Chinese hackers deep-mining U.S. data, Congress told

For more than five years, U.S. intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics-makers, their targets shifting to fit Beijing's latest economic priorities.

But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into U.S. government computer systems that contain vast troves of personnel data, according to U.S. officials briefed on a federal investigation into the attack and private security experts.

Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them "administrator privileges" into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency's systems, two senior administration officials said. The hackers began siphoning a rush of data after constructing what amounted to an electronic pipeline that led back to China, investigators told Congress last week in classified briefings.

Much of the personnel data had been stored in the lightly protected systems of the Interior Department because it had cheap, available space for digital data storage. The hackers' ultimate target was the 1 million or so federal employees and contractors who have each filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.

The administration is still trying to determine how many of the SF-86 national security forms -- which include information that could be useful for anyone seeking to identify or recruit a U.S. intelligence agent, nuclear weapons engineer or vulnerable diplomat -- had been stolen.

"This was classic espionage, just on a scale we've never seen before from a traditional adversary," one senior administration official said. "And it's not a satisfactory answer to say, 'We found it and stopped it,' when we should have seen it coming years ago."

The administration said it is urgently working to determine what other agencies are storing similarly sensitive information with weak protections. Officials would not identify their top concerns, but an audit issued early last year, before the Chinese attacks, harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission and the Department of Homeland Security, which has responsibility for securing the nation's critical networks.

At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial components was left on unsecured network drives, and the agency lost track of laptops that held critical data.

Computers at the IRS allowed employees to use weak passwords like "password." One report detailed 7,329 "potential vulnerabilities" because software patches had not been installed. Auditors at the Department of Education, which stores information from millions of student-loan applicants, were able to connect "rogue" computers and hardware to the network without being noticed. And at the Securities and Exchange Commission, part of the network had no firewall or intrusion protection for months.

A congressional report issued in February 2014 by the Republican staff of the Senate Homeland Security Committee concluded that multiple federal agencies with responsibility for critical infrastructure and holding vast amounts of information "continue to leave themselves vulnerable, often by failing to take the most basic steps towards securing their systems and information."

The report reserves its harshest criticism for the repeated failures of agency officials to take steps -- some of them very basic -- that would help thwart cyberattacks.

Computers at the Department of Homeland Security, which is in charge of protecting the nation's public infrastructure, contained hundreds of vulnerabilities as recently as 2010, according to authors of the report. They said computer security failures remained across agencies even though the government has spent "at least $65 billion" since 2006 on protective measures.

"We are not where we need to be in terms of federal cybersecurity," said Lisa Monaco, President Barack Obama's homeland security adviser. At an Aspen Institute conference in Washington on Tuesday, she blamed out-of-date "legacy systems" that have not been updated for a modern, networked world where remote access is routine. The systems are not continuously monitored to know who is online and what kind of data they are shipping out.

In congressional testimony and in interviews, officials investigating the breach at the personnel office have struggled to explain why the defenses were so poor for so long. Last week, the office's director, Katherine Archuleta, stumbled through a two-hour congressional hearing. She was unable to say why the agency did not follow through on inspector general reports, dating to 2010, that found severe security lapses and recommended shutting down systems with security clearance data.

When she failed to explain why much of the information in the system was not encrypted, Rep. Stephen Lynch, D-Mass., who usually supports Obama's initiatives, snapped at her. "I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers," he said, "as you are keeping information out of the hands of Congress and federal employees."

Josh Earnest, the White House spokesman, said Wednesday that Obama remained confident that Archuleta "is the right person for the job." Archuleta, who took office in November 2013, did not respond to a request for an interview.

But even some White House aides say a lack of focus by managers contributed to the security problems. It was not until early last year, as computer attacks began on U.S. Investigations Services, a private contractor that conducts security clearance interviews for the personnel office, that serious efforts to develop a strategic plan to seal up the agency's many vulnerabilities started.

Federal and private investigators piecing together the attacks now say they believe the same groups responsible for the attacks on the personnel office and the contractor had previously intruded on computer networks at health insurance companies, notably Anthem Inc. and Premera Blue Cross.

What those attacks had in common was the theft of millions of pieces of valuable personal data -- including Social Security numbers -- that have never shown up on black markets, where such information can fetch a high price. That could be an indicator of state sponsorship, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

While Obama publicly named North Korea as the country that attacked Sony Pictures Entertainment last year, he and his aides have described the Chinese hackers in the government records case only to members of Congress in classified hearings. Blaming the Chinese in public could affect cooperation on ongoing talks to limit the Iranian nuclear program as well as tensions with China's Asian neighbors.

China has denied involvement in the break-in and says it is also a victim of cyberattacks.

Sensitive meetings

The two countries' top diplomats and finance officials are to meet in Washington this week for the annual U.S.-China strategic and economic dialogue. The Obama administration says the two governments won't be papering over their differences, but they are expected to accentuate the positive, stressing areas of cooperation, like climate change.

Civilian and military officials are to meet Monday to discuss thorny security issues. Secretary of State John Kerry and Treasury Secretary Jacob Lew are to kick off two days of talks Tuesday with Vice Premier Wang Yang and State Councilor Yang Jiechi on an agenda that includes plans for a bilateral investment treaty.

China, in particular, is presenting the dialogue as a prelude to Xi Jinping's visit to the White House, which is set for September, his first since becoming China's president in 2013.

Foreign Ministry spokesman Lu Kang called it an opportunity to "push for new progress in the building of a new model of major power relationship," the state-run Xinhua news agency reported Friday.

As the push for a global climate-change deal intensifies ahead of a December summit of world leaders in Paris, Obama needs China's support. Obama and Xi committed to curbing emissions when they met in Beijing in November, which environmentalists hailed as a sign that reluctant nations like China were finally getting on board.

Information for this article was contributed by David E. Sanger, Nicole Perlroth and Michael D. Shear of The New York Times; and by Matthew Pennington of The Associated Press.

A Section on 06/21/2015