The OPM Hack: I Smell a RAT

Paul Shomo

In the wake of the OPM hack, where reports suggest that millions of security clearance records headed directly to Chinese intelligence units, let’s talk about remote administrator tools (RATs). These tools are commonly used in this type of attack, so we'll walk through a common methodology for identifying unknown RATs.

In the broadest sense, RATs are used to remotely access and control computers. System administrators often use these tools for good, but black hats develop specialized RATs that infect, hide, and act as back doors.

Malicious RATs like PlugX, Gh0st, Korplug, Gulpix, Sogu, Thoper, and Destory can be built as zero day attacks that avoid signature detection. The Gh0st RAT user interface (UI), shown below, gives some insight into how easily hackers can build zero day variants to infect sensitive machines. Once infected, command-and-control can be established from anywhere on the internet, with traffic re-routed through servers to avoid identification of the true perpetrator.

The OPM Breach: What Went Right

Michael Harris

Today the national and federal press announced a “massive” breach of federal personnel data housed at the Office of Personnel Management (OPM) within the Department of Homeland Security (DHS). Following an earlier breach discovered in March 2014, the breach is said to have exposed the personally identifiable information (PII) of up to four million federal employees. The Washington Post reported that U.S. officials suspect the Chinese government to be behind the attack, which represents “the second significant foreign breach into U.S. government networks in recent months.”

CEIC 2015 Highlights: Thwarting Malware, FRCP Rules Changes, Corporate Cyberbullying, Collaborating for the Win


CEIC® 2015 began with a one-day CISO/CLO Summit that gathered security and legal chiefs to collaborate on emerging best practices in defending the enterprise, as well as an energetic CEIC welcome keynote from our president and CEO Patrick Dennis and Roger Angarita, our head of product development. Patrick talked about how the legal, security, and forensic investigation communities are blending together, both to collaborate and even to expand their own professional areas of responsibility. Our data is converging—and so are our professions—which is good news, since as we collaborate, we are turning the tide in the defense of our organizations, our citizens, and our economies.

Security and IR Labs at CEIC Focus on Advanced Malware and Attack Analysis

CEIC 2015 is just a few weeks away and we’re excited to meet with you face-to-face on the show floor and in the conference sessions earmarked for cybersecurity and incident response professionals. If your cybersecurity journey seems to grow more complicated with each passing CEIC event, this is the year you won’t want to miss.

Incident response as a discipline is still largely misunderstood and under-implemented, mainly because enterprises struggle to understand the changing security landscape and the need to be prepared for the inevitable cyber attack. To help you better understand these changes, we've developed new sessions and labs for CEIC 2015 to help you take incident response to the next level.

Why Financial, Retail, and Healthcare Professionals Should Reserve a Seat at a CEIC 2015 Roundtable


By now, you may have heard about our new CEIC industry roundtable sessions for professionals in retail, finance, and healthcare. These focused, media-free sessions provide a forum for security and e-discovery specialists to discuss current trends and challenges that affect their work on a daily basis. First you've heard of our roundtables? Take a look at our previous post.

So why should you spend valuable CEIC time on a roundtable? Here are the three most compelling reasons.