More recently, anonymous sources who have spoken to Reuters have referenced other domains registered by those behind Sakula, including www.OPM-Learning[.]org, offering a link between the methods used in both cases.
In November of 2014, CrowdStrike reported on Deep Panda, a campaign focused on organizations in the government (including the U.S. Defense Industrial Base), healthcare, and technology sectors. The malware used by the Deep Panda campaign was Sakula, and the actors involved are believed to reside in China.
"Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions," the FBI memo notes.
The timing of the Deep Panda reports is interesting to note, because CrowdStrike first reported on the campaign in July 2014, which is when the OPM breach is believed to have started.
Sources who spoke anonymously to Reuters have said that the Anthem and OPM breaches are connected. Now that the FBI has confirmed the malware used, the connection between the two incidents is cleaner - but not perfect.
But even if they are connected, that doesn't fix the overall problems that led to the breaches in the first place. Anthem can and has started to clean up their act. The OPM however, has a long way to go, which is why rushing to fix blame on one country or another isn't the right response.
Attribution is useful in law enforcement cases, and clearly OPM meets that standard. Yet, the problems that enabled the OPM attackers are the bigger concern. Knowing China (assuming that's the case) attacked the OPM doesn't solve the problem if nothing's done to prevent it from happening again.
Instead of hearings in D.C. that are focused on blame and attribution, perhaps there should be hearings to address budget cuts and the lack of proper security staffing in critical areas of the government.
For those that get them, the FBI memo in question is A-000061, issued June 5, 2015.
Sign up for CIO Asia eNewsletters.