
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

FBI Alert Suggests OPM/Anthem Malware Link

The recently discovered data breach at the Office of Personnel Management (OPM) appears to have sparked an FBI alert (FBI memo: A-000061, issued June 5, 2015, according to CSO) over a particularly nasty strain of malware called Sakula.

Healthcare Organizations Under Threat from Sakula Malware

The Sakula malware strain is a Remote Access Trojan (RAT): once installed on a victim’s computer, it allows the attackers to make changes to the system, download additional files, or otherwise do as they please. The malware is often unwittingly downloaded from infected websites and pop-ups, or installed via malicious email attachments.

The FBI Memo warns that:

“Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions.”

Sakula Linked to Anthem and OPM Data Breaches

The timing of the FBI’s high-confidence alert may be a coincidence, although given recent events this appears unlikely. The FBI memo lists 312 hashes of Sakula malware samples from a number of recent attacks, although the FBI did not confirm the source of the malware, nor did the memo mention Anthem or the OPM.


Anthem has not disclosed the exact strain of malware responsible for its 78.8 million-record data breach; it has only said the breach was malware-related and the result of a highly sophisticated hacking campaign. The hackers gained access using a (spear) phishing campaign that allowed them to compromise user accounts.

Sakula was identified as a likely candidate for the cyberattack on Anthem by ThreatConnect via its Threat Intelligence Platform (TIP). The company’s software engineers determined that the malware was using a stolen digital signature from DTOPTOOLZ Co., a Korean software company, and that it had been configured to send and receive data from two command and control (C2) domains: extcitrix.we11point[.]com and www.we11point[.]com.

According to Reuters, which was contacted by anonymous sources, a number of domains were used by those behind the Sakula attacks, one of which was www.OPM-Learning[.]org.
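The C2 and lookalike domains above are the kind of indicator a defender would load into DNS log monitoring. The following is an added example, not code from the article, ThreatConnect or the FBI memo: it refangs the defanged indicators exactly as they appear on the page, scans a few constructed DNS log lines for exact matches, and additionally flags digit-for-letter lookalikes (the "1" for "l" in we11point) of brands the organisation wants to protect. The log format, hostnames, the protected-brand list and the allowlist of legitimate domains are all assumptions for the demonstration.

```python
import re
from typing import List, Optional, Set, Tuple

# Defanged indicators as reported on the page (ThreatConnect and Reuters).
DEFANGED_IOCS = [
    "extcitrix.we11point [.] com",
    "www.we11point [.] com",
    "www.OPM-Learning [.]org",
]

# Assumption: brands the organisation wants lookalike alerts for, and the
# domains those brands legitimately use (anything else that imitates the
# brand name is treated as suspicious).
PROTECTED_BRANDS = ["wellpoint", "opm"]
LEGITIMATE_DOMAINS = {"www.wellpoint.com", "wellpoint.com", "www.opm.gov", "opm.gov"}

# Constructed sample DNS log, one query per line (not real telemetry).
DNS_LOG = """\
2015-06-05T10:12:01Z host=ws-1044 query=www.wellpoint.com type=A
2015-06-05T10:12:07Z host=ws-1044 query=extcitrix.we11point.com type=A
2015-06-05T10:13:22Z host=ws-2201 query=updates.example.net type=A
2015-06-05T10:14:03Z host=ws-0917 query=www.opm-learning.org type=A
2015-06-05T10:15:45Z host=ws-2201 query=shopmart.example type=A
2015-06-05T10:16:30Z host=ws-0333 query=mail.we11point.net type=A
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'www.we11point [.] com' back into a real FQDN."""
    s = indicator.strip().lower()
    s = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", s)   # " [.] " / "[.]" -> "."
    s = s.replace("(.)", ".").replace("hxxp", "http")
    return s


def ioc_set() -> Set[str]:
    """Refanged, lower-cased set of known indicator domains."""
    return {refang(i) for i in DEFANGED_IOCS}


def normalise_homoglyphs(label: str) -> str:
    """Undo common digit-for-letter swaps so 'we11point' compares equal to 'wellpoint'."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "-": ""})
    return label.translate(table)


def is_lookalike(domain: str) -> Optional[str]:
    """Return the imitated brand if any DNS label of the domain starts with a
    protected brand name after homoglyph normalisation; None for allowlisted
    or unrelated domains. A deliberately simple heuristic."""
    if domain in LEGITIMATE_DOMAINS:
        return None
    for label in domain.split("."):
        norm = normalise_homoglyphs(label)
        for brand in PROTECTED_BRANDS:
            if norm.startswith(brand):
                return brand
    return None


def scan_dns_log(log_text: str, iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (host, queried name, reason) for every line that hits a known
    indicator or a brand lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"host=(\S+)\s+query=(\S+)", line)
        if not m:
            continue
        host, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname in iocs:
            hits.append((host, qname, "known C2 indicator"))
        else:
            brand = is_lookalike(qname)
            if brand:
                hits.append((host, qname, f"lookalike of {brand}"))
    return hits


if __name__ == "__main__":
    for host, qname, reason in scan_dns_log(DNS_LOG, ioc_set()):
        print(f"{host}\t{qname}\t{reason}")
```

The exact-match path catches only domains already on a published list; the lookalike path is what would have surfaced a previously unseen we11point or OPM-themed domain, at the cost of tuning the brand list to avoid noise.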

Evidence of Sakula Link Mounts

The Deep Panda campaign and the start of the OPM breach occurred in the same month, and Sakula was used in the Deep Panda campaign. It has been proposed that the malware was also used to gain access to OPM data. Reuters has spoken to a number of sources who believe that the OPM and Anthem data breaches are linked.

It is all supposition, as neither Anthem, the OPM, nor the FBI has confirmed the exact details of the attacks, and no companies were named in the FBI memo.

Should the link between the two attacks prove to involve the same malware and emanate from China, the country’s intelligence services will hold 78.8 million records from Anthem and an estimated 32 million government records, the latter including security clearance information on 30 million individuals and financial information on 2 million people.

As Steve Ragan of CSO pointed out, if China was behind the attack, the information would not have been stolen for financial reasons but for espionage. Worse still, while millions of records have been stolen, it is conceivable that some extra records were added to the database. With 34 million other records to hide amongst, and given that the data came from multiple government departments, those new records could be almost impossible to spot.

Who is to Blame for the Cybersecurity Attacks?

The finger of blame is being pointed across the Pacific, but underfunding of IT equipment, software, and security defenses is the real cause of the breach. The hackers were also able to access the data for a long period before detection. Government agencies fine HIPAA-covered entities for lacking the technical safeguards needed to protect data; it is important that those departments also ensure their own data is secure.

Unfortunately, even with additional funding, the scale of the security problem means it will take a long time for the government to address all security vulnerabilities, and in the meantime, data will be susceptible to further attacks.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
