Category Archives: Cyber War

POTUS Approves U.S. Troops Sharing Base with Iran

Posted on by

Cant make this up…Iran has been an enemy of the United States for decades and now our uniformed personnel in Iraq are forced to share an air base, Taqqadum, in Anbar. This is not sitting well with one senator and frankly, we should be screaming about it. What is worse, is the Joint Chiefs are apparently cool with it unless there are chairs and tables being thrown about in the halls of the Pentagon?

Monday, June 22, 2015
Washington, D.C.— Senator Tom Cotton (R-Arkansas) today released the following statement in response to reports that the United States is sharing a military base with Iranian forces in Iraq:
“When I was a soldier fighting in Iraq, Iran supplied the most advanced, most lethal roadside bombs used against coalition forces. Many American soldiers lost their lives to Iran’s proxies and Iranian-supplied bombs.  Further, Iran is the leading state sponsor of terrorism and has been attacking the United States for decades. It’s deeply troubling that the President now finds it acceptable to share a military base with this enemy, even while we are attempting to negotiate a deal to keep Iran from obtaining nuclear weapons.
“This report is a stark and nearly absurd demonstration of the Obama administration’s tacit accommodation of Iran’s strategic aim of extending its influence in Iraq.  It echoes the president’s tacit accommodation of Iran’s wish to maintain Bashar al-Assad in Syria and his explicit accommodation of Iran’s nuclear ambitions.”
For background in MILCOM in Iraq and this base, see page 33.

Iran’s Forces and U.S. Share a Base in Iraq

By &

The U.S. military and Iranian-backed Shiite militias are getting closer and closer in Iraq, even sharing a base, while Iran uses those militias to expand its influence in Iraq and fight alongside the Bashar al-Assad regime in neighboring Syria.

Two senior administration officials confirmed to us that U.S. soldiers and Shiite militia groups are both using the Taqqadum military base in Anbar, the same Iraqi base where President Obama is sending an additional 450 U.S. military personnel to help train the local forces fighting against the Islamic State. Some of the Iran-backed Shiite militias at the base have killed American soldiers in the past.

Some inside the Obama administration fear that sharing the base puts U.S. soldiers at risk. The U.S. intelligence community has reported back to Washington that representatives of some of the more extreme militias have been spying on U.S. operations at Taqqadum, one senior administration official told us. That could be calamitous if the fragile relationship between the U.S. military and the Shiite militias comes apart and Iran-backed forces decide to again target U.S. troops.

American critics of this growing cooperation between the U.S. military and the Iranian-backed militias call it a betrayal of the U.S. personnel who fought against the militias during the 10-year U.S. occupation of Iraq.

“It’s an insult to the families of the American soldiers that were wounded and killed in battles in which the Shia militias were the enemy,” Senate Armed Services Chairman John McCain told us. “Now, providing arms to them and supporting them, it’s very hard for those families to understand.”

The U.S. is not directly training Shiite units of what are known as the Popular Mobilization Forces, which include tens of thousands of Iraqis who have volunteered to fight against the Islamic Stateas well as thousands of hardened militants who ultimately answer to militia leaders loyal to Tehran. But the U.S. is flying close air support missions for those forces.

The U.S. gives weapons directly only to the Iraqi government and the Iraqi Security Forces, but the lines between them and the militias are blurry. U.S. weapons often fall into the hands of militias like Iraqi Hezbollah. Sometimes the military cooperation is even more explicit. Commanders of some of the hardline militias sit in on U.S. military briefings on operations that were meant for the government-controlled Iraqi Security Forces, a senior administration official said.

This collaboration with terrorist groups that have killed Americans was seen as unavoidable as the U.S. marshaled Iraqis against the Islamic State, but could prove counterproductive to U.S. interests in the long term, this official said.

The militias comprise largely Shiite volunteers and are headed by the leader of the Iraqi Hezbollah, Abu Mahdi al-Muhandis. Hewas sanctioned in 2009 by the Treasury Department for destabilizing Iraq. Al-Muhandis is a close associate of Qassem Suleimani, the Iranian Quds Force commander, who has snapped selfies with the militia leader at key battles.

