While the Chinese People's Liberation Army typically goes after
defense and trade secrets, this hacking group has repeatedly
accessed data that could be useful to Chinese counter-intelligence
and internal stability, said two people close to the U.S.
investigation.
Washington has not publicly accused Beijing of orchestrating the
data breach at the U.S. Office of Personnel Management (OPM), and
China has dismissed as "irresponsible and unscientific" any
suggestion that it was behind the attack.
Sources told Reuters that the hackers employed a rare tool to take
remote control of computers, dubbed Sakula, that was also used in
the data breach at U.S. health insurer Anthem Inc disclosed this
year.
The Anthem attack, in turn, has been tied to a group that security
researchers said is affiliated with China's Ministry of State
Security, which is focused on government stability,
counter-intelligence and dissidents. The ministry could not
immediately be reached for comment.
In addition, U.S. investigators believe the hackers registered the
deceptively named OPM-Learning.org website to try to capture
employee names and passwords, in the same way that Anthem, formerly
known as Wellpoint, was subverted with spurious websites such as
We11point.com, which used the number "1" instead of the letter "l".
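The look-alike domains described above (We11point.com for Wellpoint, OPM-Learning.org for OPM) can be caught on the defender's side by folding common digit-for-letter substitutions before comparing against protected names. The following is an added example, not code from the article or from any company named in it, and it generalises beyond the "1" for "l" case to other common confusables; the protected-name list and the confusable map are assumptions.

```python
import re

# Constructed sample: names a defender wants to protect (assumption, not from the article).
PROTECTED = {"wellpoint", "anthem", "opm"}

# Characters commonly swapped in for look-alike letters, e.g. "1" for "l" in We11point.
# The mapping is an assumption; extend it to match the alphabet you need to protect.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_name(domain: str) -> str:
    """Return the lowercased second-level label of a domain, ignoring scheme and path."""
    host = re.sub(r"^[a-z]+://", "", domain.strip().lower()).split("/")[0]
    labels = host.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_hits(domain: str, protected=PROTECTED) -> list[str]:
    """Return the protected names this domain imitates, or [] if it is not suspicious."""
    name = registrable_name(domain)
    folded = name.translate(CONFUSABLES)  # we11point -> wellpoint
    hits = []
    for brand in protected:
        # Homoglyph match: folds to the brand but is not spelled as the brand.
        if folded == brand and name != brand:
            hits.append(brand)
        # Brand embedded with a separator (opm-learning), excluding the brand itself.
        elif folded != brand and brand in re.split(r"[-_]", folded):
            hits.append(brand)
    return sorted(hits)


def scan(domains):
    """Map each observed domain (e.g. from proxy or DNS logs) to the brands it imitates."""
    return {d: lookalike_hits(d) for d in domains}


if __name__ == "__main__":
    # Constructed sample log entries; the two flagged ones mirror the article's examples.
    for domain, hits in scan(["We11point.com", "http://OPM-Learning.org/login",
                              "wellpoint.com", "anthem.com"]).items():
        print(f"{domain:35} {'imitates ' + ','.join(hits) if hits else 'ok'}")
```

Normalisation of this kind is a coarse filter: it will not catch Unicode homoglyphs or registrable names that differ from the brand by a dropped or added letter, so treat a hit as a prompt for review rather than proof of malice.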
Both the Anthem and OPM breaches used malicious software
electronically signed as safe with a certificate stolen from
DTOPTOOLZ Co, a Korean software company, the people close to the
inquiry said. DTOPTOOLZ said it had no involvement in the data
breaches.
The FBI did not respond to requests for comment. People familiar
with its investigation said Sakula had only been seen in use by a
small number of Chinese hacking teams.
"Chinese law prohibits hacking attacks and other such behaviors
which damage Internet security," China's Foreign Ministry said in a
statement. "The Chinese government takes resolute strong measures
against any kind of hacking attack. We oppose baseless insinuations
against China."
MANY UNKNOWNS
Most of the biggest U.S. cyber attacks blamed on China have been
attributed, with varying degrees of certitude, to elements of the
Chinese army. In the most dramatic case last year, the U.S. Justice
Department indicted five PLA officers for alleged economic
espionage.
Far less is known about the OPM hackers, and security researchers
have differing views about the size of the group and what other
attacks it is responsible for.
People close to the OPM investigation said the same group was behind
Anthem and other insurance breaches. But they are not yet sure which
part of the Chinese government is responsible.
"We are seeing a group that is only targeting personal information,"
said Laura Galante, manager of threat intelligence at FireEye Inc,
which has worked on a number of the high-profile network intrusions.
CrowdStrike and other security companies, however, say the Anthem
hackers also engaged in stealing defense and industry trade secrets.
CrowdStrike calls the group "Deep Panda," EMC Corp's RSA security
division dubs it "Shell Crew," and other firms have picked different
names.
The OPM breach gave hackers access to U.S. government job
applicants' security clearance forms detailing past drug use, love
affairs, and foreign contacts that officials fear could be used for
blackmail or recruiting.
In contrast to hacking outfits associated with the Chinese army,
"Deep Panda" appears to be affiliated with the Ministry of State
Security, said CrowdStrike co-founder Dmitri Alperovitch.
Information about U.S. spies in China would logically be a top
priority for the ministry, Alperovitch said, adding that "Deep
Panda's" tools and techniques have also been used to monitor
democracy protesters in Hong Kong.
An executive at one of the first companies to connect the Anthem and
OPM compromises, ThreatConnect, said the disagreements about the
boundaries of "Deep Panda" could reflect a different structure than
that in top-down military units.
"We think it's likely a cohort of Chinese actors, a bunch of
mini-groups that are handled by one main benefactor," said Rich
Barger, co-founder of ThreatConnect, adding that the group could get
software tools and other resources from a common supplier.
"We think this series of activity over time is a little more
distributed, and that is why there is not a broad consensus as to
the beginning and end of this group."
(Story corrects timing of the Anthem breach in fourth paragraph,
corrects timing of U.S. indictments in 10th paragraph, and corrects
spelling of FireEye executive's name in 13th paragraph)
(Reporting by Joseph Menn in San Francisco; Additional reporting by
Jeremy Wagstaff in Singapore, and Ben Blanchard and Paul Carsten in
Beijing; Editing by Tiffany Wu)
© 2015 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.