Washington CNN  — 

The four million federal workers who may have had their personal information hacked likely woke up this morning with a dominating question: How did this happen?

U.S. investigators believe Chinese hackers are responsible for the massive security breach at nearly every federal government agency, a law enforcement source and another US official told CNN on Thursday. The national security community is now working under the assumption that the Chinese have hundreds of thousands of security clearance forms.

RELATED: U.S. government hacked; feds think China is the culprit

While investigations into what precisely happened are in progress, here’s one possible theory, shared by multiple U.S. officials:

1. Find Agency X

Let’s say there is a U.S. government agency – Agency X – that does not update its server operating system software patches. We don’t know which agency it is because the federal government doesn’t want to reveal everything it knows to the Chinese and the cyber links the agency had to the Office of Personnel Management.

2. Spam

Between one and two years ago, that agency gets flooded with broad based phishing emails.

3. Get a federal worker to reply

That attack is successful, and the attacker, now known to be China, receives some replies from employees at Agency X.

4. Focus on Agency X

Based on those returns, the attacker then moves to more targeted spear phishing attacks against Agency X.

5. Find more points of entry

At least one – or maybe more – of the spear phishing attacks is successful. This is first point failure from lack of patching, or quickly securing a hole in the system.

6. Spread

Now, the attacker has a toehold into Agency X on a deep level, beyond an individual.

7. Discover vulnerabilities

The attacker then is able to find the unpatched vulnerability on the server software at Agency X. .

8. Become an admin

The attacker make his next move: Through that vulnerability, the attacker creates a fake administrator account and gave itself escalating privileges.

9. Create new users

Now, the attacker deploys those privileges to create new user accounts at Agency X.

10. Exploit fake users

Those user accounts are used to spearhead phish and a return from OPM.

11. Avoid detection

In April, the U.S. government learned of the ten-step plan to hack it. For two months, the federal government didn’t reveal the information publicly because they had not yet cleaned up the entire system. Nor did federal officials want the Chinese to know they were onto them.

So the American government also created a fake system, the U.S. official said, which absorbed the Chinese attacks without them knowing that U.S. officials had launched what is called a cyber “honeypot” that imitated the real deal.

The bottom line, according to the U.S. officials? Attackers eye unpatched vulnerabilities, and the Chinese found one.