Chinese National Arrested for Distributing Malware Used in OPM Hack


A 36-year-old Chinese national named Yu Pingan was arrested at the Los Angeles airport on Monday for distributing the type of malware that was used in the raid on the U.S. Office of Personnel Management in 2014 and 2015.

Engadget explains that Yu, who hails from Shanghai and uses the online alias “GoldSun,” flew to L.A. to attend a conference. He was arrested by the FBI on charges under the Computer Fraud and Abuse Act and of conspiracy to defraud the United States.

The OPM connection is a piece of malware called Sakula, which Yu sells from his website. Sakula is believed to be the virus that was employed to penetrate the OPM system, giving hackers access to extensive personal data on 21.5 million current and former government employees and contractors.

The FBI charged Yu with participating in cyber attacks on four American companies, beginning in 2011. Some of these attacks involved strains of the Sakula computer virus.

“Sakula is also a known tool of China-based advanced persistent threat nicknamed Deep Panda, or APT 19, which has been linked by security researchers to both the OPM and Anthem attacks,” Gizmodo reports.

A variant of Sakula malware was also used in the data breach of the Anthem health insurance firm in 2015. Yu has not yet been formally charged in connection with that attack. In fact, the legal complaint against Yu does not specifically mention the Office of Personnel Management, either. Nearly every media account of his arrest mentions the OPM hack because Sakula is a fairly uncommon malware program, and hacking charges are not often leveled against Chinese nationals.

The New York Times notes that the last high-profile indictment of Chinese nationals occurred when the Justice Department brought charges against five members of a People’s Liberation Army cyberwarfare unit in 2014. None of those individuals has ever been handed over by the Chinese government to stand trial.

Gizmodo also notes that Yu claims to have compromised the domain used to distribute software updates for Microsoft products in Korea in 2011, which might make him a person of interest in a number of other cases.

The FBI charging document makes it clear that Yu’s unnamed and unindicted co-conspirators in the corporate data raids were located in the PRC, the People’s Republic of China.