Other militias that have participated in the fighting against the Islamic State include the League of the Righteous, which in 2007 carried out a brutal roadside execution of five U.S. soldiers near Karbala. The group to this day boasts of its killing of U.S. soldiers. In an interview in February, a spokesman for the militia defended the killings and said his militia had killed many more American soldiers.

Members of these groups have also been deployed by Iran to defend the Assad regime in neighboring Syria. James Clapper, the director of National Intelligence, confirmed in a June 3 letter to seven Republican senators, which we obtained, that “Iran and Hezbollah have also leveraged allied Iraqi Shiia militant and terrorist groups — which receive training in Iran — to participate in pro-Assad operations.”

The Washington Institute in 2013 identified three militias — the League of the Righteous, Iraqi Hezbollah and Kataib Sayyid al-Shuhada — as sending elite fighters to Syria to fight for Assad.  All three help to lead the popular mobilization committees that fight the Islamic State in Iraq.

These militias also stand accused of gross human rights abuses and battlefield atrocities in Sunni areas where they have fought. The State Department heavily criticized Iran’s support for the Iraqi militias and those militias’ behavior in its annual report on worldwide terrorism, released late last week.

“Despite its pledge to support Iraq’s stabilization, Iran increased training and funding to Iraqi Shia militia groups in response to ISIL’s advance into Iraq. Many of these groups, such as Iraqi Hezbollah, have exacerbated sectarian tensions in Iraq and have committed serious human rights abuses against primarily Sunni civilians,” the State Department reported. “Similar to Hezbollahfighters, many of these trained Shia militants have used these skills to fight for the Assad regime in Syria or against ISIL in Iraq.”

Accounts of the number of Iraqi Shiite fighters at Taqqadum vary. One senior administration official told us there are “only a few” militia representatives at the base, to coordinate with Iraqi Security Forces, while the bulk of the popular mobilization forces are deployed in the field, mostly around Ramadi, which is held by theIslamic State. A different senior administration official told us that there were hundreds of Shiite militia fighters at the base recently and that they flow in and out of the base for operations in the area.

The U.S. government has sought and received formal assurances from the government of Iraq that the Shiite militias on the base would not interfere with American military personnel. Butthere’s widespread skepticism that the politicians in Baghdad exertany real control over the hard-line militias. So far, in the 11 months since U.S. special operations forces have been in Iraq, Iranian supported militias in Iraq and U.S. personnel have not clashed while fighting a common enemy.

“There’s no real command and control from the central government,” one senior administration official said. “Even if these guys don’t attack us … Iran is ushering in a new Hezbollah era in Iraq, and we will have aided and abetted it.”

With the deadline approaching for a nuclear deal that would place up to $150 billion in the hands of Iran, the U.S. is now openly acknowledging in its annual report on international terrorism that Iran is supporting a foreign legion, comprising Afghans, Iraqis and Lebanese fighters, to defend Iranian interests throughout the Middle East.

But the U.S. response to this is inconsistent. In Iraq, America is fighting alongside Iranian-backed militias. In Syria, U.S.-supported forces are fighting against these same militias. The tragedy of this policy is that the Islamic State has been able to hold and expand its territory in Iraq and Syria, while Iran has been able to tighten its grip on Baghdad.

 

NATO Arms up and Putin Pledges Cooperation

Posted on by
  • U.S. paratroopers assault opposing forces during Black Arrow on Rukla training area in Lithuania, May 17, 2014. The exercise focuses on defensive operations and interoperability between the two forces. Lithuanian Defense Ministry photo by Eugenijus ZygaitisDefense Secretary Ash Carter will travel to Germany, Estonia, and Belgium June 21 – 26 for a series of bilateral and multilateral meetings with European defense ministers and to participate in his first NATO Ministerial as secretary of defense.
  • In this important month for the alliance, Carter will hear directly from ministers, defense leaders, and service members about the progress we have made since the Wales Summit to address the new security environment, including the challenges from Russia and NATO’s southern front, and discuss what we must do in the future to enhance the effectiveness of the alliance.

