FBI Arrests Chinese Hacker With Links to OPM and Anthem Breaches | eWeek

FBI Arrests Chinese Hacker With Possible Links to OPM Breach

DOJ hackers 2
Aug 25, 2017
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

The FBI arrested a Chinese national identified as Yu Pingan on Aug. 21, alleging he was involved in the creation of malware that has impacted multiple U.S. organizations. Pingan was arrested in Los Angeles, where he was attending a conference.

Pingan, who is also known by the alias “GoldSun,” has been charged with one count of conspiracy computer hacking, according to a Department of Justice indictment.

The DoJ complaint alleges Pingan was a malware broker in the People’s Republic of China (PRC) and from April 2011 until January 2014 transmitted malware code that was used in attacks against multiple organizations. The legal complaint does not identify the victims by name, but rather just as Companies A,B,C and D.


Pingan did not act alone, and the legal complaint states that he allegedly acted together with co-conspirators in China, though his collaborators have not been explicitly identified by the DoJ. The DoJ alleges that Pingan and his co-conspirators in the PRC used a malware tool known as Sakula to conduct their operations.

The indictment also alleges that Pingan had access to multiple zero-day exploits, including CVE-2012-4969, CVE-2012-4792 and CVE-2014-0322, that were used by the Sakula malware and its variants.

“No later than Dec. 12, 2012, malicious files were installed on Company C’s web server as part of a watering hole attack, that, between Dec. 12 2012 and Jan. 1, 2013, distributed malicious code to 377 unique U.S.-based IP addresses,” the complaint stated. “This attack used the Sakula malicious software (malware) to compromise networks assigned these IP addresses.”

The indictment claims that Pingan and his co-conspirators engaged in multiple such watering hole attacks, whereby compromising one server led to the exploit of multiple additional systems that regularly connected to the server.

The Sakula malware has previously been linked to the Anthem breach in 2015 as well as the breach at the U.S. Office of Personnel Management (OPM). The Anthem breach exposed at least 80 million Americans to risk as their health-care insurance information was exposed. The OPM breach exposed information on 25.7 million Americans. Back in July 2015, a report alleged that the same group was behind both the Anthem and OPM breaches, as well as a breach at United Airlines. At the time, the group behind the data breaches was identified as being based in China.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.