(Corrects timing of the Anthem breach in fourth paragraph,
By Joseph Menn
SAN FRANCISCO, June 19 - The Chinese hacking group
suspected of stealing sensitive information about millions of
current and former U.S. government employees has a different
mission and organizational structure than the military hackers
who have been accused of other U.S. data breaches, according to
people familiar with the matter.
While the Chinese People's Liberation Army typically goes
after defense and trade secrets, this hacking group has
repeatedly accessed data that could be useful to Chinese
counter-intelligence and internal stability, said two people
close to the U.S. investigation.
Washington has not publicly accused Beijing of orchestrating
the data breach at the U.S. Office of Personnel Management
(OPM), and China has dismissed as "irresponsible and
unscientific" any suggestion that it was behind the attack.
Sources told Reuters that the hackers employed a rare tool
to take remote control of computers, dubbed Sakula, that was
also used in the data breach at U.S. health insurer Anthem Inc
disclosed this year.
The Anthem attack, in turn, has been tied to a group that
security researchers said is affiliated with China's Ministry of
State Security, which is focused on government stability,
counter-intelligence and dissidents. The ministry could not
immediately be reached for comment.
In addition, U.S. investigators believe the hackers
registered the deceptively named OPM-Learning.org website to try
to capture employee names and passwords, in the same way that
Anthem, formerly known as Wellpoint, was subverted with spurious
websites such as We11point.com, which used the number "1"
instead of the letter "l".
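The two lookalike domains described above (a brand name with an extra word attached, and a brand name with the digit "1" swapped for the letter "l") are the kind of registrations a defender can flag automatically by watching newly observed domains. The following is an added example written for this page, not code from Reuters, ThreatConnect or any company named here. It assumes a constructed brand list, a constructed allowlist of the organisations' legitimate domains and a constructed feed of observed domain names; the "registrable label" helper is a simplification that takes the second-to-last label and ignores multi-part public suffixes such as co.uk.

```python
"""Flag domains that impersonate a protected brand through confusable characters,
brand-plus-extra-word registrations, or a genuine brand name in an unexpected TLD."""
import re
from collections import namedtuple

# Single characters that render similarly to letters in many fonts
# (this is an assumed, deliberately small table; extend it for your own fonts).
SINGLE_CONFUSABLES = str.maketrans(
    {"1": "l", "|": "l", "!": "l", "0": "o", "3": "e", "5": "s"}
)
# Two-character sequences that read as one letter.
DIGRAPH_CONFUSABLES = [("rn", "m"), ("vv", "w")]

# Minimum brand length for the plain-substring rule; short brands such as "opm"
# would match far too many benign names, so they rely on the token rule instead.
MIN_SUBSTRING_BRAND_LEN = 5

Finding = namedtuple("Finding", "domain brand reason")


def skeleton(label: str) -> str:
    """Collapse confusables so 'we11point' and 'wellpoint' compare equal."""
    s = label.lower().translate(SINGLE_CONFUSABLES)
    for src, dst in DIGRAPH_CONFUSABLES:
        s = s.replace(src, dst)
    return s


def registrable_label(domain: str) -> str:
    """Return the second-level label: 'we11point.com' -> 'we11point'.
    Simplified: does not understand multi-part suffixes like co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain, brands, allowlist=()):
    """Return a Finding if the domain impersonates one of the brands, else None."""
    if domain.lower() in allowlist:
        return None
    label = registrable_label(domain)
    tokens = re.split(r"[-_]", label)
    for brand in brands:
        b = brand.lower()
        if label == b:
            # Exact brand label, but the full domain is not on the allowlist.
            return Finding(domain, brand, "brand in unexpected TLD")
        if skeleton(label) == skeleton(b):
            return Finding(domain, brand, "confusable characters")
        if b in tokens:
            # e.g. opm-learning.org: brand plus an added word, separated by a hyphen.
            return Finding(domain, brand, "brand token with extra words")
        if len(b) >= MIN_SUBSTRING_BRAND_LEN and b in label:
            return Finding(domain, brand, "brand embedded in label")
    return None


def scan(domains, brands, allowlist=()):
    """Run check_domain over a feed of observed domains and keep the hits."""
    return [f for f in (check_domain(d, brands, allowlist) for d in domains) if f]


# Constructed configuration for the demonstration (assumed, not from the article).
BRANDS = ["wellpoint", "anthem", "opm"]
ALLOWLIST = {"wellpoint.com", "anthem.com", "opm.gov"}

# Constructed sample feed of newly observed domains. The first two are the
# registrations named in the article; the others are benign fillers, including
# 'reopmodel.com', which contains 'opm' by coincidence and must not be flagged.
SAMPLE_DOMAINS = [
    "we11point.com",
    "opm-learning.org",
    "anthem.com",
    "example.org",
    "wellpoint.net",
    "reopmodel.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS, BRANDS, ALLOWLIST):
        print(f"{finding.domain:20} impersonates {finding.brand:10} ({finding.reason})")
```

Running the block reports we11point.com (confusable characters), opm-learning.org (brand token) and wellpoint.net (brand in an unexpected TLD) while leaving the benign names alone; in practice the feed would come from certificate-transparency logs or passive DNS, and hits would go to a blocklist or an analyst queue rather than straight to enforcement.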
Both the Anthem and OPM breaches used malicious software
electronically signed as safe with a certificate stolen from
DTOPTOOLZ Co, a Korean software company, the people close to the
inquiry said. DTOPTOOLZ said it had no involvement in the data
breaches.
The FBI did not respond to requests for comment. People
familiar with its investigation said Sakula had only been seen
in use by a small number of Chinese hacking teams.
"Chinese law prohibits hacking attacks and other such
behaviors which damage Internet security," China's Foreign
Ministry said in a statement. "The Chinese government takes
resolute strong measures against any kind of hacking attack. We
oppose baseless insinuations against China."
MANY UNKNOWNS
Most of the biggest U.S. cyber attacks blamed on China have
been attributed, with varying degrees of certitude, to elements
of the Chinese army. In the most dramatic case last year, the
U.S. Justice Department indicted five PLA officers for alleged
economic espionage.
Far less is known about the OPM hackers, and security
researchers have differing views about the size of the group and
what other attacks it is responsible for.
People close to the OPM investigation said the same group
was behind Anthem and other insurance breaches. But they are not
yet sure which part of the Chinese government is responsible.
"We are seeing a group that is only targeting personal
information," said Laura Galante, manager of threat intelligence
at FireEye Inc, which has worked on a number of the
high-profile network intrusions.
CrowdStrike and other security companies, however, say the
Anthem hackers also engaged in stealing defense and industry
trade secrets. CrowdStrike calls the group "Deep Panda," EMC
Corp's RSA security division dubs it "Shell Crew," and
other firms have picked different names.
The OPM breach gave hackers access to U.S. government job
applicants' security clearance forms detailing past drug use,
love affairs, and foreign contacts that officials fear could be
used for blackmail or recruiting.
In contrast to hacking outfits associated with the Chinese
army, "Deep Panda" appears to be affiliated with the Ministry of
State Security, said CrowdStrike co-founder Dmitri Alperovitch.
Information about U.S. spies in China would logically be a
top priority for the ministry, Alperovitch said, adding that
"Deep Panda's" tools and techniques have also been used to
monitor democracy protesters in Hong Kong.
An executive at one of the first companies to connect the
Anthem and OPM compromises, ThreatConnect, said the
disagreements about the boundaries of "Deep Panda" could reflect
a different structure than that in top-down military units.
"We think it's likely a cohort of Chinese actors, a bunch of
mini-groups that are handled by one main benefactor," said Rich
Barger, co-founder of ThreatConnect, adding that the group could
get software tools and other resources from a common supplier.
"We think this series of activity over time is a little more
distributed, and that is why there is not a broad consensus as
to the beginning and end of this group."
(Reporting by Joseph Menn in San Francisco; Additional
reporting by Jeremy Wagstaff in Singapore, and Ben Blanchard and
Paul Carsten in Beijing; Editing by Tiffany Wu)