NATO's Response Force and U.K., Swedish, Finnish and U.S. Marines conduct an amphibious assault during exercise Baltic Operations 2015, June 10, 2015. U.S. Marine Corps photo by Sgt. Tatum Vayavananda

For an interactive map of Operation Atlantic Resolve, click here.

 

LUXEMBOURG: The European Union on Monday extended economic sanctions against Russia until January to keep pressure on Moscow over the conflict in eastern Ukraine, drawing a rebuke and a warning of retaliation from Russian officials.

An EU statement said the decision was taken without debate by the bloc’s foreign ministers at a meeting in Luxembourg, in response to “Russia’s destabilizing role in eastern Ukraine.”

The sanctions, along with U.S. and other Western measures against Russia, have contributed to a softening of the Russian economy at a time when the price of oil that is crucial to its economic output also has fallen. The sanctions have also put a pinch on some of Russia’s key EU trading partners.

Then Putin decides to moderate and cooperate?

From IB Times: Russian President Vladimir Putin has stated that Moscow is not averse to economic co-operation with the West despite the sanctions imposed on it over the Ukraine crisis. Mr Putin was addressing the Economic forum in St Petersburg and said Russia’s economy has adapted itself to face the pressures of sanctions. Significantly, Mr Putin avoided the usual anti-Western rhetoric, observers noted.

“The imposition of so-called sanctions has forced us to significantly step up efforts to replace imports with domestic products. We have made serious steps and achieved noticeable results in a number of areas”, said Mr Putin and claimed that economy has “stabilised” and its financial and banking systems are now attuned to the new conditions. He also stressed Russia’s desire to remain a key player in the world economy and desire to work with the west as well as other countries. Noting that Russia is open to the world, Mr Putin said active co-operation with new centres of global growth, implying China, it no way means that “we intend to pay less attention to our dialogue with our traditional Western partners.”

Secretary of Defense Carter, DoD and NATO step up offensive objectives.

WASHINGTON, June 22, 2015 – The challenges to NATO from Russia and on the alliance’s southern flank will be the focus of Defense Secretary Ash Carter’s trip to the continent this week.

Click photo for screen-resolution image
U.S. Defense Secretary Ash Carter talks with news reporters aboard an aircraft June 21, 2015, en route to Berlin. Carter plans to meet with European defense ministers and participate in his first NATO ministerial as defense secretary during the trip to Germany, Estonia and Belgium. DoD photo by U.S. Air Force Master Sgt. Adrian Cadiz  
(Click photo for screen-resolution image);high-resolution image available.

Carter arrived in Berlin yesterday for talks with the German defense minister. From Germany, he will travel to Estonia and then end his trip at the NATO defense ministerial in Brussels.

Yesterday, the secretary spoke to reporters traveling with him.

NATO is Changing

The secretary said NATO must, and is, changing to confront the new threats. Russian President Vladimir Putin’s aggressive behavior in Georgia and Ukraine must be countered, and further aggression must be deterred, he said.

The secretary said he’ll explain America’s “strong but balanced approach” to dealing with Russia.

“It’s strong, in the sense that we are cognizant of the needs to deter and be prepared to respond to Russian aggression, if it occurs, around the world, but also especially in NATO and with NATO,” Carter told reporters.

U.S. soldiers in Stryker armored vehicles arrive at Smardan Training Area, Romania, March 24, 2015. The soldiers, assigned to 2nd Squadron, 2nd Cavalry Regiment, participated in Saber Junction 15, which included 5,000 troops from 17 nations that are NATO allies and partners. U.S. Army photo by Staff Sgt. Opal Vaughn

NATO is countering Russian behavior with the Spearhead Force designed to move quickly and powerfully to the scene of an incident, the secretary said.

“Another part of that is helping the states, both NATO members and non-NATO members, at the periphery of Russia … to harden themselves to malign influence or destabilization of the kind that Russia has fomented in eastern Ukraine,” he said.

Adapting to Challenges

The balance comes from needing to work with Russia on other issues, Carter said. Russia is a part of the P5-plus-1 talks with Iran. Russia also has a role in countering terrorism.

In short, Russia’s interests do in some areas align with those of the rest of the world, the secretary said.

