The US Office of Personnel Management (OPM) recently announced a massive data breach exposing very personal and private data of government and military personnel. The stolen data was originally gathered to process security clearances and contains a plethora of background information, including criminal records, mental conditions, drug usage, veteran status, birthdates, social security numbers, pay histories and pension figures, insurance data, financial records, home addresses, contacts, and other profile data. Millions of records in total were stolen, for current and previous government workers, contractors, and partners. Investigators concluded the attack was conducted by another nation state.
This leads to the question of why another nation would launch such an attack and how it will use such personal information to its advantage. The answers might be shocking.
Unlike cybercriminals, who would be interested in opening lines of credit, filing fictitious tax refunds, creating false identities, siphoning financial assets, and fraudulently charging on accounts, nation states have different motivations which drive their actions. Nation states are interested in influencing policies in their favor across the globe, boosting national economic strength, projecting military power, enhancing intelligence gathering capabilities, and protecting themselves from foreign attempts to do the same against them.
For centuries, one of the best ways to accomplish these goals has been by influencing, manipulating, or outright controlling important people in other countries. Employing tactics to achieve such lofty goals requires two things. First, key foreigners with the necessary power or access must be identified. Second, the means to best influence them must be determined. History has shown that with both pieces to the puzzle, governments can maneuver in advantageous ways to achieve nothing short of world change.
Many nations have elaborate infrastructures and organizations dedicated to these goals. They use a variety of Open Source Intelligence (OSINT), Human Intelligence (HUMINT), and Cyber Intelligence (CYBINT) methods to gather insights and data. Nowadays, OSINT is very effective and, with the meteoric rise in social media sharing and personal applications, has become a highly productive tool for providing personal details of a populace. However, the deepest secrets and most private information are still difficult to come by. CYBINT can fill the gaps and provide the hard-to-come-by intelligence and personal connections which are highly valuable for these campaigns.
With the wealth of personal data fleeced from OPM, an attacker can begin building a database of interlocking profiles. The result is a network showing people, connections, access, knowledge, and spheres of influence. This information will be blended with any other high-confidence data, garnered from other sources, to paint a better picture of individuals who may be of interest. They will likely be looking for those who are active in local and national politics, who drive or enforce inter-agency government policies, who serve as leaders and technical advisors to the military, who possess influence in the decisions of others, who have internal access to valuable data, or who are part of the offensive/defensive intelligence apparatus, as well as people who have earned the trust of those in power.
These people become targets of focus and opportunity for various types of influencing tactics, including bribery, blackmail, marketing, facilitation of revenge, social pressure, ethical conundrums, retribution of justice, and demonstrations of patriotism. Professional manipulators can be very creative in how to position and push people in certain directions.
Methods of Influence
These profiles are also intended to give insights into how people can be motivated and controlled. Building a collective social picture can show how key individuals are influenced. It may highlight the respected close community around a target who offer advice and guidance. Past indiscretions can provide an understanding of how someone is vulnerable to situations involving drugs, money, sex, ideology, or fame. This can be exactly what is needed by manipulators.
Personal and private information can be embarrassing or give the necessary signs of weakness. Some people can be blackmailed, threatened, tricked, cheated, bribed, or flipped to provide information, access, or facilitate the influence of others. A cascade effect can take place as people are linked. In rare cases, some assets may be groomed to become direct action operatives, where the risks, impacts, and rewards can be much higher.
Achieving success is no easy task for nation state orchestrators. Private information is a highly prized chip in this game. The more sensitive, revealing, and humiliating the data, the more valuable it is to those who plan to use it as leverage for their benefit.
Beyond the targeting of individuals, such data can be valuable in other ways. To disrupt the operational effectiveness of an organization, key personnel can be affected with campaigns to publicly embarrass them or undermine renewals for top clearances, thereby causing gaps or delays in the work of important positions. This can also provide advancement avenues for others who may be more inclined to support the attacker’s objectives.
Compromising computer systems becomes much easier. In the cybersecurity realm, private information and a list of known contacts make phishing attacks nearly impossible to defend against. Emails, texts, attachments, and files can appear to be sent from friends, family, coworkers, academia, and professional colleagues with no good way for the average person to discern the difference between legitimate and malicious, until it is too late. These phishing attacks can bypass system defenses and allow hackers to gain access to computers, networks, databases, and cloud environments. Follow-on attacks in this manner should be expected, both at home and work. Infecting and controlling devices of people with security clearances is an opportunity not likely passed up by nation state attackers.
The data itself has value and can be sold, traded, or given to a variety of other groups. Terrorists, allies, political rivals, in-country revolutionaries, radicals, or other nation state intelligence agencies would be likely interested parties.
There are national economic advantages as well. Discreetly providing profile data to state-owned companies can greatly improve their business negotiations, bidding, pricing, employee recruiting activities, and overall competitiveness abroad. This can boost domestic economies while undermining foreign positions.
Politically, in a bit of irony, such attacks may also drive the desire of attacked nations to establish international accords governing global cybersecurity practices with their attackers. In essence, hacking can motivate governments to come to the negotiation table and put them at a disadvantage in the agreement of terms.
With the loss of millions of highly personal records, the outlook is not a pretty picture. Time will tell which of these tactics will be employed by those who took OPM data. But keep in mind such spycraft has been around for thousands of years. The intents and purposes are not new; just the scale, tactics, and tools have changed to include the information-rich world of cyber.
My heart goes out to those whose data was part of the recent breach, their families, friends, and associates. In a very personal way, they are all now part of a larger geopolitical game. Take all necessary precautions to protect your name, reputation, finances, history, and honor. Although the attack cannot be undone, governments around the world can learn from these situations and institute better controls, data policies, and political responses to protect future generations.