A number of media reports have emerged in the past 24 hours suggesting that sensitive personal data from U.S. government employees, stolen in the most recent Office of Personnel Management (OPM) breach, has been leaked for sale on the dark web. To determine the accuracy of these claims, Flashpoint obtained the sample database of purported OPM data being traded on the dark web and assessed its credibility.
The data in question was leaked online by actor “Ping,” a moderator of the “Hell” dark web forum, which resides on the Tor network. The alleged OPM database contains usernames, email addresses, hashed and salted passwords, and login timestamp data for some 22,528 accounts.
Flashpoint analysts believe that this alleged OPM data is not from the most recently publicized hack, which the media has widely attributed to Chinese state-sponsored APT groups.
The purported leaked database does contain a remarkably diverse list of federal employees, including members of the military, the Department of Prisons, NASA, and others, and it would be difficult to collect the diverse set of email addresses represented in this dump from a single source other than the OPM. That said, the database does not contain any data indicating that it was freshly stolen, as the most recent OPM hack reports would suggest.
Uncorroborated timestamp data indicates the database was last accessed on March 31, 2014, which suggests the database being offered by Ping on the “Hell” dark web forum may actually have been recycled from a previous hack that took place around March 2014. Media reporting from July 2014 confirms that the OPM was compromised at that time.
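The two checks the analysis above relies on, the newest login timestamp in the set and the diversity of email domains it covers, are easy to automate when triaging a purported dump. The script below is an added example written for this post; it is not Flashpoint's tooling and the rows it parses are invented placeholders in the column layout the post describes (username, email, salted hash, last-login timestamp), not records from the actual "Hell" forum sample. The claimed breach start date is an assumption used only to illustrate the comparison.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the column layout the post describes. Every value
# here is invented; none of it comes from the dump Flashpoint analysed.
# The final row has an unparseable timestamp on purpose, to show that such
# rows are skipped rather than allowed to skew the result.
SAMPLE_DUMP = """\
username,email,password_hash,salt,last_login
user01,user01@example.mil,9e107d9d372bb6826bd81d3542a419d6,a1b2,2014-03-31T14:02:11Z
user02,user02@nasa.example.gov,e4d909c290d0fb1ca068ffaddf22cbd0,c3d4,2014-02-17T09:45:00Z
user03,user03@bop.example.gov,d41d8cd98f00b204e9800998ecf8427e,e5f6,2013-11-05T22:13:48Z
user04,user04@example.mil,098f6bcd4621d373cade4e832627b4f6,g7h8,2014-03-30T18:30:02Z
user05,user05@example.gov,5d41402abc4b2a76b9719d911017c592,i9j0,2014-01-22T07:11:59Z
user06,user06@example.gov,7d793037a0760186574b0282f2f435e7,k1l2,unknown
"""

# Assumption for the example: a dump taken during the 2015 intrusion would be
# expected to show some login activity after this date.
CLAIMED_BREACH_START = datetime(2015, 1, 1, tzinfo=timezone.utc)


def parse_dump(text):
    """Parse CSV text into row dicts, dropping rows without a valid timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["last_login"] = datetime.strptime(
                row["last_login"], "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError, TypeError):
            continue  # a row with no parseable timestamp says nothing about freshness
        rows.append(row)
    return rows


def latest_login(rows):
    """Newest login timestamp in the set: the upper bound on when it was taken."""
    return max(r["last_login"] for r in rows)


def domain_counts(rows):
    """Count email domains; a genuine cross-agency source should show many."""
    return Counter(r["email"].rsplit("@", 1)[-1].lower() for r in rows)


def assess(rows, claimed_start=CLAIMED_BREACH_START):
    """Summarise the freshness and diversity indicators for a parsed dump."""
    newest = latest_login(rows)
    domains = domain_counts(rows)
    return {
        "records": len(rows),
        "latest_login": newest.isoformat(),
        "distinct_domains": len(domains),
        # If even the newest login predates the claimed breach window, the
        # set is more plausibly recycled from an earlier compromise.
        "predates_claimed_breach": newest < claimed_start,
    }


if __name__ == "__main__":
    for key, value in assess(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

On the constructed sample the newest login is 2014-03-31, so the set is flagged as predating the assumed 2015 window, which is the same inference the post draws from the real dump. Domain diversity is reported alongside because, as the post notes, breadth across agencies argues for a single upstream source while stale timestamps argue against a fresh theft; both signals belong in the verdict.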
It is also possible that the data is compiled from a myriad of other breaches and merely labeled as OPM data. In that case, the release could simply be an attempt to capitalize on the media attention surrounding the most recent breach, with the goal of profiting from buyers willing to purchase such data.
If this were indeed data from the reported OPM breaches in 2014 and 2015, it would represent a dramatic and unlikely shift in the tactics, techniques, and procedures (TTPs) of cyber espionage (otherwise known as Advanced Persistent Threat [APT]) actors. State-sponsored APT groups are generally not in the habit of publicly releasing stolen data, even for a profit, as the value of the intelligence itself far outweighs any limited financial gain. In the slim possibility that the data released on the “Hell” dark web forum is indeed from the 2014 or most recent OPM breaches, it would suggest one of the following:
- The attribution to Chinese state-sponsored APT actors for the OPM compromises in 2014 and 2015 is inaccurate;
- APT groups are shifting TTPs and/or are engaged in a deception campaign;
- A rogue APT operator is attempting to profit from the sale of the stolen data, perhaps without authorization from his/her superiors.