U.S. officials suspect that a group of Chinese hackers are responsible for stealing information about U.S. government employees.
However, according to sources cited by Reuters, the group is different to China’s military hackers that have previously been accused of other data breaches. It is thought that the second group varies in its mission and organizational structure.
Hacking group not associated with PLA
The report cites two people close to the U.S. investigation, who claimed that hackers from China’s People’s Liberation Army have been known to pursue defense and trade secrets, whereas the other group targeted information which could benefit Chinese counter-intelligence and internal stability.
Although U.S. officials have stopped short of publicly accusing Beijing of attacking the U.S. Department of Homeland Security’s Office of Personnel Management (OPM), China is the primary suspect. For its part Beijing says that any accusations to that effect are “irresponsible and unscientific.”
Sources claim that the hackers took remote control of computers using a tool known as Sakula, which was previously employed in a 2014 data breach at Anthem Inc, a U.S. health insurer.
Security researchers have linked that attack to China’s Ministry of State Security, which works to maintain government stability, improve counter-intelligence and control dissidents.
Rare tools used by select China’s hacking groups
It is also thought that the hackers set up a fake website in order to try and record names and passwords. OPM-Learning.org was set up in attempt to gather information in the same way that hackers used We11point.com to access Anthem customer data. Anthem was previously known as Wellpoint.
Hackers stole security certificates from Korean software company DTOPTOOLZ Co in order to pass their malware off as harmless. The company claimed to have nothing to do with the breaches.
Sources close to the investigation claimed that Sakula had previously only been used by selected Chinese hacking teams, but Beijing denied any involvement.
“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”
Security experts divided over hacking group
Of the cyber attacks which experts say have originated in China, most have been blamed on the Chinese Army. In a high-profile case two years ago, 5 PLA officers were convicted for economic espionage by the U.S. Justice Department.
This latest group are far more mysterious, and security researchers are divided as to its size and capabilities. Those investigating the OPM breach believe that the same group was responsible for hacking Anthem and other insurance companies, but they are not sure which section of the Chinese government they work for.
“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc. However other security companies such as CrowdStrike believe that the Anthem hackers also targeted defense and trade information.
The companies have given different names to the hacking group, with CrowdStrike calling it “Deep Panda,” while EMC Corp’s RSA security division named it “Shell Crew.”
Among the information stolen during the OPM breach were security clearance forms which contain information on past drug use, love affairs and foreign contacts which authorities believe may be used for blackmail or recruiting.
Investigation still underway
CrowdStrike co-founder Dmitri Alperovitch believes that “Deep Panda” is working for the Ministry of State Security, and it could be looking for information about U.S. spies in China. The group has also been monitoring pro-democracy activists in Hong Kong.
One ThreatConnect executive believes that the differing opinions of security companies could show that the group has a different structure than more formal military hacking units.
“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect. He believes that the group may get software and other resources from the same supplier.
“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group,” he added.
Security companies appear to be fairly certain that the OPM hack was carried out by hackers in China, working for an institution that is not the People’s Liberation Army. Beyond that uncertainties remain as to the aims and structure of the group, but it certainly provides further evidence of the sophistication of China’s cyber warfare capabilities.
Cyber security will form part of high-level talks between the U.S. and China which are due to take place in Washington D.C. next week. U.S. officials have reiterated their desire to maintain dialogue with China, but it is becoming increasingly apparent that when it comes to cyber warfare things are not always as Beijing claims they are.