OPM Hack Victims Now Targets of a Ransomware Attack

It was June 2015 when the Office of Personnel Management (OPM) was revealed to be the victim of a breach, an infamous incident which was one of the largest breaches of a federal institution. Now, some of the 22 million affected federal employees are being targeted with ransomware, according to Forbes.

The OPM breach had security experts and officials pointing to state-sponsored Chinese hackers whose motivation to compromise personally identifiable information (PII) wasn’t immediately clear.

Now, security researchers at PhishMe have started observing spear-phishing emails targeting victims of the hack, carrying a ransomware payload. The messages purport to be official communications from the OPM in an attempt to trick the user into opening a .ZIP file that contains the Locky ransomware.

The ZIP archive included within these phishing emails contains a JavaScript application that downloads and runs a sample of the Locky ransomware when triggered.
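A defender-side check for the delivery pattern described above (an OPM-branded sender paired with a ZIP attachment wrapping a script) is shown here as an added example; it is not code from the article or from PhishMe, and the sender address, file names and message body are constructed placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions Windows Script Host or the shell runs on double-click; the
# campaign on this page used a .js file inside a .zip.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def scripts_in_zip(data: bytes) -> list[str]:
    """List script files inside a ZIP attachment without extracting to disk."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def analyze_message(raw: bytes) -> dict:
    """Flag mail whose display name claims OPM but whose domain is not opm.gov
    and which carries a ZIP containing a script (the lure described above)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    impersonation = "opm" in display_name.lower() and not domain.endswith("opm.gov")
    scripts = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".zip") or part.get_content_type() in (
                "application/zip", "application/x-zip-compressed"):
            scripts.extend(scripts_in_zip(part.get_payload(decode=True)))
    return {"impersonation": impersonation, "scripts": scripts,
            "suspicious": impersonation and bool(scripts)}


def build_sample() -> bytes:
    """Constructed sample message mimicking the campaign; all values are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("OPM_Breach_Notification.js", "// placeholder, not a downloader\n")
    msg = EmailMessage()
    msg["From"] = "OPM Notifications <notices@example.invalid>"  # assumed sender
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Important notice regarding your OPM records"
    msg.set_content("Please review the attached notification.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="OPM_Notification.zip")
    return msg.as_bytes()
```

Run `analyze_message(build_sample())` to see the constructed lure flagged; a genuine opm.gov sender with a PDF attachment would return `suspicious: False`.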

Researchers from PhishMe wrote:

This phishing narrative comes with a few notable implications. First, the emails are designed to appear as if they were sent by the OPM, and the threat actors hope that these are more likely to appeal to government workers and employees of government contractors.

Secondly, the threat actors may also hope that these messages are more likely to appeal to individuals who have been subject to a loss of personal information as a result of the high-profile OPM breach.

In what is a very precise and well-calculated effort, the phishing emails are specifically targeting people who have had previous dealings with the OPM, including those who may have received genuine OPM emails that look similar to the phishing emails.

While a typical ransomware operation is very likely to be low on the list of reasons why a state-sponsored operation compromised the OPM to begin with, the ransomware run could well be a smokescreen: a distraction to pull observers' attention away from, perhaps, another stage of the attack.

Image credit: Flickr.