OPM Hack: FBI Arrests Chinese National Accused Of Distributing Malware

A Chinese national was arrested by United States law enforcement this week and accused of providing hackers with malware that was used to breach computer networks belonging to American organizations.

Yu Pingan was taken into custody by the Federal Bureau of Investigation (FBI) on August 21. The 36-year-old Chinese citizen was stopped at the Los Angeles International Airport and taken into custody.

According to an August 21 indictment, filed in the US District Court for the Southern District of California, Yu—who is also referred to as “GoldenSun”—is accused of distributing malicious software to a pair of unnamed hackers. The hackers were not charged in the indictment.

The malware supposedly distributed by Yu was used in attacks launched against four U.S. companies between April 2011 and January 2014. While the companies are not named, the indictment notes they are located in San Diego, Los Angeles, Massachusetts and Arizona.

Yu supposedly began discussing the installation of a remote access trojan (RAT) with the apparent co-conspirators in 2011. In 2012, one of the hackers carried out the discussed attack against a company in San Diego—then hit the same company again late in 2013. Another attack carried out by the hackers hit a company in Massachusetts in January 2013.

That attack made use of a variant of the Sakula malware, a rarely used but extremely troublesome trojan that has been used in a number of high-profile, targeted attacks launched in the last decade.

An analysis of the trojan by SecureWorks found the attack often is disguised as a software updater for common programs from companies like Adobe and Microsoft. Once installed on a machine, the malware gives the attackers the ability to actively control the compromised system, download and execute additional malicious programs, and operate in plain sight without detection through obfuscation methods.

Sakula has been linked to a breach of the Office of Personnel Management. The attack, which hit the government organization in 2015, resulted in the exposure of personal information belonging to more than 21.5 million Americans who applied for security clearances to work for the government.

The same trojan has been attached to an attack against health insurance provider Anthem, which resulted in nearly 80 million personal medical records being leaked. It does not appear Anthem operates in any of the cities listed in the indictment and the company is not mentioned directly.

The United States never formally placed blame on China for the breach, but officials within the U.S. government long suspected the involvement of the country. The arrest and indictment of Yu may suggest evidence of such involvement, if not from the Chinese government than of a Chinese citizen.

The Chinese government, for its part, has repeatedly denied having any involvement in the OPM breach.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement to Reuters in 2015. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”