Attacks/Breaches

8/25/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Chinese National with Possible Links to OPM Breach Arrested

Charging documents reveal sophistication - and a surprising degree of sloppiness.

The arrest of an individual believed connected to the massive data breach at the US Office of Personnel Management (OPM) in 2014 has revealed both the sophistication of the operation and the suspect's almost surprising sloppiness in protecting his identity.

The FBI on Thursday arrested Chinese national Yu Pingan on charges of distributing and using a variety of malware tools including the Sakula malware associated with the OPM attack. The same tool was also used in the attack on health insurer Anthem that resulted in the breach of 80 million records containing highly sensitive data.

Yu is accused of working with two unnamed and as yet uncharged co-conspirators in China to install malware on the networks of at least four organizations, identified in the charging papers as merely Companies A, B, C, and D. He was arrested in Los Angeles after apparently arriving there to attend a conference.

Details provided in the government's compliant show that between May 2012 and January 2013, Yu and has associates deployed as many as five Internet Explorer zero-days on a server hosting a website that was used in watering hole attacks (CVE-2012-4969, CVE-2012-4792CVE-2014-0322, and CVE-2012-84792)

The website distributed a variety of malware tools, including Sakula and variants such as mediacenter.exe, to more than 370 unique IP addresses in the United States.

The Sakula variants that Yu and his associates are accused of installing were configured to beacon to a legitimate Microsoft domain in Korea that was used to download software updates for Microsoft products. The government believes that Yu and one of the unnamed co-conspirators broke into Microsoft's legitimate domain in Korea and modified it to point to malicious IP addresses that they controlled.

The breach at OPM continues to be one of the largest — and easily one of the most impactful —ever of any US government entity. In two separate intrusions, threat actors believed to be operating out of China stole personnel records belonging to over 20 million current and former government employees. In addition to the usual Social Security Numbers and birthdates and other personal data associated with such breaches, the incidents at OPM also resulted in data connected to employee background investigations such as health, financial, criminal history, and fingerprint data.

Marcus Christian, an attorney at Mayer Brown and a former prosecutor at the US Attorney’s Office for the Southern District of Florida, says the arrest is very significant not just for the charges that have been filed but what are yet to come. "One noteworthy aspect of the charging documents is that they indicate that the government is working with at least two alleged co-conspirators and may have secured the cooperation of others," which could result in more charges, he said.

The case is the latest in a growing series of prosecutions that demonstrate the federal government’s increasing focus on cybercrime. "Investigators are routinely reaching into jurisdictions around the globe to build cases and, when necessary, they are patiently waiting in friendly jurisdictions to make arrests," Christian said.

Interestingly the charging papers show that Yu did little to conceal his true identity when conspiring with his associates.

His communications with one of them, for instance, ties him directly to Sakula. Other seized communications tie him to exploits against the zero-days used in the watering hole attacks. The key that was used to decrypt a Sakula variant that had been encrypted, directly referenced the name "Goldsun," a handle that Yu regularly used and even acknowledged using in communications with one of his associates.

On more than one occasion his associates warned Yu about tipping off the FBI about his activities, but he appears to have done little to conceal his tracks.

“Many of the takeaways from this arrest are lessons for criminals in how not to get caught," including not using your real name in association with criminal activity, says John Bambanek, threat systems manager at Fidelis Cybersecurity. "The biggest lesson of all is that if you are going to participate in espionage against the United States, it's probably best you don't step foot in our country," he says.

"What I take away from this is that their level of sloppiness indicates a complacency that they don't have to protect themselves because they won't get caught," he says.

Rick Holland, vice president of strategy at Digital Shadows, adds that the arrest highlights why operation security is critical. "First, adversaries - even nation-state actors - aren't infallible. They make mistakes and leave breadcrumbs that can be used in an investigation."

Yu Pingan made mistakes and associated his personal information with his operations. "Security researchers, threat intel analysts, and incident responders who investigate intrusions need to keep this in mind. Given the #LeakTheAnalyst campaign, personal OPSEC is critical," Holland says.

Related Content:

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Coviello: Modern Security Threats are 'Less About the Techniques'
Kelly Sheridan, Staff Editor, Dark Reading,  4/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.