FBI Arrest Chinese National Linked to OPM Data Breach Malware

A 36-year-old Chinese national was arrested in Los Angeles this week in connection with a computer hacking conspiracy involving malware linked to the 2014 US Office of Personnel Management (OPM) data breach.

Yu Pingan of Shanghai, China, was arrested on Wednesday while traveling at Los Angeles International Airport. Also identified by the hacker pseudonym “GoldSun,” Yu has been charged under the Computer Fraud and Abuse Act and is further accused of conspiracy to commit offense or defraud the United States.

According to an August 21 indictment, filed in the US District Court for the Southern District of California, Yu collaborated with others, including two unnamed individuals who have not been charged, to acquire and use malware to facilitate cyberattacks against at least four unnamed US companies. The FBI has identified Yu’s co-conspirators as living in the People’s Republic of China. At this stage, the names of the companies (i.e., victims) are being suppressed, which is not unusual.


The indictment is accompanied by an affidavit signed by an FBI agent assigned to a cybercrime squad at the bureau’s San Diego Field Office. A spokesperson for the bureau could not be immediately reached for comment.

The FBI has accused Yu of discussing the installation of a remote access trojan, or RAT, at an unidentified company as early as June 2011. A year later, one of his co-conspirators allegedly installed malicious files on the network of a San Diego-based company. The same company was allegedly attacked again on or before December 3, 2013.


In January 2013, Yu’s co-conspirators allegedly used a variant of the malware Sakula in an attack on a second company based in Massachusetts. Multiple security firms have tied Sakula to the OPM attack—a massive data breach that involved the records of millions of US citizens who had undergone government security clearance checks. According to Washington Post sources, China’s involvement was suspected by US authorities, though the Obama administration never officially ascribed blame.

Chinese authorities have repeatedly denied any involvement in the OPM attack. “The Chinese government takes resolute strong measures against any kind of hacking attack,” China’s Foreign Ministry told Reuters in 2015. “We oppose baseless insinuations against China.”


Sakula was also used in the 2015 Anthem data breach, which involved the potential theft of roughly 80 million individuals’ personal medical records. Independent investigators concluded with medium confidence earlier this year that the Anthem attack was likely carried out on behalf of a foreign government.

Neither Anthem nor OPM is cited in connection with Yu’s arrest and Anthem does not appear to be based in any of the cities mentioned in the indictment. Yu was allegedly linked to use of the then-rare Sakula malware through emails obtained by the FBI.


Yu’s co-conspirators are, however, said to have breached a third company based in Los Angeles in December 2012. The attackers allegedly took advantage of a then-unknown vulnerability—or “zero day”—in Microsoft’s Internet Explorer, which allowed for remote code execution and injection of Sakula.

Sakula is also a known tool of the China-based advanced persistent threat nicknamed Deep Panda, or APT 19, which has been linked by security researchers to both the OPM and Anthem attacks.


The two unnamed and unindicted co-conspirators also allegedly attacked a fourth company based in Arizona. The FBI agent’s affidavit states that Yu provided one of the co-conspirators the malicious software as early as April 2011. The communications allegedly show that Yu also informed the second co-conspirator of an exploit for Adobe’s Flash software.

What’s more, FBI-seized communications show that in November 2011, Yu indicated that he had “compromised the legitimate Korean Microsoft domain used to download software updates for Microsoft products,” and further stated, allegedly, that the hacked site could be used to launch phishing attacks.


According to CNN, Yu was arrested after entering the US on Wednesday to attend a conference.

This story is developing and will be updated as more information becomes available.