WASHINGTON — For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities.
But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data, according to American officials briefed on a federal investigation into the attack and private security experts.
Undetected for nearly a year, the Chinese intruders executed a sophisticated attack that gave them “administrator privileges” into the computer networks at the Office of Personnel Management, mimicking the credentials of people who run the agency’s systems, two senior administration officials said. The hackers began siphoning out a rush of data after constructing what amounted to an electronic pipeline that led back to China, investigators told Congress last week in classified briefings.
Much of the personnel data had been stored in the lightly protected systems of the Department of the Interior, because it had cheap, available space for digital data storage. The hackers’ ultimate target: the one million or so federal employees and contractors who have filled out a form known as SF-86, which is stored in a different computer bank and details personal, financial and medical histories for anyone seeking a security clearance.
“This was classic espionage, just on a scale we’ve never seen before from a traditional adversary,” one senior administration official said. “And it’s not a satisfactory answer to say, ‘We found it and stopped it,’ when we should have seen it coming years ago.”
The administration is urgently working to determine what other agencies are storing similarly sensitive information with weak protections. Officials would not identify their top concerns, but an audit issued early last year, before the Chinese attacks, harshly criticized lax security at the Internal Revenue Service, the Nuclear Regulatory Commission, the Energy Department, the Securities and Exchange Commission — and the Department of Homeland Security, which has responsibility for securing the nation’s critical networks.
At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial components was left on unsecured network drives, and the agency lost track of laptops with critical data.
Computers at the I.R.S. allowed employees to use weak passwords like “password.” One report detailed 7,329 “potential vulnerabilities” because software patches had not been installed. Auditors at the Department of Education, which stores information from millions of student loanapplicants, were able to connect “rogue” computers and hardware to the network without being noticed. And at the Securities and Exchange Commission, part of the network had no firewall or intrusion protection for months.
“We are not where we need to be in terms of federal cybersecurity,” said Lisa Monaco, President Obama’s homeland security adviser. At an Aspen Institute conference in Washington on Tuesday, she blamed out-of-date “legacy systems” that have not been updated for a modern, networked world where remote access is routine. The systems are not continuously monitored to know who is online, and what kind of data they are shipping out.
In congressional testimony and in interviews, officials investigating thebreach at the personnel office have struggled to explain why the defenses were so poor for so long. Last week, the office’s director, Katherine Archuleta, stumbled through a two-hour congressional hearing. She was unable to say why the agency did not follow through on inspector general reports, dating back to 2010, that found severe security lapses and recommended shutting down systems with security clearance data.
When she failed to explain why much of the information in the system was not encrypted — something that is standard today on iPhones, for example — Representative Stephen F. Lynch, a Massachusetts Democrat who usually supports Mr. Obama’s initiatives, snapped at her. “I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers,” he said, “as you are keeping information out of the hands of Congress and federal employees.”
Her performance in classified briefings also frustrated several lawmakers. “I don’t get the sense at all they understand the problem,” said Representative Jim Langevin, a Rhode Island Democrat, who called for Ms. Archuleta’s resignation. “They seem like deer in the headlights.”
Josh Earnest, the White House spokesman, said on Wednesday that Mr. Obama remained confident that Ms. Archuleta “is the right person for the job.” Ms. Archuleta, who took office in November 2013, did not respond to a request for an interview.