The FBI has disclosed that multiple hacker groups carried out the cyber attack that compromised the records of 4 million government workers in the networks of the Office of Personnel Management.
The FBI has obtained information regarding cyber actors who have compromised and stolen sensitive business information and personally identifiable information (PII)
Information obtained from victims indicates that PII was a priority target
Security analysts familiar with the OPM breach, disclosed in a notice last week, said two groups of Chinese state-sponsored hackers appear to be behind the cyber attacks, including one linked to the Chinese military that has been dubbed “Deep Panda.”
Deep Panda is a highly sophisticated Chinese military hacker unit that has been gathering data on millions of Americans. The group was linked in the past to the hacking of the health care provider Anthem that compromised the personal data of some 80 million customers.
The alert revealed that the software used by the hackers is called Sakula, which security analysts say was the Root Access Tool, or RAT, that was used by the Chinese in both the OPM and Anthem hacks.
Sakula software employs stolen, signed security certificates to gain unauthorized network access and analysts said the use of that technique requires cyber sophistication that is not known to be used outside of nation-state cyber forces.
One private sector cyber security specialist familiar with the OPM hack said that in addition to the government’s personnel database, other major cyber attacks believed to be carried out by Chinese hackers include clandestine intrusions into the networks of a major telecommunications company and a major aviation industry firm.
The hackers’ use of several domain names in the OPM hacking also are similar to domains used by Chinese cyber attackers in the past. The domains were identified as OPMsecurity.org and opm-learning.org.
Another signature linking the OPM hack to China was the hackers’ use of a program called Mimikatz that is used to gain high-level remote access to networks.
“Mimikatz is a classic of Deep Panda” in terms of tactics, techniques, and procedures, said a security analyst familiar with details of the attack. “This allows the actors to dump password hashes, perform pass the hash and ‘golden ticket’ attacks in the victim environment.”
The private security company CrowdStrike first identified Deep Panda and has called the group among the most sophisticated state-sponsored hackers.
China’s main military intelligence service that has been linked to cyber attacks is the Third Department of the General Staff, or 3PLA, which conducts cyber warfare.
