- Fotolia

Alleged Sakula malware attacker arrested by FBI

The FBI arrested Chinese national Yu Pingan for alleged involvement with cyberattacks using the Sakula malware, the same malware reportedly used in the OPM breach.

The FBI arrested a Chinese national in connection with cyberattacks utilizing the Sakula malware, however reports claiming a connection to the OPM breach are being questioned by experts.

The indictment alleged that Yu Pingan, aka GoldSun, was a "malware broker" in the People's Republic of China (PRC), who acquired and used malicious software tools, including the Sakula malware. Yu and co-conspirators were accused of gathering IP addresses of companies in the U.S. and elsewhere and attempting to use "a variety of techniques, including watering hole attacks, to surreptitiously install or attempt to install files and programs on the computer networks of companies."

Yu was arrested in Los Angeles on Wednesday Aug. 23, 2017 when he entered the U.S. to attend a conference. CNN first reported the arrest.

Early reports concerning the indictment have noted that the Sakula malware was allegedly used in the OPM breach, despite previous reports that the Chinese government arrested the two hackers behind the OPM breach in late 2015. Additionally, the connection between Yu's indictment and that attack isn't supported by the details of the indictment. The charges filed lists attacks spanning from April 17, 2011 to January 17, 2014, including alleged attacks on four U.S. companies.

According to the investigation by the House Oversight and Government Reform committee, the two attackers connected to the OPM breach initially infiltrated government systems in July 2012 and May 2014; neither date appears in Yu's indictment.

News reports have also drawn connections between the Sakula malware and the OPM breach. The source of that inference was an FBI Flash Alert from June 5, 2015, detailing the Sakula malware and released the same day the news of the OPM breach was first reported. However, the alert did not mention OPM or the Anthem breach, which was also alleged at the time to be the work of the same threat actors as the OPM breach.

When asked for clarification, an FBI spokesperson told SearchSecurity, "We don't have anything to provide other than pointing you to the publicly available information found in the unsealed court documents."

Experts debate Sakula malware connection

Security research firms CrowdStrike and FireEye tracked the Sakula malware, and said it was connected to a number of cyberattacks, the last of which was in 2015.

Adam Meyers, vice president of intelligence at CrowdStrike, noted that his firm has no evidence that the Sakula malware was connected to the OPM breach.

"Sakula malware was used by PRC-linked actors in a multi-year campaign targeting global aerospace targets and associated industries. The malware was continuously developed during that time and may have been used by multiple actors associated with the PRC," Meyers told SearchSecurity. "At this time CrowdStrike has not linked the recent indictment to the 2014 OPM breach."

Barry Vengerik, senior principal threat analyst at FireEye, said his firm observed Sakula malware usage by the threat group it tracks as APT26, "as well as a smaller separate group that was involved in the reported activity at OPM."

"We observed Sakula (which we call Viper), used by two, possibly three groups, one of which was tied to the activity at OPM. The vast majority of the observed usage was by APT26, whose activity is described in this indictment," Vengerik told SearchSecurity via email. "The majority of the observed activity was in the U.S., however we also observed defense industry targets in Europe. We also observed additional Viper activity against un-identified targets in Korea."

Next Steps

Learn the pros and cons of reporting ransomware attacks to the FBI.

Find out how FBI cyber investigations handle obfuscation techniques.

Get info on dark web market shutdowns that could lead to more arrests. 

Dig Deeper on Security operations and management