Justice Department officials arrested Yu Pingan of Shanghai on Monday for supplying malware that has been connected to the 2015 Office of Personnel Management (OPM) breach.
“On August 21, 2017, Yu Pingan was arrested at Los Angeles International Airport based on a Southern District of California criminal complaint,” a Department of Justice press representative confirmed to MeriTalk.
Though the complaint does not specifically refer to the OPM breach, security researchers have tied the malware named in the complaint, Sakula, to the hack on OPM. According to a June 2015 FBI Flash on the malicious tool, the theft of Personally Identifiable Information (PII), which was also stolen in the OPM breach, was a priority target for the Sakula hackers.
A June 2015 ThreatConnect blog ties the Sakula malware to a Chinese threat actor, which also targeted parts of the health sector and a Virginia-based defense contractor, VAE, Inc.
“We can strongly tie malicious infrastructure that maintains an Office of Personnel Management (OPM) theme to registration patterns observed with the faux VAE, Inc. themed infrastructure,” the blog said.
“Beginning in or about April 2011, and continuing up to and including on or about January 17, 2014, within the Southern District of California and elsewhere, defendant YU Pingan did knowingly, intentionally, and willfully agree and conspire with other persons known and unknown, including Uncharged Coconspirators (“UCC”) 1 and 2, to cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage without authorization to a protected computer, including a loss of at least $5,000,” an August 21 indictment says. “Defendant YU and co-conspirators in the [People’s Republic of China] would acquire and use malicious software tools, some of which were rare variants previously unidentified by the FBI and information security community, including a malicious software tool known as ‘Sakula.’”
The indictment lists four unnamed victims of the hacks, which occurred between 2010 and 2015.
“At the time of this malicious activity and those described below, Sakula was a new and rare malicious software tool. The only previous use of Sakula documented by the FBI occurred on or about November 21, 2012,” FBI special agent Adam R. James said in the affidavit attached to the indictment. “For reasons discussed below, seized emails tie YU and UCC #1 to this previously unknown malware. In addition, I believe that the novelty and rarity of this malware is evidence that only a small group of hackers knew of it and that they were working together.”
James added that, based on his knowledge of the case, he believed that Yu provided malware to UCC 1 and knew that it would be used to compromise U.S. networks.
The indictment includes a section stating that, in the event of Yu’s conviction in court, “any personal property that was used or intended to be used to commit or to facilitate the commission of the offense” shall be forfeited. Such forfeited property could lend insight into how the Sakula-based hacks were conducted.