[BreachExchange] FBI Arrest Chinese National Linked to OPM Data Breach Malware

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 24 21:53:32 EDT 2017


http://gizmodo.com/fbi-arrest-chinese-national-linked-to-opm-data-breach-m-1798411342

A 36-year-old Chinese national was arrested in Los Angeles this week in
connection with a computer hacking conspiracy involving malware linked to
the 2014 US Office of Personnel Management (OPM) data breach.

Yu Pingan of Shanghai, China, was arrested on Wednesday while traveling at
Los Angeles International Airport. Also identified by the hacker pseudonym
“GoldSun,” Yu has been charged under the Computer Fraud and Abuse Act and
is further accused of conspiracy to commit offense or defraud the United
States.

According to an August 21 indictment, filed in the US District Court for
the Southern District of California, Yu collaborated with others, including
two unnamed individuals who have not been charged, to acquire and use
malware to facilitate cyberattacks against at least four unnamed US
companies. The indictment was accompanied by an affidavit signed by an
agent assigned to a cybercrime squad at the FBI San Diego Field Office.

The FBI has identified Yu’s co-conspirators as living in the People’s
Republic of China. A spokesperson for the agency could not be immediately
reached for a comment.

In a timeline laid out in the indictment, Yu is accused of discussing the
installation of a remote access trojan, or RAT, first at an unidentified
company in June 2011. Roughly a year later, a conspirator allegedly
installed malicious files on the network of a San Diego-based company. The
same company was allegedly attacked again on or before December 3, 2013.

A second company, based in Massachusetts, was allegedly attacked using
malware known as Sakula, which multiple security firms have tied to the OPM
attack—a data breach that involved records of millions of US citizens who
had undergone security clearance checks. China’s involvement was suspected
by US authorities, according to Washington Post sources at the time, though
attribution was never officially described by the Obama administration.

Chinese authorities have denied any involvement in the OPM attack. “The
Chinese government takes resolute strong measures against any kind of
hacking attack,” China’s Foreign Ministry told Reuters in 2015. “We oppose
baseless insinuations against China.”

Sakula was also used in the 2015 Anthem data breach, which involved the
potential theft of roughly 80 million individuals’ personal medical
records. Independent investigators concluded with medium confidence earlier
this year that the Anthem attack was likely carried out on behalf of a
foreign government. However, so far Anthem has not been cited in connection
with Yu’s arrest.

A third company based in Los Angeles is also said to have been breached by
Yu’s co-conspirators in December 2012. The attackers allegedly took
advantage of a then-unknown vulnerability in Microsoft’s Internet Explorer
which allowed for remote code execution and injection of the Sakula
malware. Yu was allegedly linked to the then-rare malware variant Sakula
through emails obtained by federal agents.

Sakula is also a known tool of China-based advanced persistent threat
nicknamed Deep Panda, or APT 19, which has been linked by security
researchers to both the OPM and Anthem attacks.

A fourth company, based in Arizona, was also allegedly attacked by two
unnamed and unindicted co-conspirators. Seized communications show that Yu
provided one of the co-conspirators with malicious software as early as
April 2011, according to this week’s indictment. The communications also
allegedly show that Yu informed the second co-conspirator of an exploit
for Adobe’s Flash software.

Later in 2011, Yu allegedly indicated via FBI-seized communications that
he had “compromised the legitimate Korean Microsoft domain used to download
software updates for Microsoft products,” and further indicated the hacked
site could be used to launch phishing attacks.

According to CNN, Yu was arrested after entering the US on Wednesday to
attend a conference.