Attacks/Breaches

8/25/2017
02:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Chinese National with Possible Links to OPM Breach Arrested

Charging documents reveal sophistication - and a surprising degree of sloppiness.

The arrest of an individual believed connected to the massive data breach at the US Office of Personnel Management (OPM) in 2014 has revealed both the sophistication of the operation and the suspect's almost surprising sloppiness in protecting his identity.

The FBI on Thursday arrested Chinese national Yu Pingan on charges of distributing and using a variety of malware tools including the Sakula malware associated with the OPM attack. The same tool was also used in the attack on health insurer Anthem that resulted in the breach of 80 million records containing highly sensitive data.

Yu is accused of working with two unnamed and as yet uncharged co-conspirators in China to install malware on the networks of at least four organizations, identified in the charging papers as merely Companies A, B, C, and D. He was arrested in Los Angeles after apparently arriving there to attend a conference.

Details provided in the government's compliant show that between May 2012 and January 2013, Yu and has associates deployed as many as five Internet Explorer zero-days on a server hosting a website that was used in watering hole attacks (CVE-2012-4969, CVE-2012-4792CVE-2014-0322, and CVE-2012-84792)

The website distributed a variety of malware tools, including Sakula and variants such as mediacenter.exe, to more than 370 unique IP addresses in the United States.

The Sakula variants that Yu and his associates are accused of installing were configured to beacon to a legitimate Microsoft domain in Korea that was used to download software updates for Microsoft products. The government believes that Yu and one of the unnamed co-conspirators broke into Microsoft's legitimate domain in Korea and modified it to point to malicious IP addresses that they controlled.

The breach at OPM continues to be one of the largest — and easily one of the most impactful —ever of any US government entity. In two separate intrusions, threat actors believed to be operating out of China stole personnel records belonging to over 20 million current and former government employees. In addition to the usual Social Security Numbers and birthdates and other personal data associated with such breaches, the incidents at OPM also resulted in data connected to employee background investigations such as health, financial, criminal history, and fingerprint data.

Marcus Christian, an attorney at Mayer Brown and a former prosecutor at the US Attorney’s Office for the Southern District of Florida, says the arrest is very significant not just for the charges that have been filed but what are yet to come. "One noteworthy aspect of the charging documents is that they indicate that the government is working with at least two alleged co-conspirators and may have secured the cooperation of others," which could result in more charges, he said.

The case is the latest in a growing series of prosecutions that demonstrate the federal government’s increasing focus on cybercrime. "Investigators are routinely reaching into jurisdictions around the globe to build cases and, when necessary, they are patiently waiting in friendly jurisdictions to make arrests," Christian said.

Interestingly the charging papers show that Yu did little to conceal his true identity when conspiring with his associates.

His communications with one of them, for instance, ties him directly to Sakula. Other seized communications tie him to exploits against the zero-days used in the watering hole attacks. The key that was used to decrypt a Sakula variant that had been encrypted, directly referenced the name "Goldsun," a handle that Yu regularly used and even acknowledged using in communications with one of his associates.

On more than one occasion his associates warned Yu about tipping off the FBI about his activities, but he appears to have done little to conceal his tracks.

“Many of the takeaways from this arrest are lessons for criminals in how not to get caught," including not using your real name in association with criminal activity, says John Bambanek, threat systems manager at Fidelis Cybersecurity. "The biggest lesson of all is that if you are going to participate in espionage against the United States, it's probably best you don't step foot in our country," he says.

"What I take away from this is that their level of sloppiness indicates a complacency that they don't have to protect themselves because they won't get caught," he says.

Rick Holland, vice president of strategy at Digital Shadows, adds that the arrest highlights why operation security is critical. "First, adversaries - even nation-state actors - aren't infallible. They make mistakes and leave breadcrumbs that can be used in an investigation."

Yu Pingan made mistakes and associated his personal information with his operations. "Security researchers, threat intel analysts, and incident responders who investigate intrusions need to keep this in mind. Given the #LeakTheAnalyst campaign, personal OPSEC is critical," Holland says.

Related Content:

 

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.