Anti-Malware , Data Breach , Data Loss

Chinese Man Allegedly Tied to OPM Breach Malware Arrested

Sakula Malware Used in Both Anthem and Office of Personnel Management Breaches
Chinese Man Allegedly Tied to OPM Breach Malware Arrested
Yu Pingan, pictured in the FBI's affidavit against him.

The FBI has arrested a Chinese national on charges that he was a "malware broker" who distributed a remote-access Trojan called Sakula. The malware has been tied to multiple mega-breaches, including attacks against health insurer Anthem and the U.S. Office of Personnel Management.

See Also: Ransomware: The Look at Future Trends

Yu Pingan, 36, of Shanghai, was arrested Wednesday after he flew to the United States to attend an unnamed conference, CNN reports.

The FBI could not be immediately reached for comment, but the bureau confirmed the arrest to CNN.

A complaint against Yu Pingan, a.k.a. "GoldSun," was filed Monday and unsealed Tuesday.

Indictment against Yu Pingan, filed August 21 and unsealed August 22.

Sakula malware was the focus of an FBI Flash Alert published in June 2015. The malware was also detailed in a 2015 blog post published by Airbus.

The malware was used in the OPM breach - one of the worst breaches to have ever affected the U.S. government. It resulted in the exposure of millions of government workers' Social Security numbers, as well as security clearance forms filled with detailed and often extremely private personal information.

An FBI affidavit related to Yu's arrest accuses him of distributing Sakula malware. The affidavit also ties the malware to intrusions of at least four unnamed companies: "San Diego-based company A, Massachusetts-based company B, Los Angeles-based company C, and Arizona-based company D." The intrusions allegedly began around 2010 for company C, and continued in some cases until July 2015, for company B.

Sakula is known to have targeted a U.S. turbine manufacturer, Capstone Turbine, based in Los Angeles. Based on previously published research, which correlates with malware detailed in the affidavit, company C appears to be Capstone Turbine.

The FBI says attackers utilized watering hole attacks - infecting a site they suspected victims would visit with malware - and made use of zero-day exploits.

"The intrusion into company C began in approximately January 2010," reads the affidavit, submitted by FBI Special Agent Adam James, a former information security consultant who works from the FBI's San Diego field office and has investigated cybercrime for the bureau since 2010.

"In September 2012, malicious files were installed on company C's web server (the server that hosts the company's website) as part of a watering hole attack that, between Sept. 18, 2012 and Sept. 19, 2012, distributed malicious code to 147 unique U.S.-based IP addresses, using a zero-day exploit now known as CVE-2012-4969. Between May 2012 and January 2013, Company C's web server hosted no less than five variants of Internet Explorer zero-day exploits."

Yu Allegedly Detailed Malware via Gmail

Attacks that utilize Sakula malware are relatively rare, and the FBI says it has evidence showing Yu discussing the malware before it was ever seen used in attacks.

"Seized emails tie Yu and UCC [uncharged co-conspirator] #1 to this previously unknown malware," according to James' affidavit. "In addition, I believe that the novelty and rarity of this malware is evidence that only a small group of hackers knew of it and that they were working together."

The FBI says it first learned of Sakula malware in November 2012 and believes that the malware was only used by a single group.

"The intrusions ... involved variants of an uncommon malicious software tool known as 'Sakula.' The intrusions also used the overlapping use of other hacking tools, techniques, internet protocol ('IP') addresses, email accounts and domain names. For these reasons, the FBI believes the same group of conspirators was responsible for the intrusions."

Emails allegedly sent by Yu in 2011 make reference to the malware and describe how a legitimate Microsoft domain in Korea used to download software updates has been compromised.

Email exchange translated from Chinese, that occurred on July 27, 2011, between goldsun84823714@gmail.com - an email account allegedly used by Yu - and an unnamed co-conspirator. (Source: FBI affidavit)

At least one strain of Sakula "was configured to beacon" - announce infected endpoints - to that domain, James writes in the affidavit.

Bad Breaches: OPM, Anthem

While Sakura might be rare, it was used in the OPM breach, which exposed the personal information of more than 22 million individuals, including background checks containing sensitive information (see Analysis: Why the OPM Breach Is So Bad).

Meanwhile, the breach of Anthem - formerly known as Wellpoint - exposed personally identifiable information for nearly 80 million people in the United States (see Anthem Attribution to China: Useful?).

The material obtained in either breach could have been used to blackmail Americans, including government employees and senior officials, security experts warned.

Attacks Trace to China

Threat-intelligence research firm ThreatConnect was the first organization to publicly report that Sakula was used in the breach of health insurer Anthem, as well as in a failed phishing attack against U.S. defense contractor VAE. The group that used Sakula tended to employ an elaborate "lookalike" attack infrastructure - meant to mimic the actual networks used by their targets.

The FBI's affidavit also details this alleged approach.

"Defendant Yu and co-conspirators in the PRC [People's Republic of China] would establish an infrastructure of domain names, IP addresses, accounts with Internet service providers, and websites to facilitate hacks of computer networks operated by companies in the United States and elsewhere," according to the affidavit. "Defendant Yu and co-conspirators in the PRC would use elements of that infrastructure and a variety of techniques, including watering hole attacks, to surreptitiously install or attempt to install files and programs on the computer networks of companies in the United States and elsewhere."

Information security expert Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law in Austin, Texas, who tweets as @pwnallthethings, says the Sakula group's attacks also targeted at least one French aerospace firm as part of what security firms dub the Aurora Panda attacks.

China Blames Criminals

The FBI directly blamed the OPM breach on Chinese government hackers. Government officials in China, while acknowledging that the hack was perpetrated by individuals in China, claimed that they were criminals and not working for the Chinese government or military. Many U.S. officials, however, maintain that it was an act of espionage.

The FBI's affidavit against Yu, charging him with conspiracy to commit computer hacking, does not call out the Chinese government. But it alleges that Yu's collaborators were based in China.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network