FBI alert discloses malware tied to the OPM and Anthem attacks

The security problems over at the Office of Personnel Management (OPM) remain the leading story in the news.

Just last week the public learned that the breach might impact up to 32 million people, including current, former, and prospective federal employees.

Moreover, the FBI released a memo earlier this month outlining the malware used in the attack, which has ties to the attack at Anthem.

The new figure of 32 million people is linked to the fiscal 2016 budget proposal for the OPM, which says in part that the agency has banking information on 2 million people, and background investigation details on 30 million.

However, when asked for figures, OPM Director Katherine Archuleta refused to offer exact numbers in public hearings.

The big hoopla surrounding the OPM breach is that China was named as the top suspect, but no one will come out on record to say it officially. Assuming they are behind the incident, then this isn't a case of financial fraud -- this is espionage. Given that the OPM stored tens of millions of SF-86 forms (needed to obtain security clearance), the amount of raw data obtained by the attackers is staggering.

Another thought, for those of us who wear tinfoil hats -- what if records were not only taken, but some were added as well? Would the OPM be able to tell? The attackers had at least a year of unchecked access on the network -- plenty of time for someone to do whatever they wanted.

More technical details:

On June 5, the FBI released a memo detailing the malware used by actors that have "compromised and stolen sensitive business information and Personal Identifiable Information (PII)."

While Anthem and the OPM are not mentioned by name in the high confidence alert by the FBI, the timing can't be a coincidence. The key link though is the malware itself -- Sakula.

The memo mentions Sakula directly, and includes 312 hashes of the malware. It isn't clear, however, whether the hashes were collected recently from systems at the OPM or Anthem. While that is possible -- believable, even -- there isn't any evidence supporting that line of thought.

Sakula is a RAT (Remote Access Trojan), and it was linked to the Anthem breach earlier this year by ThreatConnect, who concluded that the malware was signed with a stolen digital certificate from the Korean company DTOPTOOLZ Co. and configured to communicate with extcitrix.we11point[.]com and www.we11point[.]com -- two command and control (C2) domains used by the attackers.

"Passive DNS and historic DomainTools Whois data also provided insights that helped establish an initial timeline dating back to April 2014, when the faux domains came into existence and were later operationalized by the attackers," ThreatConnect explained.

More recently, anonymous sources who have spoken to Reuters have referenced other domains registered by those behind Sakula, including www.OPM-Learning[.]org, offering a link between the methods used in both cases.
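The faux domains above (we11point for wellpoint, OPM-Learning for opm) are the kind of thing a defender can hunt for in DNS logs. As an added example, not part of the original article, the script below refangs the published indicators and scans constructed DNS query log lines for exact C2 matches and for digit-for-letter or hyphenated-brand lookalikes; the log format, the allowlist of legitimate domains and the confusable-character table are assumptions.

```python
import re
# Indicators quoted above, as published (defanged); allowlist, log format and log lines are constructed.
DEFANGED_IOCS = ["extcitrix.we11point[.]com", "www.we11point[.]com", "www.OPM-Learning[.]org"]
LEGITIMATE = {"wellpoint.com", "opm.gov"}       # assumed real domains of the impersonated brands
BRANDS = {d.split(".")[0] for d in LEGITIMATE}  # {"wellpoint", "opm"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def refang(ioc):
    """Turn a defanged indicator back into a resolvable hostname."""
    return ioc.replace("[.]", ".").replace("(.)", ".").lower()

KNOWN_C2 = {refang(i) for i in DEFANGED_IOCS}

def registered_domain(host):
    """Last two labels of the name (enough for .com/.org/.gov; no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def impersonated_brand(host):
    """Return the brand a domain imitates, or None if it is legitimate or unrelated."""
    reg = registered_domain(host)
    if reg in LEGITIMATE:
        return None
    label = reg.split(".")[0].translate(CONFUSABLES)  # we11point -> wellpoint
    tokens = set(label.split("-")) | {label}          # opm-learning -> opm, learning
    hits = tokens & BRANDS
    return min(hits) if hits else None

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")

def scan_dns_log(lines):
    """Return (client, qname, reason) for queries to known C2 or lookalike names."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in KNOWN_C2:
            alerts.append((m["client"], qname, "known C2"))
        elif (brand := impersonated_brand(qname)):
            alerts.append((m["client"], qname, f"lookalike of {brand}"))
    return alerts

SAMPLE_LOG = [  # constructed
    "2015-06-05T09:12:01Z 10.20.30.40 query www.wellpoint.com",
    "2015-06-05T09:12:07Z 10.20.30.40 query extcitrix.we11point.com",
    "2015-06-05T09:13:44Z 10.20.30.41 query www.opm-learning.org",
    "2015-06-05T09:14:30Z 10.20.30.41 query mail.we11point.org",
    "2015-06-05T09:15:10Z 10.20.30.42 query updates.example.net",
]
```

The lookalike check deliberately catches names that share the published registrant's pattern but are not in the indicator list (mail.we11point.org here), which is the point of hunting on the pattern rather than on the exact hashes or hostnames.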

In November of 2014, CrowdStrike reported on Deep Panda, a campaign focused on organizations in the government (including the U.S. Defense Industrial Base), healthcare, and technology sectors. The malware used by the Deep Panda campaign was Sakula, and the actors involved are believed to reside in China.

"Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions," the FBI memo notes.

The timing of the Deep Panda reports is interesting to note, because CrowdStrike first reported on the campaign in July 2014, which is when the OPM breach is believed to have started.

Sources who spoke anonymously to Reuters have said that the Anthem and OPM breaches are connected. Now that the FBI has confirmed the malware used, the connection between the two incidents is cleaner - but not perfect.

But even if they are connected, that doesn't fix the overall problems that led to the breaches in the first place. Anthem can and has started to clean up their act. The OPM however, has a long way to go, which is why rushing to fix blame on one country or another isn't the right response.

Attribution is useful in law enforcement cases, and clearly OPM meets that standard. Yet, the problems that enabled the OPM attackers are the bigger concern. Knowing China (assuming that's the case) attacked the OPM doesn't solve the problem if nothing's done to prevent it from happening again.

Instead of hearings in D.C. that are focused on blame and attribution, perhaps there should be hearings to address budget cuts and the lack of proper security staffing in critical areas of the government.

For those that get them, the FBI memo in question is A-000061, issued June 5, 2015.
