Attacks/Breaches

8/25/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Chinese National with Possible Links to OPM Breach Arrested

Charging documents reveal sophistication - and a surprising degree of sloppiness.

The arrest of an individual believed connected to the massive data breach at the US Office of Personnel Management (OPM) in 2014 has revealed both the sophistication of the operation and the suspect's almost surprising sloppiness in protecting his identity.

The FBI on Thursday arrested Chinese national Yu Pingan on charges of distributing and using a variety of malware tools including the Sakula malware associated with the OPM attack. The same tool was also used in the attack on health insurer Anthem that resulted in the breach of 80 million records containing highly sensitive data.

Yu is accused of working with two unnamed and as yet uncharged co-conspirators in China to install malware on the networks of at least four organizations, identified in the charging papers as merely Companies A, B, C, and D. He was arrested in Los Angeles after apparently arriving there to attend a conference.

Details provided in the government's compliant show that between May 2012 and January 2013, Yu and has associates deployed as many as five Internet Explorer zero-days on a server hosting a website that was used in watering hole attacks (CVE-2012-4969, CVE-2012-4792CVE-2014-0322, and CVE-2012-84792)

The website distributed a variety of malware tools, including Sakula and variants such as mediacenter.exe, to more than 370 unique IP addresses in the United States.

The Sakula variants that Yu and his associates are accused of installing were configured to beacon to a legitimate Microsoft domain in Korea that was used to download software updates for Microsoft products. The government believes that Yu and one of the unnamed co-conspirators broke into Microsoft's legitimate domain in Korea and modified it to point to malicious IP addresses that they controlled.

The breach at OPM continues to be one of the largest — and easily one of the most impactful —ever of any US government entity. In two separate intrusions, threat actors believed to be operating out of China stole personnel records belonging to over 20 million current and former government employees. In addition to the usual Social Security Numbers and birthdates and other personal data associated with such breaches, the incidents at OPM also resulted in data connected to employee background investigations such as health, financial, criminal history, and fingerprint data.

Marcus Christian, an attorney at Mayer Brown and a former prosecutor at the US Attorney’s Office for the Southern District of Florida, says the arrest is very significant not just for the charges that have been filed but what are yet to come. "One noteworthy aspect of the charging documents is that they indicate that the government is working with at least two alleged co-conspirators and may have secured the cooperation of others," which could result in more charges, he said.

The case is the latest in a growing series of prosecutions that demonstrate the federal government’s increasing focus on cybercrime. "Investigators are routinely reaching into jurisdictions around the globe to build cases and, when necessary, they are patiently waiting in friendly jurisdictions to make arrests," Christian said.

Interestingly the charging papers show that Yu did little to conceal his true identity when conspiring with his associates.

His communications with one of them, for instance, ties him directly to Sakula. Other seized communications tie him to exploits against the zero-days used in the watering hole attacks. The key that was used to decrypt a Sakula variant that had been encrypted, directly referenced the name "Goldsun," a handle that Yu regularly used and even acknowledged using in communications with one of his associates.

On more than one occasion his associates warned Yu about tipping off the FBI about his activities, but he appears to have done little to conceal his tracks.

“Many of the takeaways from this arrest are lessons for criminals in how not to get caught," including not using your real name in association with criminal activity, says John Bambanek, threat systems manager at Fidelis Cybersecurity. "The biggest lesson of all is that if you are going to participate in espionage against the United States, it's probably best you don't step foot in our country," he says.

"What I take away from this is that their level of sloppiness indicates a complacency that they don't have to protect themselves because they won't get caught," he says.

Rick Holland, vice president of strategy at Digital Shadows, adds that the arrest highlights why operation security is critical. "First, adversaries - even nation-state actors - aren't infallible. They make mistakes and leave breadcrumbs that can be used in an investigation."

Yu Pingan made mistakes and associated his personal information with his operations. "Security researchers, threat intel analysts, and incident responders who investigate intrusions need to keep this in mind. Given the #LeakTheAnalyst campaign, personal OPSEC is critical," Holland says.

Related Content:

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Why the CISSP Remains Relevant to Cybersecurity After 28 Years
Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron,  11/6/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1786
PUBLISHED: 2018-11-12
IBM Spectrum Protect 7.1 and 8.1 dsmc and dsmcad processes incorrectly accumulate TCP/IP sockets in a CLOSE_WAIT state. This can cause TCP/IP resource leakage and may result in a denial of service. IBM X-Force ID: 148871.
CVE-2018-1798
PUBLISHED: 2018-11-12
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1884
PUBLISHED: 2018-11-12
IBM Case Manager 5.2.0.0, 5.2.0.4, 5.2.1.0, 5.2.1.7, 5.3.0.0, and 5.3.3.0 is vulnerabile to a "zip slip" vulnerability which could allow a remote attacker to execute code using directory traversal techniques. IBM X-Force ID: 151970.
CVE-2018-19203
PUBLISHED: 2018-11-12
PRTG Network Monitor before 18.2.41.1652 allows remote unauthenticated attackers to terminate the PRTG Core Server Service via a special HTTP request.
CVE-2018-19204
PUBLISHED: 2018-11-12
PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated attacker (with read-write privileges) to execute arbitrary code and OS commands with system privileges. When creating an HTTP Advanced Sensor, the user's input in the POST parameter 'proxyport_' is mishandled. The attacker can cr...