
FBI alert discloses malware tied to the OPM and Anthem attacks

Steve Ragan | July 2, 2015
Memo reveals 312 different hashes for the Sakula malware.

The security problems over at the Office of Personnel Management (OPM) are still the leading story in the news lately.

Just last week the public learned that the breach might impact up to 32 million people, including current, former, and prospective federal employees.

Moreover, the FBI released a memo earlier this month outlining the malware used in the attack, which has ties to the attack at Anthem.

The new figure of 32 million people is linked to the fiscal 2016 budget proposal for the OPM, which says in part that the agency has banking information on 2 million people, and background investigation details on 30 million.

However, when asked for figures, OPM Director Katherine Archuleta refused to offer exact numbers in public hearings.

The big hoopla surrounding the OPM breach is that China was named as the top suspect, but no one will come out on record to say it officially. Assuming they are behind the incident, then this isn't a case of financial fraud -- this is espionage. Given that the OPM stored tens of millions of SF-86 forms (needed to obtain security clearance), the amount of raw data obtained by the attackers is staggering.

Another thought, for those of us who wear tinfoil hats -- what if records were not only taken, but some were added as well? Would the OPM be able to tell? The attackers had at least a year of unchecked access on the network -- plenty of time for someone to do whatever they wanted.

More technical details:

On June 5, the FBI released a memo detailing the malware used by actors that have "compromised and stolen sensitive business information and Personal Identifiable Information (PII)."

While Anthem and the OPM are not mentioned by name in the high confidence alert by the FBI, the timing can't be a coincidence. The key link though is the malware itself -- Sakula.

The memo mentions Sakula directly and includes 312 hashes of the malware. It isn't clear whether the hashes were collected recently from systems at the OPM or Anthem; while that is possible, and even plausible, there isn't any evidence supporting that line of thought.

Sakula is a RAT (Remote Access Trojan), and it was linked to the Anthem breach earlier this year by ThreatConnect, which concluded that the malware was using a stolen digital signature from the Korean company DTOPTOOLZ Co. and was configured to communicate with extcitrix.we11point[.]com and www.we11point[.]com -- two command and control (C2) domains used by the attackers.
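The practical use of an alert like this one is matching its indicators (the 312 file hashes and the two C2 domains) against your own telemetry. The following is an added example, not code from the article, the FBI memo, or ThreatConnect: it refangs the domains exactly as the article prints them, scans a few constructed resolver log lines (the key=value log format is hypothetical), and checks file contents against a hash set. Because the memo's hashes are not reproduced in the article, the hash set holds SHA-256 values of constructed sample bytes as stand-ins; swap in the alert's real values before running it against a fleet.

```python
import hashlib
import re
from typing import Dict, List, Optional, Set

# C2 domains named in the article, in the defanged form the article prints them.
C2_DOMAINS_DEFANGED = ["extcitrix.we11point[.]com", "www.we11point[.]com"]

# Stand-ins for the memo's 312 Sakula hashes: SHA-256 of constructed bytes.
SAKULA_HASHES: Set[str] = {
    hashlib.sha256(b"constructed sakula sample 1").hexdigest(),
    hashlib.sha256(b"constructed sakula sample 2").hexdigest(),
}

# Constructed resolver log lines in a hypothetical "ts client=... query=... type=..." format.
# Line 3 is upper-case with no trailing dot; line 2 is a different domain that must not match.
SAMPLE_DNS_LOG = """\
2015-06-05T10:00:01Z client=10.0.0.5 query=extcitrix.we11point.com. type=A
2015-06-05T10:00:02Z client=10.0.0.7 query=www.wellpoint.com. type=A
2015-06-05T10:00:03Z client=10.0.0.9 query=WWW.WE11POINT.COM type=A
2015-06-05T10:00:04Z client=10.0.0.5 query=update.microsoft.com. type=A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) type=(?P<qtype>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a comparable hostname: lowercase, no trailing dot."""
    return (
        indicator.replace("[.]", ".").replace("hxxp", "http").strip().rstrip(".").lower()
    )


def matches_c2(hostname: str, c2_domains: List[str]) -> Optional[str]:
    """Return the C2 indicator that hostname equals or is a subdomain of, else None."""
    host = hostname.strip().rstrip(".").lower()  # DNS logs often carry a trailing dot
    for domain in c2_domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_dns_log(log_text: str, c2_defanged: List[str]) -> List[Dict[str, str]]:
    """Parse log lines and return one hit record per query that matches a C2 indicator."""
    c2 = [refang(d) for d in c2_defanged]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        indicator = matches_c2(m.group("query"), c2)
        if indicator is not None:
            hits.append(
                {
                    "ts": m.group("ts"),
                    "client": m.group("client"),
                    "query": m.group("query"),
                    "indicator": indicator,
                }
            )
    return hits


def is_known_sakula(data: bytes, known_hashes: Set[str]) -> bool:
    """True when the SHA-256 of the file contents is in the indicator hash set."""
    return hashlib.sha256(data).hexdigest() in known_hashes


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, C2_DOMAINS_DEFANGED):
        print(f"{hit['ts']} {hit['client']} resolved {hit['query']} -> matches {hit['indicator']}")
    print(is_known_sakula(b"constructed sakula sample 1", SAKULA_HASHES))
```

Matching is done on the normalized hostname (lowercase, trailing dot removed) and on the indicator's subdomains, so a query for the exact host or anything under it is flagged while an unrelated domain that merely looks similar is not. Hash matching is only as good as the hash list, since any rebuild of the sample defeats it, which is why the domain check is worth running alongside it.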

"Passive DNS and historic DomainTools Whois data also provided insights that helped establish an initial timeline dating back to April 2014, when the faux domains came into existence and were later operationalized by the attackers," ThreatConnect explained.
