Foreign spy services, especially in China and Russia, are aggressively aggregating and cross-indexing hacked U.S. computer databases — including security clearance applications, airline records and medical insurance forms — to identify U.S. intelligence officers and agents, U.S. officials said.
At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials.
The Obama administration has scrambled to boost cyberdefenses for federal agencies and crucial infrastructure as foreign-based attacks have penetrated government websites and email systems, social media accounts and, most important, vast data troves containing Social Security numbers, financial information, medical records and other personal data on millions of Americans.
Counterintelligence officials say their adversaries combine those immense data files and then employ sophisticated software to try to isolate disparate clues that can be used to identify and track — or worse, blackmail and recruit — U.S. intelligence operatives.
Digital analysis can reveal “who is an intelligence officer, who travels where, when, who’s got financial difficulties, who’s got medical issues, [to] put together a common picture,” William Evanina, the top counterintelligence official for the U.S. intelligence community, said in an interview.
Asked whether adversaries had used this information against U.S. operatives, Evanina said, “Absolutely.”
Evanina declined to say which nations are involved. Other U.S. officials, speaking on condition of anonymity to discuss internal assessments, say China and Russia are collecting and scrutinizing sensitive U.S. computer files for counterintelligence purposes.
U.S. cyberspying is also extensive, but authorities in Moscow and Beijing frequently work in tandem with criminal hackers and private companies to find and extract sensitive data from U.S. systems, rather than steal it themselves. That limits clear targets for U.S. retaliation.
The Obama administration marked a notable exception last week when a U.S. military drone strike near Raqqah, Syria, killed the British-born leader of the CyberCaliphate, an Islamic State hacking group that has aggressively sought to persuade sympathizers to launch “lone wolf” attacks in the United States and elsewhere.
Junaid Hussain had posted names, addresses and photos of about 1,300 U.S. military and other officials on Twitter and the Internet, and urged his followers to find and kill them, according to U.S. officials. They said he also had been in contact with one of the two heavily armed attackers killed in May outside a prophet Muhammad cartoon contest in Garland, Texas. Hussain is the first known hacker targeted by a U.S. drone.
The Pentagon also is scouring the leaked list of clients and their sexual preferences from the Ashley Madison cheating website to identify service members who may have violated military rules against infidelity and be vulnerable to extortion by foreign intelligence agencies.
Far more worrisome was last year’s cyberlooting — allegedly by China — of U.S. Office of Personnel Management databases holding detailed personnel records and security clearance application files for about 22 million people, including not only current and former federal employees and contractors but also their families and friends.
“A foreign spy agency now has the ability to cross-check who has a security clearance, via the OPM breach, with who was cheating on their wife via the Ashley Madison breach, and thus identify someone to target for blackmail,” said Peter W. Singer, a fellow at the nonprofit New America Foundation in Washington and coauthor of the book “Cybersecurity and Cyberwar.”
The immense data troves can reveal marital problems, health issues and financial distress that foreign intelligence services can use to try to pry secrets from U.S. officials, according to Rep. Adam B. Schiff of Burbank, the top Democrat on the House Intelligence Committee.
“It’s very much a 21st century challenge,” Schiff said. “The whole cyberlandscape has changed.”
U.S. intelligence officials have seen evidence that China’s Ministry of State Security has combined medical data snatched in January from health insurance giant Anthem, passenger records stripped from United Airlines servers in May and the OPM security clearance files.
The Anthem breach, which involved personal data on 80 million current and former customers and employees, used malicious software that U.S. officials say is linked to the Chinese government. The information has not appeared for sale on black market websites, indicating that a foreign government controls it.
U.S. officials have not publicly blamed Beijing for the theft of the OPM and the Anthem files, but privately say both hacks were traced to the Chinese government.
The officials say China’s state security officials tapped criminal hackers to steal the files, and then gave them to private Chinese software companies to help analyze and link the information together. That kept the government’s direct fingerprints off the heist and the data aggregation that followed.
In a similar fashion, officials say, Russia’s powerful Federal Security Service, or FSB, has close connections to programmers and criminal hacking rings in Russia and has used them in a relentless series of cyberattacks.
According to U.S. officials, Russian hackers linked to the Kremlin infiltrated the State Department’s unclassified email system for several months last fall. Russian hackers also stole gigabytes of customer data from several U.S. banks and financial companies, including JPMorgan Chase & Co., last year.
A Chinese Embassy spokesman, Zhu Haiquan, said Friday that his government “firmly opposes and combats all forms of cyberattacks in accordance with the law.” The Russian Embassy did not respond to multiple requests for comment. U.S. intelligence officials want President Obama to press their concerns about Chinese hacking when Chinese President Xi Jinping visits the White House on Sept. 25.
After the recent breaches, U.S. cybersecurity officials saw a dramatic increase in the number of targeted emails sent to U.S. government employees that contain links to malicious software.
In late July, for example, an unclassified email system used by the Joint Chiefs and their staff — 4,000 people in all — was taken down for 12 days after they received sophisticated “spear-phishing” emails that U.S. officials suspect was a Russian hack.
The emails appeared to be from USAA, a bank that serves military members, and each sought to persuade the recipient to click a link that would implant spyware into the system.
Defense Secretary Ashton Carter said the hack shows the military needs to boost its cyberdefenses.
“We’re not doing as well as we need to do in job one in cyber, which is defending our own networks,” Carter said Wednesday. “Our military is dependent upon and empowered by networks for its effective operations.... We have to be better at network defense than we are now.”
Carter spent Friday in Silicon Valley in an effort to expand a partnership between the Pentagon, academia and the private sector that aims to improve the nation’s digital defenses. Carter opened an outreach office in Mountain View this year to try to draw on local expertise.
U.S. intelligence officers are supposed to cover their digital tracks and are trained to look for surveillance. Counterintelligence officials say they worry more about the scientists, engineers and other technical experts who travel abroad to support the career spies, who mostly work in U.S. embassies.
The contractors are more vulnerable to having their covers blown now, and two U.S. officials said some already have been compromised. They refused to say whether any were subject to blackmail or other overtures from foreign intelligence services.
But Evanina’s office, the National Counterintelligence and Security Center, based in Bethesda, Md., has recently updated pamphlets, training videos and desk calendars for government workers to warn them of the increased risk from foreign spy services.
“Travel vulnerabilities are greater than usual,” reads one handout. Take “extra precaution” if people “approach you in a friendly manner and seem to have a lot in common with you.”