“The United States, at least, continues to hold out the prospect that Russia — maybe not under Vladimir Putin, but maybe some time in the future — will return to a forward-moving course rather than a backward-looking course,” Carter said.

Southern Europe is threatened by extremism, the secretary said, noting that NATO defense ministers will discuss this threat. The dangers of extremism in the Middle East, he said, is manifested by increasing streams of refugees seeking to escape ungoverned or poorly governed areas of North Africa, sub-Saharan Africa and the Middle East.

“In both of those areas NATO needs to, and is, adapting,” Carter said. “These are challenges that are different in kind from the old Fulda Gap, Cold War challenge. They are different in their own ways from Afghanistan and the kinds of things that we’ve been doing there. So it’s new, but NATO … is adapting for both of them.”

Demanded bin Ladin’s Death Certificate, Denied

Posted on by

 

As written about in detail here, a hacking group calling itself the Yemen Cyber Army performed a cyber intrusion into the Saudi ministry of Foreign Affairs. A particular set of communications points to the request for Usama bin Ladin’s death certificate, and the United States denied the request. Other Freedom of Information requests were also made and the response was, there is no record.

Osama bin Laden’s son asked the U.S. government for his father’s death certificate. The U.S. said no.

by: Adam Taylor, Washington Post

According to a recently leaked document, the son of al-Qaeda mastermind Osama bin Laden, Abdullah bin Laden, sent a letter to the U.S. Embassy in Saudi Arabia to ask for his father’s death certificate.

In response, the embassy wrote to Abdullah to inform him that there was no death certificate issued for the older bin Laden.

The letter went on to suggest other ways that the al-Qaeda leader’s death could be officially confirmed.

The remarkable exchange has come to light thanks to the latest release from WikiLeaks, the controversial secret sharing organization helmed by Julian Assange. On Friday, the organization released what it said was the first part of more than a half-million cables and other documents from the Saudi Foreign Ministry, which it had dubbed “The Saudi Cables.”

The U.S. Embassy’s response to Abdallah was included within the release. It is dated Sept. 9, 2011, approximately four months after bin Laden was killed by U.S. forces during a raid on his hideout in Pakistan. U.S. officials have said that bin Laden was later buried at sea. Requests to publish photographs of bin Laden’s body or his burial have been denied and any photographs taken are suspected to have been destroyed.

In the letter to Abdullah bin Laden, Glen Keiser, a consul general at the U.S. Embassy in Riyadh, explains that the lack of a death certificate for bin Laden is “consistent with regular practice for individuals killed in the course of military operations.”

Keiser goes on to suggest that the criminal case against Osama bin Laden had effectively been dropped due to his death since June 2011, and describes a process for requesting the order of “nolle prosequi” (which literally means “unwilling to pursue”) from the court, which could act as proof of death.

It’s unclear why Abdullah bin Laden had requested the death certificate.

In 2012, the Department of Defense responded to an Associated Press Freedom of Information Act request and said that it was unable to find a death certificate for bin Laden.

Newly declassified documents from the compound in Pakistan where Osama bin Laden was killed in 2011 have revealed the late al-Qaeda leader’s remarkable English-language library, including books by Noam Chomsky, Bob Woodward and even 9/11 conspiracy theorist David Ray Griffin.

Yet the Office of the Director of National Intelligence, which released the files on Wednesday, has not released all the material found in the compound. In fact, there’s a rather notorious stash that the U.S. government apparently doesn’t want you to see: a cache of pornography.

Newly declassified documents from the compound in Pakistan where Osama bin Laden was killed in 2011 have revealed the late al-Qaeda leader’s remarkable English-language library, including books by Noam Chomsky, Bob Woodward and even 9/11 conspiracy theorist David Ray Griffin.

Yet the Office of the Director of National Intelligence, which released the files on Wednesday, has not released all the material found in the compound. In fact, there’s a rather notorious stash that the U.S. government apparently doesn’t want you to see: a cache of pornography. More on the bin Ladin book shelf here.

Yemen Cyber Army, Saudi and Wikileaks

Posted on by

Here it comes again, a major hack that took place earlier this month and the documents are in a pipeline to be published. Some are out there now.

