OPM hackers infiltrated in summer 2014 using Sakula malware.

OPM Hackers Used Rare, Recognizable Malware to Infiltrate

Future Tense
The Citizen's Guide to the Future
June 19 2015 6:38 PM

The Office of Personnel Management headquarters on June 5, 2015, in Washington, D.C.

Photo by Mark Wilson/Getty Images

The Office of Personnel Management hack affects most past and present federal employees, and the search to find out what happened is turning up increasingly unfortunate details.

As ABC News reported last week and the Washington Post confirms, the breach actually occurred a year ago in June or July 2014, giving the hackers ample time to probe the network and collect data.

Stewart Baker, a former National Security Agency general counsel, told the Post, “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”

And though the government is still not making public statements about a suspect, official sources are consistently providing anonymous reports that the Chinese government is thought to be behind the hack. Reuters reports, though, that the OPM hack doesn't seem to have been carried out by the arm of the Chinese government hacking operation that conducts its cyberattacks for trade secrets or defense details. This department is organized differently and seems to be looking for counter-intelligence ammunition.

Reuters' sources confirm rumors that the group is the same one that hacked health insurance company Anthem. They say that the hackers used a rare type of malware called Sakula, which was also used in the Anthem breach. There are other similarities, too. The hackers seem to have registered "OPM-Learning.org" as a decoy site for tricking OPM employees into entering their credentials. The Anthem hackers used a similar tactic, registering "We11point.com" because Anthem used to be called Wellpoint. Finally, both hacks employed software signed with a certificate stolen from Korean software company DTOPTOOLZ Co.
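The decoy domains described above ("OPM-Learning.org", "We11point.com") are the kind of thing a defender can triage automatically. The following is an added example, not code from the article or from any investigation it cites: it flags newly observed domains that imitate a protected brand by digit-for-letter substitution, by embedding the brand as a hyphenated token, or by a one-character edit. The domain list and brand list are constructed for illustration.

```python
# Lookalike-domain triage for brand-impersonation phishing.
# Added example; the sample inputs below are constructed, not a real feed.

# Substitutions commonly used to make a decoy label read like the real name.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"}


def normalize(label: str) -> str:
    """Map digit lookalikes back to the letters they imitate."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_lookalikes(domains, brands, max_distance=1):
    """Return (domain, brand, reason) for each domain that imitates a brand.

    Assumes a single-label TLD (example.com). A label that exactly equals the
    brand is treated as the legitimate site and left to an allowlist.
    """
    hits = []
    for domain in domains:
        sld = domain.lower().split(".")[0]  # registrable label only
        norm = normalize(sld)
        for brand in brands:
            b = brand.lower()
            if sld == b:
                continue
            if norm == b:
                reason = "homoglyph"        # We11point -> wellpoint
            elif b in sld.split("-"):
                reason = "brand-token"      # opm-learning
            elif levenshtein(norm, b) <= max_distance:
                reason = "edit-distance"    # wellpoirt
            else:
                continue
            hits.append((domain, brand, reason))
    return hits


SAMPLE_DOMAINS = ["OPM-Learning.org", "We11point.com", "wellpoirt.com",
                  "wellpoint.com", "example.com"]
PROTECTED_BRANDS = ["opm", "wellpoint"]

if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_DOMAINS, PROTECTED_BRANDS):
        print("%s imitates %s (%s)" % hit)
```

In practice the domain feed would come from certificate-transparency logs or new-registration data, and "brand-token" matches on short brand names need an allowlist to keep the false-positive rate manageable.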

It's a lot to investigate, but with millions of people's identities compromised by the breach, it's crucial to get more answers about what happened. And members of Congress probably aren’t joking around when they demand answers—because it seems that their data may have been compromised by the hack, too.

Future Tense is a partnership of Slate, New America, and Arizona State University.