It’s been almost a month since the OPM breach, and there’s been much speculation and leaks pointing to the details of the attack. Here is a recap of released information so far:
June 4, 2015 – OPM announces they’ve been breached.
June 8, 2015 – Guidance Software announces that EnCase® was used in OPM’s investigation. I am quoted by SC Magazine, hinting that the PlugX Remote Access Trojan (RAT) was utilized by OPM’s attackers.
June 15, 2015 – ThreatConnect notices malware submitted to VirusTotal used fake OPM domain names, and was submitted around the time of a prior 2014 OPM breach. ThreatConnect theorizes that “Destroy RAT aka Sogu,” also named PlugX in some threat intelligence databases, was used in this latest OPM attack.
June 18, 2015 – Ellen Nakashima comments in a Washington Post blog that the “malware OPM discovered was a never-before-seen variant of the malware known as PlugX.”
June 27, 2015 – USA Today reports that the breach started with a stolen credential used by KeyPoint Government Solutions, a Colorado-based contractor that OPM uses to conduct background investigations.
June 29, 2015 – FCW notices that the day after the OPM disclosure, an FBI flash alert detailed an unnamed agency breach, and that threat actors have been observed using four RATs: Sakula, FF RAT, Trojan.IsSpace and Trojan.BLT. FCW speculates that the FBI is referring to OPM. Note that Sakula is also mentioned in the June 15th ThreatConnect report. Similar to the PlugX variants highlighted by ThreatConnect, Sakula was custom built to use fake OPM domain names.
July 8, 2015 – U.S. Homeland Security Chief makes a vague claim to have narrowed down OPM’s attackers. Note this information is exclusively released on Voice of America, the little-known US state-run media outlet.
As a matter of national security, it is conceivable we may never learn the details of the malware used against OPM. In any case, all the breadcrumbs point to two RATs: PlugX and Sakula, both seemingly built by Chinese authors specifically to target OPM.
Comments? I welcome discussion in the section below.