FBI Arrests Chinese Hacker With Possible Links to OPM Breach

The FBI alleges that the Chinese researcher helped to develop and distribute the Sakula malware, which has been linked to multiple large data breaches.

DOJ hackers 2

The FBI arrested a Chinese national identified as Yu Pingan on Aug. 21, alleging he was involved in the creation of malware that has impacted multiple U.S. organizations. Pingan was arrested in Los Angeles, where he was attending a conference.

Pingan, who is also known by the alias "GoldSun," has been charged with one count of conspiracy computer hacking, according to a Department of Justice indictment.

The DoJ complaint alleges Pingan was a malware broker in the People's Republic of China (PRC) and from April 2011 until January 2014 transmitted malware code that was used in attacks against multiple organizations. The legal complaint does not identify the victims by name, but rather just as Companies A,B,C and D.

Pingan did not act alone, and the legal complaint states that he allegedly acted together with co-conspirators in China, though his collaborators have not been explicitly identified by the DoJ. The DoJ alleges that Pingan and his co-conspirators in the PRC used a malware tool known as Sakula to conduct their operations.

The indictment also alleges that Pingan had access to multiple zero-day exploits, including CVE-2012-4969, CVE-2012-4792 and CVE-2014-0322, that were used by the Sakula malware and its variants.

"No later than Dec. 12, 2012, malicious files were installed on Company C's web server as part of a watering hole attack, that, between Dec. 12 2012 and Jan. 1, 2013, distributed malicious code to 377 unique U.S.-based IP addresses," the complaint stated. "This attack used the Sakula malicious software (malware) to compromise networks assigned these IP addresses."

The indictment claims that Pingan and his co-conspirators engaged in multiple such watering hole attacks, whereby compromising one server led to the exploit of multiple additional systems that regularly connected to the server.

The Sakula malware has previously been linked to the Anthem breach in 2015 as well as the breach at the U.S. Office of Personnel Management (OPM). The Anthem breach exposed at least 80 million Americans to risk as their health-care insurance information was exposed. The OPM breach exposed information on 25.7 million Americans. Back in July 2015, a report alleged that the same group was behind both the Anthem and OPM breaches, as well as a breach at United Airlines. At the time, the group behind the data breaches was identified as being based in China.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.