Sakula Malware Used in Both Anthem and Office of Personnel Management Breaches
The FBI has arrested a Chinese national on charges that he was a “malware broker” who distributed a remote-access Trojan called Sakula. The malware has been tied to multiple mega-breaches, including attacks against health insurer Anthem and U.S. Office of Personnel Management.
See Also: How to Scale Your Vendor Risk Management Program
Yu Pingan, 36, of Shanghai, was arrested Wednesday after he flew to the United States to attend an unnamed conference, CNN reports.
The FBI could not be immediately reached for comment, but the bureau confirmed the arrest to CNN.
A complaint against Yu Pingan, a.k.a. “GoldSun,” was filed Monday and unsealed Tuesday.
Sakula malware was the focus of an FBI Flash Alert published in June 2015. The malware was also detailed in a 2015 blog post published by Airbus.
The malware was used in the OPM breach – one of the worst breaches to have ever effected the U.S. government. It resulted in the exposure of millions of government workers’ Social Security numbers, as well as security clearance forms filled with detailed and often extremely private personal information.
An FBI affidavit related to Yu’s arrest accuses him of distributing Sakula malware. The affidavit also ties the malware to intrusions of at least four unnamed companies: “San Diego-based company A, Massachusetts-based company B, Los Angeles-based company C, and Arizona-based company D.” The intrusions allegedly began around 2010 for company C, and continued in some cases until July 2015, for company B.
The FBI says attackers utilized watering hole attacks – infecting a site they suspected victims would visit with malware – and made use of zero-day exploits.
“The intrusion into company C began in approximately January 2010,” reads the affidavit, submitted by FBI Special Agent Adam James, a former information security consultant who works from the FBI’s San Diego field office and has investigated cybercrime for the bureau since 2010.
“In September 2012, malicious files were installed on company C’s web server (the server that hosts the company’s website) as part of a watering hole attack that, between Sept. 18, 2012 and Sept. 19, 2012, distributed malicious code to 147 unique U.S.-based IP addresses, using a zero-day exploit now known as CVE-2012-4969. Between May 2012 and January 2013, Company C’s web server hosted no less than five variants of Internet Explorer zero-day exploits.”
Yu Allegedly Detailed Malware via Gmail
Attacks that utilize Sakula malware are relatively rare, and the FBI says it has evidence showing Yu discussing the malware before it was ever seen used in attacks.
“Seized emails tie YU and UCC [uncharged co-conspirator] #1 to this previously unknown malware,” according to James’ affidavit. “In addition, I believe that the novelty and rarity of this malware is evidence that only a small group of hackers knew of it and that they were working together,” James writes.
The FBI says it first learned of Sakula malware in November 2012 and believe that the malware was only used by a single group.
“The intrusions … involved variants of an uncommon malicious software tool known as ‘Sakula.’ The intrusions also used the overlapping use of other hacking tools, techniques, internet protocol (“IP”) addresses, email accounts and domain names. For these reasons, the FBI believes the same group of conspirators was responsible for the intrusions.”
Emails allegedly sent by Yu in 2011 make reference to the malware and describe how a legitimate Microsoft domain in Korea used to download software updates has been compromised.
At least one strain of Sakula “was configured to beacon” – announce infected endpoints – to that domain, James writes in the affidavit.
Bad Breaches: OPM, Anthem
While Sakura might be rare, it was used in the OPM breach, which exposed the personal information of more than 22 million individuals, including background checks containing sensitive information (see Analysis: Why the OPM Breach Is So Bad).
Meanwhile, the breach of Anthem – formerly known as Wellpoint – exposed personally identifiable information for nearly 80 million people in the United States (see Anthem Attribution to China: Useful?).
The material obtained in either breach could have been used to blackmail Americans, including government employees and senior officials, security experts warned.
Attacks Trace to China
Threat-intelligence research firm ThreatConnect was the first organization to publicly report that Sakula was used in the breach of health insurer Anthem, as well as in a failed phishing attack against U.S. defense contractor VAE. The group that used Sakula tended to employ an elaborate “lookalike” attack infrastructure – meant to mimic the actual networks used by their targets.
The FBI’s affidavit also details this alleged approach.
“Defendant Yu and co-conspirators in the PRC [People’s Republic of China] would establish an infrastructure of domain names, IP addresses, accounts with Internet service providers, and websites to facilitate hacks of computer networks operated by companies in the United States and elsewhere,” according to the affidavit. “Defendant Yu and co-conspirators in the PRC would use elements of that infrastructure and a variety of techniques, including watering hole attacks, to surreptitiously install or attempt to install files and programs on the computer networks of companies in the United States and elsewhere.”
Information security expert Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law in Austin, Texas, who tweets as @pwnallthethings, says the Sakula group’s attacks also targeted at least one French aerospace firm as part of what security firms dub the Aurora Panda attacks.
Regarding the Yu arrest, the malware and operations he did were part of “Aurora Panda” attacks on French aerospace https://t.co/cgAXb0cJpV
— Pwn All The Things (@pwnallthethings) August 24, 2017
China Blames Criminals
The FBI directly blamed the OPM breach on Chinese government hackers. Government officials in China, while acknowledging that the hack was perpetrated by individuals in China, claimed that they were criminals and not working for the Chinese government or military. Many U.S. officials, however, maintain that it was an act of espionage.
The FBI’s affidavit against Yu, charging him with conspiracy to commit computer hacking, does not call out the Chinese government. But it alleges that Yu’s collaborators were in China.