Attacks/Breaches

8/25/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Chinese National with Possible Links to OPM Breach Arrested

Charging documents reveal sophistication - and a surprising degree of sloppiness.

The arrest of an individual believed connected to the massive data breach at the US Office of Personnel Management (OPM) in 2014 has revealed both the sophistication of the operation and the suspect's almost surprising sloppiness in protecting his identity.

The FBI on Thursday arrested Chinese national Yu Pingan on charges of distributing and using a variety of malware tools including the Sakula malware associated with the OPM attack. The same tool was also used in the attack on health insurer Anthem that resulted in the breach of 80 million records containing highly sensitive data.

Yu is accused of working with two unnamed and as yet uncharged co-conspirators in China to install malware on the networks of at least four organizations, identified in the charging papers as merely Companies A, B, C, and D. He was arrested in Los Angeles after apparently arriving there to attend a conference.

Details provided in the government's compliant show that between May 2012 and January 2013, Yu and has associates deployed as many as five Internet Explorer zero-days on a server hosting a website that was used in watering hole attacks (CVE-2012-4969, CVE-2012-4792CVE-2014-0322, and CVE-2012-84792)

The website distributed a variety of malware tools, including Sakula and variants such as mediacenter.exe, to more than 370 unique IP addresses in the United States.

The Sakula variants that Yu and his associates are accused of installing were configured to beacon to a legitimate Microsoft domain in Korea that was used to download software updates for Microsoft products. The government believes that Yu and one of the unnamed co-conspirators broke into Microsoft's legitimate domain in Korea and modified it to point to malicious IP addresses that they controlled.

The breach at OPM continues to be one of the largest — and easily one of the most impactful —ever of any US government entity. In two separate intrusions, threat actors believed to be operating out of China stole personnel records belonging to over 20 million current and former government employees. In addition to the usual Social Security Numbers and birthdates and other personal data associated with such breaches, the incidents at OPM also resulted in data connected to employee background investigations such as health, financial, criminal history, and fingerprint data.

Marcus Christian, an attorney at Mayer Brown and a former prosecutor at the US Attorney’s Office for the Southern District of Florida, says the arrest is very significant not just for the charges that have been filed but what are yet to come. "One noteworthy aspect of the charging documents is that they indicate that the government is working with at least two alleged co-conspirators and may have secured the cooperation of others," which could result in more charges, he said.

The case is the latest in a growing series of prosecutions that demonstrate the federal government’s increasing focus on cybercrime. "Investigators are routinely reaching into jurisdictions around the globe to build cases and, when necessary, they are patiently waiting in friendly jurisdictions to make arrests," Christian said.

Interestingly the charging papers show that Yu did little to conceal his true identity when conspiring with his associates.

His communications with one of them, for instance, ties him directly to Sakula. Other seized communications tie him to exploits against the zero-days used in the watering hole attacks. The key that was used to decrypt a Sakula variant that had been encrypted, directly referenced the name "Goldsun," a handle that Yu regularly used and even acknowledged using in communications with one of his associates.

On more than one occasion his associates warned Yu about tipping off the FBI about his activities, but he appears to have done little to conceal his tracks.

“Many of the takeaways from this arrest are lessons for criminals in how not to get caught," including not using your real name in association with criminal activity, says John Bambanek, threat systems manager at Fidelis Cybersecurity. "The biggest lesson of all is that if you are going to participate in espionage against the United States, it's probably best you don't step foot in our country," he says.

"What I take away from this is that their level of sloppiness indicates a complacency that they don't have to protect themselves because they won't get caught," he says.

Rick Holland, vice president of strategy at Digital Shadows, adds that the arrest highlights why operation security is critical. "First, adversaries - even nation-state actors - aren't infallible. They make mistakes and leave breadcrumbs that can be used in an investigation."

Yu Pingan made mistakes and associated his personal information with his operations. "Security researchers, threat intel analysts, and incident responders who investigate intrusions need to keep this in mind. Given the #LeakTheAnalyst campaign, personal OPSEC is critical," Holland says.

Related Content:

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
Good Times in Security Come When You Least Expect Them
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  10/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.