The FBI may have made its first arrest in connection with the hack that stole the data of 21.5 million current and former federal employees.
In a court filing on Sept. 21, the FBI arrested Pingan Yu, who they say is a malware broker in the People’s Republic of China (PRC).
The FBI alleges Yu supplied the malicious software tool known as “Sakula” to hackers. While the arrest documents do not specifically call out the attack against the Office of Personnel Management’s network, which stole personal information of federal employees and their families, intelligence officials and cyber experts have linked both China and the Sakula malware to the attack.
OPM announced the attack in June 2015.
Insight by ThunderCat Technology and Cisco: Federal technology experts provide insight into how video teleconferencing systems have evolved in importance during the pandemic in this exclusive executive briefing.
The sharing of Sakula is the strongest evidence that Yu is connected to the hack.
A second reason why this could be connected to the OPM hack is the charges brought against Yu include conspiracy to defraud the United States, which includes cheating the government out of money or property, obstructing government activity or making wrongful use of government instrumentality. The FBI also charged Yu under the computer hacking statute.
The FBI warned the public in a June 2015 alert about the Sakula malware. News reports at the time contended that the hackers who broke into OPM and Anthem’s systems used Sakula.
In the court filings, the FBI details how Yu and others allegedly attacked three separate unnamed companies.
“Defendant Yu and co-conspirators in the PRC would establish an infrastructure of domain names, IP addresses, accounts with Internet service providers, and websites to facilitate hacks of computer networks operated by companies in the United States and elsewhere,” the FBI wrote. “Defendant Yu and co-conspirators in the PRC would use elements of that infrastructure and a variety of techniques, including watering hole attacks, to surreptitiously install or attempt to install files and programs on the computer networks of companies in the United States and elsewhere, including but not limited to Company A, Company B, and Company C.”
The FBI says the initial efforts to break into organizations’ networks started in 2010, and purportedly installed Sakula on Company C’s network in January 2013. Yu and others also installed the malware on Company A and B’s networks in June and December 2013.
A House Oversight and Government Reform Committee report on the OPM hack from September 2016 said, “The first confirmed adversarial activity for both incidents came within a two-month span in November and December 2013.”
The FBI says in its court filings that it has seized emails that tie Yu and others to this previously unknown malware.
“In addition, I believe that the novelty and rarity of this malware is evidence that only a small group of hackers knew of it and that they were working together,” wrote Adam James, a FBI special agent who led the investigation.
The hack of OPM helped transform federal cyber efforts, leading to a cyber sprint and executive attention to IT security.
A recent example of these changes came earlier this summer when agencies fared much better than many other organizations when the WannaCry ransomware malware impacted more than 300,000 computers worldwide.
As for OPM, it initiated a 15-step improvement plan. A recent report by the Government Accountability Office found OPM fell short of implementing all 15 improvements detailed by the Homeland Security Department’s US-CERT. Specifically, auditors say OPM continues to struggle to encrypt data at rest and in transit. The agency also continues to fall short in meeting oversight requirements of contractor systems.
If Yu is convicted under the defraud charge, he would face fines of not more than $250,000 (not more than $500,000 for organizations). If Yu is convicted under the computer hacking charge, he would face imprisonment for no more than a year for simple cyberspace trespassing, to a maximum of life imprisonment when death results from intentional computer damage.