A Chinese fella has been accused by the FBI of being a key team member in the hacking crew that took down the US Office of Personnel Management (OPM).
Yu Pingan was cuffed at Los Angeles international airport by the Feds and this week charged with computer hacking.
The OPM infiltration, first discovered in 2015, was a massive embarrassment to the US government. Hackers stole paperwork for security background checks on 21.56 million individuals – including the fingerprint records for 5.6 million of them – and the personnel files of 4.2 million former and current US government employees. It caused the resignation of then-OPM boss Katherine Archuleta.
Yu is accused of selling the Sakula malware that was used in the OPM attack. Sakula was at that time a very rare piece of malware indeed, which is just what you need to stay under the radar. Yu, a Chinese national from Shanghai, was apparently arrested at Los Angeles airport after attending a conference in the US.
According to Yu's indictment [PDF], the Chinese national hacked into four separate US companies in Massachusetts, Arizona, San Diego and Los Angeles. He is accused of using a mixture of rare malware (primarily from the Sakula family of attack code) and infiltrating through improperly patched browsers to work his way into their servers.
The attack came to light in August 2012, when one of the companies found several pieces of advanced malware on its servers and called in the FBI. Upon examination it was found to be communicating with malware in a second company that had been put on an otherwise legitimate website and could worm through a poorly patched browser.
In a single day in February 2012, this malware had managed to infect 147 people who visited the company's website by using a then-zero day exploit (now called CVE-2012-4969) in Internet Explorer. Between May 2012 and January 2013, five different zero-day vulnerabilities were exploited by malware on the company's website.
By June 7, 2013, the third company also had its website infected with a very rare variant of Sakula. In all three cases, the malware was communicating with a single command and control beacon.
Finally, on December 14, 2012 the fourth company got hit, this time with PlugX malware that contained – among other nasties – a keylogging component. The software then stole a large number of files and sent them back to its controller, along with a lot of keylogging data.
The Feds say that they have seized communications between Yu – who is supposed to have gone under the handle GoldSon – and handlers in China from at least April 2011 that discussed the hacking and use of malware. The FBI claims Yu used the email firstname.lastname@example.org and that a decryption key found on one of the Sakula malware samples was 'Goldsunfucker."
Yu is accused of supplying advanced malware to the unnamed Chinese crook, who then hijacked a legitimate domain run by Microsoft in Korea. He allegedly claims that the associate's use of Sakula could cause blowback onto him, and it appears he was right.
If the Feds are correct, Yu was the malware writer who made the OPM attack possible, although it must be said that the pitifully poor state of security at the government agency made the attack much, much easier to pull off. ®