What Hit OPM? What We Know So Far
Security | Jul 9, 2015
It has been just over a month since OPM disclosed its breach, and there has been a great deal of speculation, along with several leaks, pointing to the details of the attack. Here is a recap of the information released so far:
June 4, 2015 - OPM announces that it has been breached.
June 8, 2015 - Guidance Software announces that EnCase® was used in OPM's investigation. I am quoted by SC Magazine hinting that the PlugX Remote Access Trojan (RAT) was used by OPM's attackers.
June 15, 2015 - ThreatConnect notes that malware samples submitted to VirusTotal used fake OPM domain names, and that they were submitted around the time of a prior 2014 OPM breach. ThreatConnect theorizes that "Destroy RAT aka Sogu," also named PlugX in some threat intelligence databases, was used in this latest OPM attack.
June 18, 2015 - Ellen Nakashima comments in a Washington Post blog that the "malware OPM discovered was a never-before-seen variant of the malware known as PlugX."
June 27, 2015 - USA Today reports that the breach started with a stolen credential belonging to KeyPoint Government Solutions, a Colorado-based contractor that OPM uses to conduct background investigations.
June 29, 2015 - FCW notices that, the day after the OPM disclosure, an FBI flash alert detailed a breach of an unnamed agency, and that the threat actors had been observed using four RATs: Sakula, FF RAT, Trojan.IsSpace and Trojan.BLT. FCW speculates that the FBI is referring to OPM. Note that Sakula is also mentioned in the June 15th ThreatConnect report. Like the PlugX variants highlighted by ThreatConnect, the Sakula sample was custom built to use fake OPM domain names.
July 8, 2015 - The U.S. Homeland Security Chief makes a vague claim to have narrowed down OPM's attackers. Note that this information is released exclusively on Voice of America, the little-known US state run
As a matter of national security, it is conceivable that we may never learn the details of the malware used against OPM. In any case, all the breadcrumbs point to two RATs, PlugX and Sakula, both of which appear to have been built by Chinese authors specifically to target OPM. What ties these particular samples to OPM is not the malware families themselves but the fake OPM domain names hard-coded into them for command and control.
Comments? I welcome discussion in the section below.