In June 2015, the US Office of Personnel Management (OPM) announced that it had been the target of a data breach affecting the records of as many as four million people. The final estimate of the number of people impacted is 22.1 million. This includes records of people who had undergone background checks, as well as their friends and family, many of whom were not government employees. It has been described by federal officials as among the largest breaches of government data in US history. Information taken in the breach included personally identifiable information (PII) such as Social Security numbers, names, dates and places of birth, and addresses.
The data breach consisted of two separate but linked attacks. It is unclear when the first attack began, but the second took place on 7 May 2014, when attackers posed as an employee of KeyPoint Government Solutions, an OPM contractor. The first attack was discovered on 24 March 2014; the second was not discovered until 15 April 2015.
Because of these breaches, unknown parties may already hold lists of people to target for recruitment. Combined with social media sources, this data can fill in the gaps in a person’s personal and professional profile. It raises questions such as: “Do you have anyone at your organization with a security clearance? Do you personally have a clearance, or did you in the past?” If so, you should be aware of the continuing cyber-enabled scheme that China is running to recruit US citizens.
The US Department of Justice (DOJ) revealed detailed attack tactics in a recent court case. The case detailed the targeting of employees inside US federal government agencies. The DOJ describes it as an example of how China is trying to exploit the collaborative nature of US society.
"This case serves as a reminder that China is using professional networking social media sites to target US citizens with both current and past government security clearances, and to try to gain non-public and classified information. The threat is real, and we will prosecute foreign agents who exploit those platforms," said Michael R. Sherwin, Acting US Attorney for the District of Columbia.
China recruiting US citizens: The Operator
Dickson Yeo, a Singaporean national, began working for the Chinese government in 2015. At first he helped China quietly extract information from individuals in Asian countries. Once he had proved himself, he was tasked with targeting people in the US, and he eventually focused on employees inside US federal government agencies, the conduct described in the DOJ case. Yeo admitted to running the scheme on behalf of Chinese intelligence and was recently sentenced to 14 months in federal prison. So another question needs to be asked: “How many more active ‘consultants’ are involved in this project?”
China recruiting US citizens: Step 1
The first thing Yeo did was spend time on social networking sites; to many analysts it sounds like LinkedIn was used, although the DOJ never named the platform. Regardless, this is the start of his cyber-enabled recruitment:
"Yeo used the professional networking website to find individuals with resumes and job descriptions suggesting that they would have access to valuable information. After he identified individuals worth targeting, Yeo followed guidance he received from Chinese intelligence operatives regarding how to recruit potential targets, including identifying their vulnerabilities, such as dissatisfaction with work or financial difficulties."
China recruiting US citizens: Step 2
Next, Yeo posed as a consultant from a US consulting firm. "Yeo created a fake consulting company utilizing the same name as a prominent US consulting firm that conducts public and government relations. Then Yeo posted job advertisements under that company name."
China recruiting US citizens: Step 3
Now, posing as a consultant from a trusted brand and with his target list developed, he was ready to recruit US government and military employees who would unknowingly hand information to Chinese intelligence. "...he (Yeo) solicited them for non-public information and paid them to write reports. Yeo told these American targets that the reports were for clients in Asia, without revealing that they were in fact destined for the Chinese government."
This is not to say that any US citizens gave up secrets; rather, they may have detailed certain aspects of their research or knowledge on a topic that would help China develop a similar knowledge discipline. The Assistant Attorney General for National Security described the case this way: "At the direction of the Government of the People’s Republic of China, Yeo recruited Americans to provide information that he would pass back to his PRC handlers. Yeo concealed his PRC affiliation from his recruits and, contrary to law, from the United States Government. This criminal conduct is part of the PRC’s efforts to exploit the openness of American society by using agents who may appear innocuous, but who act upon taskings from a foreign government to obtain access and information."
The DOJ presents this method of recruiting as a kind of standard operating procedure for the Chinese government, one that targets both current and former security clearance holders. It is viewed as such a threat that the FBI and the National Counterintelligence and Security Center (NCSC) recently released a training video explaining these espionage efforts, titled The Nevernight Connection.
Alan E. Kohler, assistant director of the FBI's Counterintelligence Division, explains, “As this movie highlights, foreign intelligence services are posing as headhunters and consultants on professional networking sites to aggressively target Americans. We believe it's critically important to educate the public in order to neutralize this threat from foreign intelligence services."
So what are signs China might be targeting you to share information?
The FBI explains that all US citizens should watch for the following warning signs that they are being targeted by, or drawn into, a Chinese recruitment scheme:
- It is too good to be true: "Be suspicious of jobs offering remote or flexible work and a disproportionately high salary for the role advertised."
- Flattery: "Your contact may overly praise or focus on your skills and experience or refer to you as a 'high-end' candidate (especially if your government affiliation is known)."
- Scarcity: "There may be an emphasis on a so-called limited, one-off, or exclusive opportunities."
- Lack of depth/detail: "There may be a lack of any visible or verifiable company information available online and/or the role itself lacks tangible details."
- Urgency: "Your contact might be overly responsive to messages and may attempt to rush you off the networking platform onto another communication method."
- Imbalance: "There may be a disproportionate focus on the company you are being recruited for rather than the company validating you as a possible candidate."
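The six indicators above are the kind of thing a security team can turn into a screening heuristic for unsolicited recruiter messages that staff report. The Python below is an added example, not code from this page or from Red Sky Alliance, and not an FBI tool. The phrase lists, the $200,000 salary ceiling, the hourly-to-annual multiplier, the brand domain `example-consulting.com` and the two sample messages are all constructed assumptions. It also adds one check the list does not spell out, prompted by Step 2 above (a fake firm using a real firm's name): an edit-distance comparison of the sender's domain against the domain of the firm it claims to represent.

```python
"""Triage of unsolicited recruiter messages against the six FBI warning signs.

Added example, not code from the page or from Red Sky Alliance. Thresholds,
phrase lists, the brand domain and the sample messages are constructed.
"""
import re
from dataclasses import dataclass

# Assumed legitimate domain of the firm the recruiter claims to represent.
KNOWN_BRAND_DOMAINS = {"example-consulting.com"}

# Constructed phrase lists, one per warning sign.
REMOTE = re.compile(r"\b(remote|flexible|work from home|part-time)\b", re.I)
FLATTERY = re.compile(r"\b(high-end|impressive|exceptional|perfect fit|top candidate)\b", re.I)
SCARCITY = re.compile(r"\b(exclusive|one-off|limited|only a few|last chance)\b", re.I)
URGENCY = re.compile(r"\b(asap|immediately|today|urgent|right away|within 24 hours)\b", re.I)
OFF_PLATFORM = re.compile(r"\b(whatsapp|telegram|wechat|signal|skype|personal email)\b", re.I)
VETTING = re.compile(r"\b(resume|cv|interview|references|portfolio)\b", re.I)  # is the candidate being vetted?
SALARY = re.compile(r"\$\s?(\d[\d,]*)\s*(k|/hr|/hour|per hour|an hour)?\b", re.I)
URL = re.compile(r"(https?://|www\.)", re.I)


@dataclass
class RecruiterMessage:
    sender_email: str
    body: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot a sender domain one or two characters off a real brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, known=KNOWN_BRAND_DOMAINS):
    """Return the brand domain the sender domain imitates (edit distance 1-2), else None."""
    sender_domain = sender_domain.lower()
    for brand in known:
        if 0 < levenshtein(sender_domain, brand) <= 2:
            return brand
    return None


def max_annual_salary(text: str) -> int:
    """Largest dollar figure in the text, normalised to an annual amount (hourly x 2080, assumed)."""
    best = 0
    for amount, unit in SALARY.findall(text):
        value = int(amount.replace(",", ""))
        unit = unit.lower()
        if unit == "k":
            value *= 1000
        elif unit:
            value *= 2080
        best = max(best, value)
    return best


def score_message(msg: RecruiterMessage, role_ceiling_usd: int = 200_000) -> dict:
    """One boolean per warning sign plus the brand-lookalike check, and a total score."""
    body = msg.body
    domain = msg.sender_email.rsplit("@", 1)[-1]
    flags = {
        "too_good_to_be_true": bool(REMOTE.search(body)) and max_annual_salary(body) > role_ceiling_usd,
        "flattery": bool(FLATTERY.search(body)),
        "scarcity": bool(SCARCITY.search(body)),
        "lack_of_detail": not URL.search(body),          # no verifiable company link at all
        "urgency": bool(URGENCY.search(body) or OFF_PLATFORM.search(body)),
        "imbalance": not VETTING.search(body),            # no attempt to vet the candidate
        "brand_lookalike_sender": lookalike_domain(domain) is not None,
    }
    flags["score"] = sum(flags.values())
    return flags


# Constructed sample messages (not real correspondence).
SUSPICIOUS = RecruiterMessage(
    sender_email="talent@examp1e-consulting.com",
    body=("Your background is impressive and you are exactly the high-end candidate we need. "
          "This is an exclusive remote consulting role paying $250k for a few short reports "
          "drawing on your government experience. Please reply today on WhatsApp so we can move quickly."),
)
BENIGN = RecruiterMessage(
    sender_email="talent@example-consulting.com",
    body=("Hello, I am recruiting for a Senior Security Engineer at Example Consulting "
          "(https://example-consulting.com/careers/123). The role is hybrid in Arlington, VA, "
          "with a salary range of $140,000-$160,000. If interested, please send your resume "
          "and we will schedule a phone interview next week."),
)

if __name__ == "__main__":
    for name, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score_message(msg))
```

A score of seven on the first message and zero on the second is the intended result; in practice the point is not the number but which flags fire, since a single indicator such as the lookalike domain is enough on its own to justify a call to the security team. Keyword lists like these are easy to evade, so treat the output as a triage aid for reported messages, not as a filter.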
The US government is continuing to conduct security awareness training around this threat campaign: The threat is real. Think before you link.
Red Sky Alliance offers tools and services to help stop cyber-attacks.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- Join and become active in your local InfraGard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend or require cybersecurity software, services, and devices for all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Our services can help protect against attacks similar to the Comcast hack. We provide internal monitoring in tandem with RedXray notifications on ‘external’ threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Please feel free to contact our analyst team for research assistance and cyber threat analysis on your organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941