FBI Alert Suggests OPM/Anthem Malware Link

The recently discovered data breach at the Office of Personnel Management (OPM) appears to have sparked an FBI alert (FBI memo: A-000061, issued June 5, 2015, according to CSO) over a particularly nasty strain of malware called Sakula.

Healthcare Organizations under Threat from Sakula Malware


The Sakula malware strain is a RAT, or Remote Access Trojan, which once installed on a host’s computer, will allow hackers to make changes to the system, download other files or do what they want. The malware is often unwittingly downloaded via infected websites and popups or installed via infected email attachments.

The FBI Memo warns that:

“Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim including using credentials acquired during previous intrusions.”


Sakula Linked to Anthem and OPM Data Breaches


The timing of the FBI high confidence alert may be a coincidence, although given recent events this appears unlikely. The FBI memo details 312 hashes of the Sakula malware from a number of recent attacks; although the FBI did not confirm the source of the malware nor did the memo mention Anthem or the OPM.

Anthem has not disclosed the exact strain of malware responsible for its 78.8 million record data breach, and has only said it was malware related and was a highly sophisticated hacking campaign. The hackers gained access using a (spear) phishing campaign which allowed them to compromise user accounts.

Sakula was identified as a likely candidate for the cyberattack on Anthem by ThreatConnect via its Threat Intelligence Platform (TIP). The company’s software engineers determined the malware was using a stolen digital signature from DTOPTOOLZ Co., a Korean software company. The malware had been configured to send and receive data from two command and control (C2) domains and had been configured to communicate with extcitrix.we11point [.] com and www.we11point [.] com.”

According to Reuters, which has been contacted by (anonymous) sources, a number of domains were used by the persons behind the Sakula attacks, one of which was “www.OPM-Learning [.]org .“

Evidence of Sakula Link Mounts


The Deep Panda campaign and the start of the OPM breach occurred in the same month and Sakula was used on Deep Panda. It has been proposed that the malware was also used to gain access to OPM data. Reuters has spoken to a number of sources that believe that the OPM and Anthem data breaches are linked.

It is all supposition, as neither Anthem, the OPM nor the FBI have confirmed the exact details of the attacks, and no companies were named in the FBI memo.

Should the link between the two attacks prove to involve the same malware and emanate from China, the country’s intelligence services will have 78.8 million records from Anthem, and – currently estimated to be – 32 million government records, the latter include security clearance information on 30 million individuals and financial information of 2 million people.

As was pointed out by Steve Ragan of CSO, if China was behind the attack the information would not have been stolen for financial reasons, but for espionage. Worse still, while millions of records have been stolen, it is conceivable that some extra records were added to the database. With 34 million other records to hide amongst, and the fact the data came from multiple government departments, those new records could be almost impossible to spot.

Who is to Blame for the Cybersecurity Attacks


The finger of blame is being pointed across the Pacific, but it is underfunding of IT equipment, software and security defenses that is the real cause of the breach. The hackers were also able to access the data for a long period of time before detection. Government agencies fine HIPAA-covered entities for lacking the technical safeguards to protect data. It is important those departments also ensure their own data is secure.

Unfortunately even with additional funding, the scale of the security problem means it will take a long time for the government to address all security vulnerabilities, and in the meantime, data will be susceptible to further attacks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.