Named attack · kill-chain walkthrough

OPM Breach

21.5 million cleared-personnel records to Chinese intelligence

Deep Panda (China MSS-affiliated) · May 2014 – April 2015 (discovered April 15, 2015) · Moderate confidence

Attributed by U.S. officials to Chinese government-affiliated hackers; open-source reporting points to the Jiangsu State Security Department, a component of China's Ministry of State Security (MSS). CrowdStrike publicly links the Sakula RAT used in related intrusions to Deep Panda (G0009). No public DOJ indictment names this intrusion. Director of National Intelligence James Clapper acknowledged Chinese capabilities in obtaining the data.

In two overlapping intrusions spanning nearly a year, China MSS-affiliated actors compromised the U.S. Office of Personnel Management and exfiltrated the most sensitive personnel database in the U.S. government. Using credentials stolen from a KeyPoint Government Solutions contractor, attackers installed PlugX and Sakula RATs, located the background-investigation repository, and exfiltrated approximately 21.5 million SF-86 security-clearance forms — including 5.6 million sets of fingerprints — along with 4.2 million federal employee personnel records. The SF-86 files contained decades of intimate personal data on cleared personnel and their families, giving Chinese intelligence a near-complete map of the U.S. national-security workforce.

[Kill-chain diagram: Deep Panda (G0009) → KeyPoint Government Solutions contractor credentials (breached late 2014; predecessor USIS breached Aug 2014 via SAP vulnerability, 27K DHS records) → OPM perimeter, valid login with no MFA (X2 intrusion, May 7, 2014; T1078, T1078.003) → PlugX (S0013) and Sakula (S0074) RATs, DLL side-loading via signed Kaspersky/McAfee binaries (T1574.001), Registry Run keys and Windows service persistence (T1547.001, T1543.003) → C2 domains opmlearning.org (reg. July 29, 2014, mimics OPM training portal) and wdc-news-post.com (reg. March 3, 2015, mimics DC news outlet; T1071.001, T1573.001, T1583.001) → keylogger on DBA workstations, privilege escalation (T1056.001, T1003) → e-QIP and personnel file stores located (T1018, T1083) → SF-86 forms (~21.5M, Jul–Aug 2014; T1213, T1074.001), personnel records (~4.2M, Dec 2014; T1005), fingerprints (5.6M sets, from Mar 26, 2015; T1005) → exfiltration over HTTPS C2, 11 months undetected (T1041, T1048.002), ~22.1M total records to Chinese intelligence → discovery April 15, 2015 (Cylance product evaluation, not Einstein IDS) → public disclosure June 4, 2015; Director Archuleta resigns July 10, 2015; CIO Seymour resigns Feb 2016; House report Sept 7, 2016 ("jeopardized national security for more than a generation"); no DOJ indictment (cf. Equifax)]
  1. Phase 01 · Initial Access · TA0001

    Stolen KeyPoint contractor credentials open OPM's perimeter without an exploit

    • Attackers posed as a KeyPoint Government Solutions employee using that contractor's legitimate OPM-issued credentials — no vulnerability exploitation was required to cross the network perimeter.
    • KeyPoint had itself been breached in late 2014, exposing credentials for tens of thousands of federal workers. USIS, KeyPoint's predecessor as OPM's background-investigation contractor, was separately breached in August 2014 via an SAP vulnerability.
    • OPM had not enforced multi-factor authentication on remote access; single-factor credential reuse went undetected because the logins appeared legitimate.
    • A first, smaller intrusion ('X1') was detected on March 20, 2014 after a third party notified DHS. A second, more damaging intrusion ('X2') began May 7, 2014 via contractor credentials and was not discovered until April 15, 2015.
  2. Phase 02 · Execution & Persistence · TA0002

    PlugX and Sakula RATs installed, registry run keys and Windows services anchor the foothold

    • After logging in via stolen credentials, attackers installed PlugX — a modular remote-access tool widely associated with Chinese APT operations — to establish a persistent, remotely controllable foothold inside OPM systems.
    • Sakula RAT (also known as Sakurel / VIPER), publicly linked to Deep Panda by CrowdStrike, was also deployed. Sakula communicates over HTTP using single-byte XOR-encoded traffic, making it resemble ordinary web traffic.
    • Sakula achieves persistence via Windows Registry Run keys and as an installed Windows service. DLL side-loading using signed antivirus binaries (Kaspersky or McAfee) was used to masquerade the malicious DLL as a trusted process.
    • Keystroke-logging capability was confirmed on database administrator workstations, enabling credential harvesting from privileged OPM accounts.
  3. Phase 03 · Command & Control · TA0011

    Attacker-registered domains blending into government-adjacent names beacon out over HTTPS for nearly a year

    • opmlearning.org was registered July 29, 2014, mimicking an OPM training or learning portal. It served as a primary C2 node for malware operating inside OPM's network.
    • wdc-news-post.com was registered March 3, 2015, mimicking a Washington DC news outlet. It replaced or supplemented earlier C2 infrastructure as the operation matured.
    • Sakula's C2 traffic is encoded with single-byte XOR and transmitted over HTTP, blending with normal web traffic; PlugX supports HTTP, HTTPS, and raw TCP/UDP depending on configuration.
    • The operation ran undetected for roughly eleven months (May 2014 – April 2015), indicating the C2 traffic was not flagged by OPM's monitoring tools — OPM lacked network-level traffic inspection capability at the time.
  4. Phase 04 · Credential Access & Discovery · TA0006

    Keyloggers on DBA workstations harvest privileged credentials; attackers map the clearance database

    • Keystroke-logging malware was confirmed installed on database administrator workstations, directly capturing the credentials used to access OPM's most sensitive databases.
    • With DBA-level credentials, attackers could enumerate the network and locate the e-QIP system (Electronic Questionnaires for Investigations Processing), which held SF-86 background-investigation records.
    • OPM's November 2014 Inspector General report had already flagged the lack of a comprehensive server/database inventory and absence of multi-factor authentication — weaknesses attackers exploited months before the report was published.
    • Attackers performed file and directory enumeration to identify where personnel records and background-investigation files were stored before staging data for exfiltration.
  5. Phase 05 · Collection · TA0009

    SF-86 forms, fingerprints, and personnel files staged for exfiltration over months

    • Background-investigation (SF-86) records were exfiltrated during July–August 2014, covering approximately 21.5 million individuals — including current, former, and prospective federal employees and contractors who had applied for security clearances, plus their spouses and cohabitants.
    • SF-86 forms are 127-page questionnaires capturing decades of personal history: financial records, drug use, mental health consultations, foreign contacts, family members, past addresses, and neighbors who were interviewed.
    • Approximately 4.2 million personnel records — covering employment history, salaries, and performance ratings for current and former federal employees — were exfiltrated in December 2014.
    • 5.6 million sets of fingerprints were exfiltrated beginning March 26, 2015; their intelligence value was assessed as particularly long-lived since fingerprints cannot be changed.
  6. Phase 06 · Exfiltration · TA0010

    21.5 million SF-86 records and 5.6 million fingerprints leave over HTTPS — undetected for nearly a year

    • Data was exfiltrated over the established PlugX/Sakula C2 channels using HTTPS, making the traffic difficult to distinguish from legitimate encrypted web traffic without deep packet inspection.
    • The exfiltration spanned at least three distinct periods: background files (July–August 2014), personnel records (December 2014), and fingerprint data (beginning March 26, 2015).
    • OPM lacked the network monitoring tools to detect large-volume data egress; the November 2014 IG report explicitly noted the absence of real-time monitoring and a complete server inventory.
    • The operation continued undetected until April 15, 2015, when OPM staff deploying a new Cylance endpoint product noticed indicators of compromise — not the Einstein intrusion-detection system.
  7. Phase 07 · Discovery & Disclosure · TA0040

    Cylance demo catches the breach on April 15; public disclosure June 4 triggers congressional fury

    • On April 15, 2015, OPM personnel running a Cylance endpoint security product during an evaluation discovered indicators of compromise — ending an intrusion that had persisted for approximately eleven months.
    • OPM publicly announced the breach on June 4, 2015. Director Katherine Archuleta resigned July 10, 2015; CIO Donna Seymour resigned February 22, 2016 — on the day she was scheduled to testify before Congress.
    • FBI Director James Comey called the breach 'a very big deal from a national security perspective,' describing OPM's data as 'a treasure trove of information about everybody who has worked for, tried to work for, or works for the United States government.'
    • DNI James Clapper acknowledged Chinese capabilities in obtaining the data, stopping short of formal public attribution. U.S. officials privately and then publicly described the perpetrators as Chinese government-affiliated.
    • The House Committee on Oversight and Government Reform published its majority staff report 'The OPM Data Breach: How the Government Jeopardized Our National Security for More Than a Generation' on September 7, 2016, excoriating OPM leadership for ignoring years of Inspector General warnings.
    • No public DOJ indictments have named the OPM intrusion specifically; by 2017, Chinese national Yu Pingan was arrested for separately providing the Sakula malware to hackers, though not charged directly for OPM.
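Added example (not from the original page or any vendor it names): a detection heuristic for the Phase 03 traffic pattern, single-byte-XOR-obfuscated HTTP bodies beaconing to attacker-registered domains. It assumes proxy visibility into request bodies; the sample beacon text, the key 0xAB and the non-C2 host names are constructed.

```python
import hashlib

# Domains the page identifies as attacker-registered C2 infrastructure.
KNOWN_C2_DOMAINS = {"opmlearning.org", "wdc-news-post.com"}
# Printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data):
    """Fraction of bytes that look like readable text."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def best_xor_key(body):
    """Try every single-byte key; return (key, printable ratio) for the
    decoding that looks most like text. Key 0 means 'already plaintext'."""
    best_key, best_score = 0, printable_ratio(body)
    for key in range(1, 256):
        score = printable_ratio(bytes(b ^ key for b in body))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def is_suspect_beacon(host, body, threshold=0.95):
    """Flag a request that targets a known C2 domain, or whose body is
    opaque as sent but becomes readable text under a non-zero XOR key."""
    if host.lower() in KNOWN_C2_DOMAINS:
        return True
    key, score = best_xor_key(body)
    return key != 0 and score >= threshold and printable_ratio(body) < threshold


# Constructed sample traffic (not real OPM captures); key 0xAB is arbitrary.
BEACON_PLAINTEXT = b"id=OPM-WS-0427&host=dba-proxy01&os=Windows 7&ver=6.1.7601\r\n"
BEACON_KEY = 0xAB
BEACON_ENCODED = bytes(b ^ BEACON_KEY for b in BEACON_PLAINTEXT)
# Stand-in for a genuinely encrypted body: no key will make it readable.
RANDOM_BLOB = hashlib.sha256(b"constructed").digest() + hashlib.sha256(b"sample").digest()

if __name__ == "__main__":
    for host, body in [("updates.example-vendor.test", BEACON_ENCODED),
                       ("updates.example-vendor.test", RANDOM_BLOB),
                       ("wdc-news-post.com", b"ok")]:
        print(host, best_xor_key(body), is_suspect_beacon(host, body))
```

The printable-ratio test is deliberately crude: TLS payloads stay opaque under every key, while XOR-obfuscated ASCII snaps into text under exactly one.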
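Added example (not from the original page): the per-destination egress accounting that Phase 06 notes OPM lacked, run over constructed proxy log lines. The log format, the volume and ratio thresholds, the internal addresses and every host name other than the page's C2 domain are assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines (not OPM data):
# timestamp src_ip dst_host bytes_out bytes_in
SAMPLE_LOG = """\
2014-07-14T02:11:05Z 10.20.5.17 opmlearning.org 52428800 1200
2014-07-14T02:19:40Z 10.20.5.17 opmlearning.org 61440000 1350
2014-07-14T03:02:12Z 10.20.5.17 opmlearning.org 58000000 1100
2014-07-14T09:15:00Z 10.20.8.44 www.example-news.test 900 480000
2014-07-14T09:16:30Z 10.20.8.44 cdn.example-vendor.test 1500 2100000
2014-07-14T11:40:22Z 10.20.5.17 mail.example-agency.test 30000 25000
"""


def parse_log(text):
    """Split each line into (timestamp, src, dst, bytes_out, bytes_in)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, out_b, in_b = line.split()
        rows.append((ts, src, dst, int(out_b), int(in_b)))
    return rows


def egress_summary(rows):
    """Total [bytes_out, bytes_in] per (src, dst) pair."""
    totals = defaultdict(lambda: [0, 0])
    for _, src, dst, out_b, in_b in rows:
        totals[(src, dst)][0] += out_b
        totals[(src, dst)][1] += in_b
    return dict(totals)


def flag_upload_heavy(rows, min_bytes_out=100 * 1024 * 1024, min_ratio=10.0):
    """Return (src, dst, bytes_out) where one host pushed at least min_bytes_out
    to a single destination and sent min_ratio times more than it received.
    Ordinary browsing is download-heavy, so a sustained upload skew stands out
    even when the channel itself is HTTPS and the content is unreadable."""
    flagged = []
    for (src, dst), (out_b, in_b) in egress_summary(rows).items():
        if out_b >= min_bytes_out and out_b >= min_ratio * max(in_b, 1):
            flagged.append((src, dst, out_b))
    return sorted(flagged, key=lambda r: -r[2])


if __name__ == "__main__":
    for src, dst, out_b in flag_upload_heavy(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {out_b / (1024 * 1024):.1f} MiB uploaded")
```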
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Deep Panda (China MSS-affiliated)
Capability
  • T1078
  • T1078.003
  • T1059.003
  • T1547.001
  • T1543.003
  • +1 more
Infrastructure
  • opmlearning.org
  • wdc-news-post.com
Victim
  • See narrative above
Primary sources