Why hackers target background investigation databases

Foreign hackers are targeting background investigation databases to blackmail US government personnel or to try to bribe them.

It is not a mystery that Chinese hackers continuously target US companies and government offices, the attackers usually backed by the Government of Bejing mainly run cyber espionage campaigns to steal intellectual property and any kind of information related to person of interest belonging to “persons of interest.”

Security experts confirmed that Chinese hackers are targeting background check files to gather information on the US people.

The recent cyber attacks at the Office of Personnel Management (OPM), the USIS and KeyPoint Government Solutions, are the demonstration of the great interest of foreign hackers in the information on specific individuals.

The attackers use to target background investigation databases to gather detailed information about specific profiles or communities of interest.

“Newly revealed information about how hackers broke into a company conducting millions of background investigations on national security employees shows the lengths to which attackers are willing to go to steal U.S. secrets. ” reported the Nextgov

The attack scheme is easy as efficient, the attack in the majority of cases begins with a spear phishing attack that is the vector for malicious code used to infect the victims’ machines ad grab the video whenever background investigation software was being used.
There are various tactics adopted by Chinese hackers, the attackers always search for the weakest link in the security chain, in many cases this link is represented by the victims’ suppliers. Hackers use to target subcontractors to hit enterprises due the poor level of security they offer. The situation is particularly serious in the energy sector.

“The attacker was able to navigate from the third-party-managed environment into the USIS network in late [redacted] by successfully brute-forcing a password on an application server,” Stroz Friedberg Managing Director Bret Padres wrote in the letter, obtained by Nextgov.

“Once the attacker was able to log in to that server, the attacker installed a malicious backdoor” to provide easy access, Padres wrote.

The attacks against companies like the USIS are not a surprise, these companies create detailed dossiers on government officials that could be used by the threat actors to conduct further attacks against the targeted organization.

Let me add that China isn’t the unique country that target US organization searching for background investigation databases, Russian hackers also represent a serious threat to the US.

To better understand why attackers target background investigation databases, let’s think to the information that a state-sponsored hacker can gather linking data from a government personnel databases and health care databases like the one compromised in the Anthem hack.  Intruders can easily obtain precious data related to the family lives of federal employees who might be susceptible to bribery or blackmail. This information could allow an attacker establish a contact with the victims and obtain an easy access to classified information by exploiting the human weakness.

“The breach of an Anthem health care database last fall affected federal employee subscribers as well as BCBS federal members who aren’t covered by Anthem but received BCBS services in a state where Anthem operates. But “if I know you have a clearance from the USIS breach and I know that maybe your husband or wife has cancer from the Anthem breach, maybe I can approach you and say: ‘You work at Langley. You’ve got access to sensitive information. Maybe if I give you $50,000 a year just to tell me a little bit about what you do, maybe I can eventually convince you to betray your country,'” Barger said, as an example of how medical data could be used to recruit human assets.”

The protection of background Investigation database is becoming a question of Homeland security, a cyber security strategy must properly address it, even when these archives are managed by private companies.

Pierluigi Paganini

(Security Affairs – background Investigation database, state-sponsored hackers)