Summary
In 2015 the US Office of Personnel Management disclosed one of the most damaging government breaches in history. Attackers widely attributed to China stole background-investigation records on about 21.5 million people: the SF-86 security-clearance forms that catalogue relatives, finances, foreign contacts, mental-health history, and other intimate detail, along with 5.6 million sets of fingerprints. A linked disclosure covered personnel records on 4.2 million current and former federal employees. Initial access came through a contractor's credentials, there was no multi-factor authentication on the systems that mattered, the data sat unencrypted, and the intruders dwelt undetected for about a year. OPM had been warned for years about exactly these gaps. It is not a story about money; it is a counterintelligence catastrophe, and a lesson in MFA, contractor access, encryption, and minimising the most sensitive data you hold.
How it happened
There were two linked intrusions. The first was uncovered in March 2014; those intruders had taken system manuals and network-architecture documents, reconnaissance material rather than personnel data, and OPM watched them before evicting them in May 2014. The second, and far worse, had already begun by May 2014, when attackers used valid credentials belonging to KeyPoint, a private contractor that performs background investigations (one of two such contractors hit, alongside USIS, which was breached separately). With that foothold they installed the PlugX and Sakula backdoors and moved laterally through OPM's network to the crown jewels: the databases holding completed SF-86 security-clearance investigations, exfiltrated in mid-2014, followed by the personnel records on 4.2 million current and former federal employees in December 2014.
Almost nothing stopped them. There was no MFA on the systems that mattered, so a stolen password was a full key. The most sensitive records were not encrypted at rest. The government's signature-based intrusion-detection system (DHS's EINSTEIN) did not recognise the novel tooling, and the intruders sat undetected for roughly a year. The second breach was discovered only on 15 April 2015, almost by accident, when an OPM engineer decrypted outbound traffic and found it beaconing to command-and-control domains built to look like OPM's own (opmsecurity.org among them, registered under the comic-book aliases "Steve Rogers" and "Tony Stark"), and a security product OPM was then trialling lit up on the malware. Investigators tied the operation to a China-nexus group, a textbook APT: patient, state-resourced, and after secrets rather than cash.
The damage
The numbers are staggering but undersell it. The 21.5 million covers 19.7 million people who applied for clearances and 1.8 million others, mostly spouses and cohabitants named on the forms: essentially everyone investigated since 2000. These SF-86 records are the most personal dossier the US government keeps: every relative, every foreign contact, every past financial problem, drug use, and mental-health treatment, the exact material a foreign intelligence service uses to identify, pressure, and recruit. Add 5.6 million fingerprint sets (a figure OPM first put at 1.1 million before revising upward), which can never be reissued, and the login credentials applicants used to complete the forms. There was no fraud, because the goal was espionage: an adversary now holds a searchable map of essentially everyone with a US security clearance and their personal vulnerabilities. OPM's director resigned. It is the canonical breach you cannot undo: you cannot give people new fingerprints or a new history.
Why OPM still matters
OPM is the clearest example of a long-dwell APT intrusion and of how ordinary control failures, not exotic exploits, let it happen. Every lesson is mundane and was known in advance. Require phishing-resistant MFA everywhere, especially for remote and contractor access, because a contractor's stolen password was the way in; the galling part is that MFA here was not a missing technology at all, since the government's own PIV smart-card standard was already mandated and OPM had simply not enforced it on a single one of its major applications. Hold third parties to the same security bar as employees. Encrypt sensitive data at rest so a stolen credential yields far less. Invest in detection and long-dwell threat hunting rather than signature-matching alone. Minimise how much irreplaceable data you collect and how long you keep it. No one was ever charged with the intrusion itself; the only related US arrest was of Yu Pingan, a broker of the Sakula malware, in 2017, underscoring that this was state espionage with no prosecutable perpetrator. OPM had been told all of this in repeated inspector-general reports, and carried the gaps as accepted risk until they became a national-security disaster.
How to fix it
- Reset and MFA-enforce all credentials, prioritizing contractor and privileged accounts.
- Hunt for long-dwell persistence and lateral movement, and rebuild compromised identity infrastructure.
- Encrypt sensitive datastores and tighten access so stolen credentials yield far less.
- Act on outstanding audit findings instead of accepting known deficiencies.
How to avoid it
- Require phishing-resistant MFA everywhere, especially for remote and contractor access, and actually enforce the mandates you already have.
- Hold third parties to the same security bar as employees, with scoped, monitored, least-privilege access.
- Encrypt sensitive data at rest, and minimize how much you collect and how long you keep it.
- Invest in detection and long-dwell threat hunting; OPM's intruders stayed for many months.
- Close known audit gaps on a deadline rather than carrying them as accepted risk.
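The detection that finally surfaced the OPM intrusion, a workstation beaconing to a command-and-control domain dressed up to look like OPM's own, is exactly the kind of signal a long-dwell hunt should look for in ordinary proxy or DNS logs. The example below is added here and is not OPM's or any vendor's tooling. It parses a constructed three-column log (timestamp, source host, destination domain), flags destinations that carry the organisation's brand token but sit outside the domains it owns, and scores each host-to-domain pair for machine-timed callbacks by measuring how regular the gaps between requests are. The log lines, the host names, the owned-domain list and the `opm` brand token are all assumptions made for the demonstration.

```python
"""Hunt outbound proxy logs for beaconing to brand-lookalike domains.

Added example; not OPM's tooling. All log data below is constructed.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: ISO timestamp, source host, destination domain.
# ws-0417 calls a lookalike domain every ~5 minutes; the other hosts are noise.
SAMPLE_LOG = """\
2015-04-14T02:00:05 ws-0417 opmsecurity.org
2015-04-14T02:05:04 ws-0417 opmsecurity.org
2015-04-14T02:10:06 ws-0417 opmsecurity.org
2015-04-14T02:15:05 ws-0417 opmsecurity.org
2015-04-14T02:20:05 ws-0417 opmsecurity.org
2015-04-14T02:03:11 ws-0199 www.opm.gov
2015-04-14T02:19:47 ws-0199 www.opm.gov
2015-04-14T03:41:02 ws-0199 update.example-vendor.com
2015-04-14T08:12:30 ws-0301 mail.example.net
2015-04-14T08:12:44 ws-0301 mail.example.net
2015-04-14T09:30:00 ws-0301 mail.example.net
"""

# Assumption: these are the registrable domains the organisation really owns,
# and "opm" is the brand token an attacker would imitate.
OWNED_DOMAINS = {"opm.gov"}
BRAND_TOKENS = ("opm",)


def parse_log(text):
    """Return (timestamp, host, domain) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, domain.lower()))
    return events


def registrable(domain):
    """Crude eTLD+1 (last two labels). Use a public-suffix library in production."""
    parts = domain.split(".")
    return ".".join(parts[-2:])


def is_lookalike(domain):
    """True if the registrable domain carries a brand token but is not one we own.
    Substring matching is deliberately crude and will also hit unrelated names."""
    reg = registrable(domain)
    if reg in OWNED_DOMAINS:
        return False
    return any(tok in reg for tok in BRAND_TOKENS)


def beacon_score(timestamps, min_hits=4):
    """Return (median gap in seconds, jitter ratio) for a request series,
    or None with too few hits. Jitter is stdev/median; near zero means a timer."""
    if len(timestamps) < min_hits:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    if med <= 0:
        return None
    return med, statistics.pstdev(gaps) / med


def hunt(text, max_jitter=0.2):
    """Group requests per (host, domain) and report pairs that look like C2."""
    by_pair = defaultdict(list)
    for ts, host, domain in parse_log(text):
        by_pair[(host, domain)].append(ts)
    findings = []
    for (host, domain), stamps in sorted(by_pair.items()):
        reasons = []
        if is_lookalike(domain):
            reasons.append("brand-lookalike domain")
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            reasons.append(f"beaconing every ~{int(score[0])}s (jitter {score[1]:.2f})")
        if reasons:
            findings.append({"host": host, "domain": domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["host"], finding["domain"], "; ".join(finding["reasons"]))
```

The four-hit minimum and the 0.2 jitter threshold are starting points, not tuned values: real implants add random sleep, so on production data widen the threshold, bucket intervals, and look across days rather than minutes. Either signal alone is weak; a lookalike domain that also beacons on a timer is what should go to the top of the analyst's queue.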
References
- https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
- https://www.gao.gov/assets/gao-17-614.pdf
- https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/
- https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
- https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
Related vulnerabilities
- CRITICAL OPSEC-MARRIOTT-STARWOOD-2018
In November 2018 Marriott disclosed that the Starwood guest-reservation database had been breached. The headline number moved as the investigation went on, from an initial 500 million down to a refined estimate of around 339 million guest records, including 5.25 million unencrypted passport numbers. The most striking detail was the dwell time: attackers had been inside the Starwood system since July 2014 and went undetected for more than four years, straight through Marriott's 2016 acquisition of Starwood. Marriott inherited the compromised infrastructure without knowing intruders were already in it, and only an internal security tool flagging an unusual database query in September 2018 finally surfaced the breach, which US government sources attributed to Chinese state-linked actors. It led to a $52 million multi-state settlement and a 20-year FTC security order. It is the lesson in mergers-and-acquisitions cyber due diligence, dwell-time detection, and protecting and encrypting sensitive records.
- HIGH OPSEC-INTERNET-ARCHIVE-2024
The Internet Archive, the nonprofit behind the Wayback Machine, had a brutal October 2024: a data breach, a website defacement, and a wave of DDoS attacks, all at once. Underneath the chaos was an unglamorous root cause. An authentication token sat in plain text in a public config file; the team rotated it repeatedly, but each new token landed right back in the same exposed file, so the leak never actually closed. With it, an attacker downloaded the source code, found more credentials hardcoded inside, and walked out with a database of 31 million users. Weeks later a second token from that same stolen code, for the support system, exposed 800,000 support tickets, some with people's ID documents. It is the lesson that rotating a secret is useless if it goes straight back into a public file, and that one leak unravels everything.
- HIGH OPSEC-MERCEDES-BENZ-2024
Publicly disclosed January 30, 2024, a Mercedes-Benz employee accidentally committed a GitHub authentication token to a public repository, leaving it exposed from September 29, 2023. RedHunt Labs found the token during an internet-wide scan; it granted unrestricted, unmonitored access to Mercedes-Benz's internal GitHub Enterprise Server, allowing anyone to download private source-code repositories that could contain API keys, cloud access keys, database connection strings, blueprints, and SSO passwords. After notification, the token was revoked on January 24, 2024. Mercedes-Benz stated customer data was not affected but could not confirm whether anyone besides the researchers accessed the repositories during the exposure window.
- CRITICAL OPSEC-MIDNIGHT-BLIZZARD-2024
In January 2024, Microsoft revealed that Russia's foreign-intelligence service, the same APT29 behind SolarWinds, had been reading the email of its senior leadership. The way in was almost insulting in its simplicity: a forgotten, non-production test account with a weak password and no MFA. The attackers guessed the password by spraying common ones across many accounts, then pivoted through a forgotten over-privileged application to grant themselves access to corporate mailboxes, including those of executives and the security and legal teams. It is the lesson that your security is only as strong as the account you forgot about, and that even Microsoft's perimeter fell to a missing MFA checkbox.
- HIGH OPSEC-OKTA-2023
Okta is an identity provider: the single front door thousands of companies use to log their employees into everything. So when Okta's customer-support system was breached in late 2023, the blast radius was a who's-who of security-conscious companies. The entry point was almost mundane. An employee had signed into their personal Google account on an Okta laptop and saved a corporate service-account password into it; the attacker got that password and walked into Okta's support system. There they downloaded diagnostic files that customers had uploaded, some of which contained live session tokens, and used those tokens to step directly into the customers' own Okta environments. It is the lesson that session tokens are as good as passwords, support systems are production systems, and a personal browser profile can be the crack in the wall.
- CRITICAL OPSEC-23ANDME-2023
23andMe held the most personal data there is: people's DNA. In 2023 attackers got into roughly 14,000 accounts and, through a single social feature, turned that into the genetic and ancestry data of roughly 6.9 million people. The break-in required no flaw in 23andMe at all. Attackers simply took username-and-password pairs leaked from other companies' breaches and tried them, betting, correctly, that people reuse passwords. The accounts had no MFA, and 23andMe did not notice the five-month wave of automated logins. From those footholds the attackers scraped relatives' data through an opt-in feature. The fallout (fines, a $50 million settlement, and ultimately bankruptcy and a fire-sale of the DNA database itself) shows that a breach can be fatal even when your own systems were never hacked.