The disclosure by U.S. officials that Chinese hackers stole records of as many as 4 million government workers is now being linked to the thefts of personal information from health-care companies.
Forensic evidence indicates that the group of hackers responsible for the U.S. government breach announced Thursday likely carried out attacks on health-insurance providers Anthem Inc. and Premera Blue Cross that were reported earlier this year, said John Hultquist of iSight Partners Inc. The cyber-intelligence company works with federal investigators.
The thefts are thought to be part of a broader effort by Chinese hackers to obtain health-care records and other personal information stored on millions of U.S. government employees and contractors from various sources, including insurers, government agencies and federal contractors, said a U.S. intelligence official, speaking on condition of anonymity.
The data could be used to target individuals with access to sensitive information who have financial, marital or other problems and might be subject to bribery, blackmail, entrapment and other espionage tools, the official said.
“It is not only the scale that is of interest, 4 million employees, or even that the reason could be to use the information to recruit spies in America, but that people are now part of China-critical nodes in their cyber strategy,” said Rosita Dellios, an associate professor of international relations at Bond University on Australia’s Gold Coast.
“Usually in cyber strategy, it is critical infrastructure like energy grids, transportation, and satellites that are mentioned. Here we have a whole class of people crucial to U.S. security being targeted,” she said.
The hackers, thought to have links to the Chinese government, got into the U.S. Office of Personnel Management computer system late last year, according to one U.S. official, who asked for anonymity to discuss the investigation. The intrusion was detected in April and it took U.S. investigators a month to conclude that the files had been compromised. It was one of the largest breaches of government personnel data.
Indianapolis-based Anthem, which runs Blue Cross and Blue Shield health plans, said in February that hackers stole information on about 80 million customers, exposing Social Security numbers and other sensitive data. In March, Premera Blue Cross, a Spokane, Washington-based company that operates in the northwestern U.S., said information on 11 million people may have been exposed.
A spokesman for the Chinese Embassy in Washington, Zhu Haiquan, said his country’s laws prohibit cybercrimes and China works to combat violations.
“Cyber-attacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify,” he said in an e-mailed statement. “Jumping to conclusions and making hypothetical accusation is not responsible and counterproductive.”
The revelations could complicate the agenda for Chinese President Xi Jinping’s first state visit to the U.S. in September. Ties between the two countries already are strained over U.S. demands that China stop its island-building program in the South China Sea.
White House press secretary Josh Earnest said Friday the government has drawn no official conclusions about who was behind the attack and said blame may not be publicly made once investigators finish their work.
“We’re dealing with a persistent adversary,” he told reporters in Washington. “In some cases, the less they know about what we know, the better.”
He repeatedly declined to comment on allegations that the hackers were based in China, but said that Obama has “raised China’s activities in cyber space as a significant source of concern” in every meeting he’s had with China’s leaders.
Earnest said a government cyberdefense initiative known as Einstein III was being accelerated, though not in response to revelations about the OPM attack. He added that it’s too early to say whether the program would have prevented the breach.
In the government hack disclosed Thursday, the thieves accessed information on individuals who applied for or were granted security clearances, among other things, according to a person familiar with the investigation who asked for anonymity. Such data often includes detailed interviews with friends and family members as well as information that could disqualify a candidate from receiving a clearance.
The personnel management office provides information on job candidates for agencies across the federal government, including whether those individuals are suitable for employment, according to the OPM website.
The Federal Bureau of Investigation and the Department of Homeland Security are investigating, according to a statement from OPM.
The hackers who breached the government and health company computers used unique techniques that amount to a digital fingerprint of sorts, allowing iSight researchers to link the three with “high confidence,” said Hultquist, head of cyber-espionage threat intelligence at the Dallas-based company. Hultquist declined to say whether his company is working on the investigations of the U.S. data breach or the health-care company hacks.
If that link holds up, it would tie some of the largest hacks of the last year to a single group of state-sponsored cyberspies.
Two people familiar with the investigation said the hackers are a unit linked to China’s civilian intelligence agency, the Ministry of State Security.
“These aren’t criminals and we don’t expect this stuff to show up on the black market,” Hultquist said. “We’re still struggling to understand why this sort of data is being targeted.”
The U.S. government plans to notify those who were potentially affected by the breach, and is offering free credit report access, credit monitoring and identity-theft insurance to those whose personal information was compromised.
The OPM said investigators may find that additional personnel files were compromised as they review the breach.
“We take very seriously our responsibility to secure the information stored in our systems,” OPM Director Katherine Archuleta said in the statement.
Donna Seymour, OPM’s chief information officer, said the information stolen was typical for a personnel file, including Social Security number, date and place of birth and benefit selections. Bank accounts and health information weren’t included and there’s no indication that any specific category of workers was targeted, she said.
U.S. Defense Secretary Ashton Carter said in April that Russian hackers had breached an unclassified Pentagon computer network. A “crack team of incident responders” began hunting the Russians within hours, he said in a speech at Stanford University that warned of the danger of cyber-attacks to the U.S. government.
Hackers are thought to have broken into an unclassified White House computer network last year at the behest of the Russian government. Some U.S. officials said the same hackers earlier breached State Department computers.
The White House hack may have been in retaliation for sanctions the U.S. imposed on Russia after its annexation of Crimea in March 2014, a person familiar with the incident said.
The Russian and Chinese governments have regularly dismissed allegations that they employ hackers to target U.S. computer systems.