China arrests alleged OPM hackers, claims breach was criminal, not state-sponsored

Chinese hackers were indeed responsible for compromising the security of the U.S. Office of Personnel Management, but state-run media claims the breach wasn’t at the behest of the government in Beijing.

As Chinese and American authorities met in Washington this week to weigh cybersecurity concerns and other hot-button issues, China acknowledged for the first time Wednesday that the OPM breach and subsequent theft of sensitive records pertaining to more than 20 million current and former U.S. government employees and contractors was carried out by Chinese hackers, the Xinhua newswire reported.

Contrary to the claims of U.S. officials, Xinhua claimed the high-profile hack was conducted not by government-hired cyberwarriors, but ordinary civilians.

“Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyber attack as the U.S. side has previously suspected,” Xinhua reported.

The Obama administration has all but directly attributed the hack to Beijing and reportedly had considered imposing new sanctions on China until President Xi Jinping visited the White House in September, when both leaders agreed to roll back cyberattacks against one another. American security firms claim China has continued to attack U.S. networks in the months since, however, and experts remain skeptical of China’s latest claims.

“Any assertion by Chinese media that the OPM cyber attack was the work of criminals, not government agents, is in all likelihood bunk,” Brian Finch, a partner at technology law firm Pillsbury Winthrop Shaw Pittman LLP, told The Wall Street Journal. “Those criminal groups typically operate with the knowledge and consent of Chinese officials.”

James Lewis, an expert with the Center for Strategic and International Studies think tank, said those arrested were fall guys for the government.

“It’s a face-saving way of saying, ’It wasn’t us and we’ll put them in jail,’” he told Reuters. “Traditional kabuki in espionage is you write off your agents when it’s politically useful to do so.”

U.S. officials speaking on condition of anonymity said this week China had made a handful of arrests in connection with the breach before Mr. Xi’s September visit, The Washington Post reported Wednesday. 

“We don’t know that if the arrests the Chinese purported to have made are the guilty parties,” one of the sources told the newspaper. “There is a history [in China] of people being arrested for things they didn’t do or other ’crimes against the state.’”

The White House said previously that China had arrested five hackers ahead of Mr. Xi’s trip to D.C. upon the urging of American law enforcement, but their alleged crimes have not been disclosed. 

Social Security numbers, financial information, fingerprints and other information pertaining to roughly 21.5 million individuals who underwent background checks for OPM had their data compromised in the hack — the largest breach to ever affect a U.S. government network.