Technical forensics of OPM hack reveal PLA links to cyber attacks targeting Americans

By Bill Gertz 
New details emerged this week linking Chinese military intelligence to the clandestine collection of personal data on millions of Americans. 
Forensic analysis of the malware and tactics used in the theft of personal records of 4 million government workers revealed that one or two groups of Chinese hackers were involved in the cyber attack, including the Chinese government-led group called Deep Panda. 
Deep Panda hackers are believed to be part of a clandestine People’s Liberation Army hacking unit that was linked to the major hacking operation against U.S. health care provider Anthem. The Blue Cross/Blue Shield insurer suffered a compromise of records on some 80 million customers. That attack was discovered in April 2014. 
In addition to the hack of the Office of Personnel Management (OPM), which was discovered in April, China also recently conducted cyber attacks against a U.S. telecommunications company and an aviation industry firm, according to security sources. 
Investigations of those cyber attacks are ongoing. The second Chinese hacking group was not identified by the sources who spoke to Flash//CRITIC. 
Links to the OPM attack from Deep Panda were discovered through the hackers’ use of software called Sakula, which the group has used in the past, including during the Anthem strike. 
Sakula is a Remote Access Tool, or RAT, that relies on stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces. 
The domain names used by the hackers in the OPM attack included and 
Another method used by the Chinese in the OPM data breach was Mimikatz, software that allows remote users to learn network administrator log-in credentials through a relatively simple process. 
“Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda,” said a security analyst familiar with details of the attack. “This allows the actors to dump password hashes, perform pass the hash and ‘golden ticket’ attacks in the victim environment.” 
The OPM hack involved the compromise of administrator-level access that allowed the hackers to download information, and potentially to alter or corrupt data within the system. 
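The "golden ticket" technique the analyst describes leaves a detectable trace on the domain controllers: a forged ticket-granting ticket is never issued by a DC, so service-ticket requests appear for an account with no preceding TGT request. The following is an added detection example, not code from the article or from any tool named in it; the event format and sample log lines are constructed for illustration, and the 10-hour lifetime is an assumed default.

```python
# Added example (not from the article): a minimal Kerberos golden-ticket heuristic.
# A forged TGT is never issued by a domain controller, so the forging host presents
# service-ticket requests (event 4769) without any preceding TGT request (event 4768)
# from the same account and client address within the ticket lifetime window.
# Event fields and sample lines below are constructed for illustration.
import json
from datetime import datetime, timedelta

# Constructed sample of domain-controller security events (not real OPM data).
SAMPLE_EVENTS = [
    '{"ts":"2015-06-01T09:00:00","id":4768,"user":"jdoe","client":"10.0.0.21"}',
    '{"ts":"2015-06-01T09:00:02","id":4769,"user":"jdoe","client":"10.0.0.21","service":"cifs/fileserver"}',
    '{"ts":"2015-06-01T11:30:00","id":4769,"user":"administrator","client":"10.0.0.99","service":"ldap/dc01"}',
    '{"ts":"2015-06-01T11:30:05","id":4769,"user":"administrator","client":"10.0.0.99","service":"cifs/hr-share"}',
]

MAX_TGT_LIFETIME = timedelta(hours=10)  # assumed default domain TGT lifetime

def parse_events(lines):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_orphan_service_tickets(lines, max_lifetime=MAX_TGT_LIFETIME):
    """Return (user, client, service) for each 4769 event that has no 4768 for the
    same user and client within max_lifetime beforehand: a signal of a forged TGT."""
    last_tgt = {}  # (user, client) -> time of the most recent observed TGT request
    findings = []
    for ev in parse_events(lines):
        key = (ev["user"].lower(), ev["client"])
        if ev["id"] == 4768:
            last_tgt[key] = ev["ts"]
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or ev["ts"] - issued > max_lifetime:
                findings.append((ev["user"], ev["client"], ev["service"]))
    return findings

if __name__ == "__main__":
    for user, client, service in find_orphan_service_tickets(SAMPLE_EVENTS):
        print(f"possible forged TGT: {user}@{client} requested {service} with no prior TGT")
```

The heuristic only holds when events from every domain controller are merged, since a TGT issued by one DC and a service ticket requested from another produces the same gap; a DC log that starts mid-lifetime will also produce false positives until the window has elapsed.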
The security firm CrowdStrike, which gave Deep Panda its name after the company’s researchers discovered the hacking, has called the group among the most sophisticated state-sponsored cyber intrusion entities.
China’s main military intelligence services that have been linked to cyber attacks include the Third Department of the General Staff, or 3PLA, which conducts cyber warfare, and the Second Department, or 2PLA, which is the main military spy agency. 
The OPM said in a statement it will begin notifying federal employees June 8 that their personal data was compromised. The office also urged workers to monitor credit cards to prevent identity theft. 
The OPM hack is the latest Chinese operation highlighting what analysts say is a relentless cyber warfare campaign against the United States that has been underway for at least a decade. 
Critics say that campaign has met with little or no resistance from the Obama administration.
U.S. Cyber Command leader Adm. Mike Rogers said recently that the administration’s approach to the threat posed by cyber attacks, which emphasizes passive defenses and legal remedies, was not working. 
Rogers has advocated a more proactive policy designed to deter adversaries like China by conducting offensive cyber attacks that demonstrate U.S. cyber warfare capabilities. 
The United States needs “to think about how can we increase our capacity on the offensive side here, to get to that point of deterrence,” Rogers told the Senate Armed Services Committee in March. 
The White House, however, is opposing more muscular cyber responses amid fears the aggressive posture will lead to escalating counter attacks, including major infrastructure cyber attacks. 
The OPM hack was discovered using a relatively new software intrusion detection system known as EINSTEIN, developed by the US Computer Emergency Readiness Team, part of the Department of Homeland Security. 
OPM networks used EINSTEIN 2, which is capable of monitoring for unusual remote activity. 

— June 7, 2015