What Hit OPM? What We Know So Far

Paul Shomo

It’s been almost a month since the OPM breach, and there has been much speculation, along with leaks pointing to the details of the attack. Here is a recap of the information released so far:

June 4, 2015 - OPM announces they’ve been breached.

June 8, 2015 - Guidance Software announces that EnCase® was used in OPM’s investigation. I am quoted by SC Magazine, hinting that the PlugX Remote Access Trojan (RAT) was utilized by OPM’s attackers. 

June 15, 2015 - ThreatConnect notices malware submitted to VirusTotal used fake OPM domain names, and was submitted around the time of a prior 2014 OPM breach. ThreatConnect theorizes that “Destroy RAT aka Sogu,” also named PlugX in some threat intelligence databases, was used in this latest OPM attack.

June 18, 2015 - Ellen Nakashima comments in a Washington Post blog that the “malware OPM discovered was a never-before-seen variant of the malware known as PlugX.”

June 27, 2015 – USA Today reports that the breach started with a stolen credential used by KeyPoint Government Solutions, a Colorado-based contractor that OPM uses to conduct background investigations.

June 29, 2015 – FCW notices that the day after the OPM disclosure, an FBI flash alert detailed an unnamed agency breach, and that threat actors have been observed using four RATs: Sakula, FF RAT, Trojan.IsSpace and Trojan.BLT. FCW speculates that the FBI is referring to OPM. Note that Sakula is also mentioned in the June 15th ThreatConnect report. Similar to the PlugX variants highlighted by ThreatConnect, Sakula was custom built to use fake OPM domain names.

July 8, 2015 – The U.S. Homeland Security Chief makes a vague claim to have narrowed down OPM’s attackers. Note that this information is released exclusively on Voice of America, the little-known US state-run media outlet.

As a matter of national security, it is conceivable we may never learn the details of the malware used against OPM. In any case, all the breadcrumbs point to two RATs: PlugX and Sakula, both seemingly built by Chinese authors specifically to target OPM. 

Comments? I welcome discussion in the section below.
