A 36-year-old Chinese national was arrested in Los Angeles this week in connection with a computer hacking conspiracy involving malware linked to the 2014 US Office of Personnel Management (OPM) data breach.
Yu Pingan of Shanghai, China, was arrested on Wednesday while travelling at Los Angeles International Airport. Also identified by the hacker pseudonym "GoldSun", Yu has been charged under the Computer Fraud and Abuse Act and is further accused of conspiracy to commit offence or defraud the United States.
According to an August 21 indictment, filed in the US District Court for the Southern District of California, Yu collaborated with others, including two unnamed individuals who have not been charged, to acquire and use malware to facilitate cyberattacks against at least four unnamed US companies. The incitement was accompanied by an affidavit signed by an agent assigned to a cybercrime squad at the FBI San Diego Field Office.
The FBI has identified Yu's co-conspirators as living in the People's Republic of China. A spokesperson for the agency could not be immediately reached for a comment.
In a timeline laid out in the indictment, Yu is accused of discussing the installation of a remote access Trojan, or RAT, first at an unidentified company in June 2011. Roughly a year later, a conspirator allegedly installed malicious files on the network of a San Diego-based company. The same company was allegedly attacked again on or before 3 December 2013.
A second company, based in Massachusetts, was allegedly attacked using malware known as Sakula, which multiple security firms have tied to the OPM attack — a data breach that involved records of millions of US citizens who had undergone security clearance checks. China's involvement was suspected by US authorities, according to Washington Post sources at the time, though attribution was never officially described by the Obama administration.
Chinese authorities have denied any involvement in the OPM attack. "The Chinese government takes resolute strong measures against any kind of hacking attack," China's Foreign Ministry told Reuters in 2015. "We oppose baseless insinuations against China."
Sakula was also used in the 2015 Anthem data breach, which involved the potential theft of roughly 80 million individuals' personal medical records. Independent investigators concluded with medium confidence earlier this year that the Anthem attack was likely carried out on behalf of a foreign government. However, so far Anthem has not be cited in connection with Yu's arrest.
A third company based in Los Angeles is also said to have been breached by Yu's co-conspirators in December 2012. The attackers allegedly took advantage of a then-unknown vulnerability in Microsoft's Internet Explorer which allowed for remote code execution and injection of the Sakula malware. Yan was allegedly linked to the then-rare malware variant Sakula through emails obtained by federal agents.
Sakula is also a known tool of China-based advanced persistent threat nicknamed Deep Panda, or APT 19, which has been linked by security researchers to both the OPM and Anthem attacks.
A fourth company, based in Arizona, was also allegedly attacked by two unnamed and unindicted co-conspirators. Seized communications show that Yan provided one of the co-conspirators malicious software as early as April 2011, according to this week's indictment. The communications also allegedly show that Yan informed the second co-conspirator of an exploit for Adobe's Flash software.
Later in 2011, Yan allegedly indicated via FBI-seized communications that he had "compromised the legitimate Korean Microsoft domain used to download software updates for Microsoft products", and further indicated the hacked site could be used to launch phishing attacks.
According to CNN, Yan was arrested after entering the US on Wednesday to attend a conference.