloses-malware-tied-to-the-opm-and-anthem-attacks.html
The following link is for IT professionals, as it is more technical in nature:
https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/
https://archive.li/LxdXU
I am not going to delve into CrowdStrike because it is outside the scope of this research, but I will leave a link below on the connections within this group, courtesy of u/Intlrnt; it ultimately links back to Uranium One, another coincidence surely.
https://old.reddit.com/r/greatawakening/comments/91rvsw/excellent_concise_insightful_summary_of_dnc/
https://archive.li/X296e
Next: Part III - Forthcoming OPM Breach IG Report