FBI alert discloses malware tied to the OPM and Anthem attacks

Memo reveals 312 different hashes for the Sakula malware

[Image: Office of Personnel Management. Credit: REUTERS/James Lawler Duggan]

The security problems over at the Office of Personnel Management (OPM) are still the leading story in the news lately.

Just last week the public learned that the breach might impact up to 32 million people, including current, former, and prospective federal employees.

Moreover, the FBI released a memo earlier this month outlining the malware used in the attack, which has ties to the attack at Anthem.

The new figure of 32 million people is linked to the fiscal 2016 budget proposal for the OPM, which says in part that the agency has banking information on 2 million people, and background investigation details on 30 million.

However, when asked for figures, OPM Director Katherine Archuleta refused to offer exact numbers in public hearings.

The big hoopla surrounding the OPM breach is that China was named as the top suspect, but no one will go on the record to say it officially. Assuming they are behind the incident, then this isn't a case of financial fraud – this is espionage. Given that the OPM stored tens of millions of SF-86 forms (needed to obtain a security clearance), the amount of raw data obtained by the attackers is staggering.

Another thought, for those of us who wear tinfoil hats – what if records were not only taken, but some were added as well? Would the OPM be able to tell? The attackers had at least a year of unchecked access on the network – plenty of time for someone to do whatever they wanted.

More technical details:

On June 5, the FBI released a memo detailing the malware used by actors that have "compromised and stolen sensitive business information and Personal Identifiable Information (PII)."

While Anthem and the OPM are not mentioned by name in the high-confidence alert issued by the FBI, the timing can't be a coincidence. The key link, though, is the malware itself – Sakula.

The memo mentions Sakula directly, and includes 312 hashes of the malware. It isn't clear, however, whether the hashes were collected recently from systems at the OPM or Anthem. While that's possible, and even believable, there isn't any evidence supporting that line of thought.

Sakula is a RAT (Remote Access Trojan), and it was linked to the Anthem breach earlier this year by ThreatConnect, who concluded that the malware was signed with a digital certificate stolen from the Korean company DTOPTOOLZ Co. and configured to communicate with extcitrix.we11point[.]com and www.we11point[.]com, two command and control (C2) domains used by the attackers.

"Passive DNS and historic DomainTools Whois data also provided insights that helped establish an initial timeline dating back to April 2014, when the faux domains came into existence and were later operationalized by the attackers," ThreatConnect explained.

More recently, anonymous sources who have spoken to Reuters have referenced other domains registered by those behind Sakula, including www.OPM-Learning[.]org, offering a link between the methods used in both cases.
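A defender can turn the indicators quoted above into a simple DNS-log check. The following is an added example, not code from the article or from any of the vendors it cites: it refangs the published domains, scans constructed DNS query log lines for exact matches, and also flags lookalike hostnames that spell a protected brand with digit-for-letter substitutions (the `we11point` pattern). The brand list, log format and sample lines are assumptions made for the example.

```python
import re

# C2 domains exactly as the article publishes them (defanged with "[.]").
DEFANGED_C2 = [
    "extcitrix.we11point[.]com",
    "www.we11point[.]com",
    "www.OPM-Learning[.]org",
]

# Assumption: brand names whose look-alikes we want to catch in DNS traffic.
PROTECTED_BRANDS = ["wellpoint", "anthem", "opm"]

# Digits and symbols commonly swapped for letters in look-alike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

def refang(domain):
    """Turn a published, defanged indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

KNOWN_C2 = {refang(d) for d in DEFANGED_C2}

def classify(hostname):
    """Return 'known_c2', 'lookalike' or 'clean' for one queried hostname."""
    host = hostname.lower().rstrip(".")
    if host in KNOWN_C2:
        return "known_c2"
    for label in host.split("."):
        normalized = label.translate(CONFUSABLES)
        for brand in PROTECTED_BRANDS:
            # Brand appears only after undoing substitutions -> spoofed spelling.
            if brand in normalized and brand not in label:
                return "lookalike"
    return "clean"

# Constructed sample log lines (not real traffic) in a simple key=value format.
SAMPLE_DNS_LOG = """\
2015-06-05T10:01:02Z client=10.0.0.5 query=www.wellpoint.com type=A
2015-06-05T10:01:07Z client=10.0.0.5 query=extcitrix.we11point.com type=A
2015-06-05T10:02:13Z client=10.0.0.9 query=login.we11p0int.net type=A
2015-06-05T10:03:44Z client=10.0.0.7 query=www.opm-learning.org type=A
2015-06-05T10:04:01Z client=10.0.0.7 query=mail.example.org type=MX
"""

QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

def scan_dns_log(text):
    """Return (client, hostname, verdict) for every non-clean query line."""
    hits = []
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            verdict = classify(match["query"])
            if verdict != "clean":
                hits.append((match["client"], match["query"], verdict))
    return hits
```

Running `scan_dns_log(SAMPLE_DNS_LOG)` reports the two published C2 domains as known indicators and the constructed `we11p0int` host as a lookalike, while the genuine `wellpoint.com` query passes.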

In November of 2014, CrowdStrike reported on Deep Panda, a campaign focused on organizations in the government (including the U.S. Defense Industrial Base), healthcare, and technology sectors. The malware used by the Deep Panda campaign was Sakula, and the actors involved are believed to reside in China.

"Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions," the FBI memo notes.

The timing of the Deep Panda reports is interesting to note, because CrowdStrike first reported on the campaign in July 2014, which is when the OPM breach is believed to have started.

Sources who spoke anonymously to Reuters have said that the Anthem and OPM breaches are connected. Now that the FBI has confirmed the malware used, the connection between the two incidents is clearer, but not perfect.

But even if they are connected, that doesn't fix the overall problems that led to the breaches in the first place. Anthem can, and has started to, clean up its act. The OPM, however, has a long way to go, which is why rushing to pin the blame on one country or another isn't the right response.

Attribution is useful in law enforcement cases, and clearly OPM meets that standard. Yet, the problems that enabled the OPM attackers are the bigger concern. Knowing China (assuming that's the case) attacked the OPM doesn't solve the problem if nothing's done to prevent it from happening again.

Instead of hearings in D.C. that are focused on blame and attribution, perhaps there should be hearings to address budget cuts and the lack of proper security staffing in critical areas of the government.

For those who receive them, the FBI memo in question is A-000061, issued June 5, 2015.

This story, "FBI alert discloses malware tied to the OPM and Anthem attacks" was originally published by CSO.