From www.securityaffairs.co who I just interviewed for radio last week:

“We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.” states the group.

The following image was left on the PC of the employees at the Saudi foreign ministry on Thursday morning

Yemen Cyber Army vs Saudi Gov

More details here on the Yemen Cyber Army and the Saudi hack. The Yemen Cyber Army left behind these messages for file access as well:

OPERATION Name : “Syed Hussein Badreddin al-Houthi”
OPERATION Key  : b919117da9954bd82e65677cb240bbb3e4ddbd9ac93e10f0a399257ad54d851a

Saudi Arabia Ministry of Foreign Affairs Hacked By Yemen Cyber Army
All MOFA.GOV.SA Subdomains And Servers Hacked and HDD Encrypted
Allah is the enemy of those who oppress people

This is to convey a message to Saudi Dictators, if they’ve got a listening ear!

It’s us again, Yemen Cyber Army!

We are an Islamic Group who fights against you oppressors.

What you and your puppets commit in Yemen, Syria, Bahrain, Iraq and Lebanon, remind us of crimes your forefather Yazid-ibn-Muawiya committed in Karbala. And indeed you are good successors to him. You are ISIS and ISIS is you.

Never assume our calmness is due to weakness. We are oppressed! God will judge between you and us. As we never seek help from other than him.
You are pagan oppressors as you always fawn for US and Israel, that’s what you deserve.
So congratulations to those who achieve martyrdom in fight against pagan oppressors.

“And never think of those who have been killed in the cause of Allah as dead. Rather, they are alive with their Lord, receiving provision ”

Our cyber operation is just started and by the grace of God we are expecting the Saudi regime’s collapse by the “Labbaik Ya-Hossain” slogan.
This second operation is blessed by the name of martyred “Syed Hussein Badreddin al-Houthi” and is going to be a beginning to Saudi’s overthrow, Inshallah.

We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.

We publish only few portions of vital information we have, just to let them know that “truly the flimsiest of houses is the spider´s house”

Some portions of visa secret information, thousands of documents from the MOFA’s automation system and secret emails will be published gradually so as to keep Saudi puppets always in fear of their identity disclosure.

This way they might slightly come to know how it feels when our innocent women and children rush into havens crying and looking for their beloved once in dark.

And that’s not all! All your computers will be automatically wiped on Wednesday – 2015 20 May and at 12:00 to become a lesson for oppressors.

We have the same access to the Interior Ministry (MOI) and Defense Ministry (MOD) of which the details will be published in near future. Wish such shocking news make Saudi dictators to come to their senses and recapture those young wild dogs’ leash to avoid Muslims exploiting hate against Saudi family.
If you did not stop attacks on Muslims in Yemen, do not blame anyone but yourself and expect greater harms.
Files PASSWORD : [email protected]

Your Network Hacked By Yemen Cyber Army
We Are Cutting Sword of Justice
All Your Data is Encrypted and You Can’t Access Them without Key
Find Out the Decryption Key This Way :
Number of Yemeni Children Killed in Saudi Air Attacks   +
Number of Yemeni Homes Destroyed By Saudi-USA Bombs   –
Number of Saudis Killed By Yemenis   –
Number of Israeli Soldiers Killed by Saudi and Arab Union in 1984!!!!

#OPSAUDI
#YEMEN_UNDER_ATTACK
#OPKSA

We Are Anonymous
We Are Everywhere
We Are Legion
We do Not Forgive
We do Not Forget
Stop Attacking To Our Country!

****

Now enter the documents and Wikileaks.

WikiLeaks says it’s leaking over 500,000 Saudi documents

ISTANBUL (AP) — WikiLeaks is in the process of publishing more than 500,000 Saudi diplomatic documents to the Internet, the transparency website said Friday, a move that echoes its famous release of U.S. State Department cables in 2010.

WikiLeaks said in a statement that it has already posted roughly 60,000 files. Most of them appear to be in Arabic.

There was no immediate way to verify the authenticity of the documents, although WikiLeaks has a long track record of hosting large-scale leaks of government material. Many of the documents carried green letterhead marked “Kingdom of Saudi Arabia” or “Ministry of Foreign Affairs.” Some were marked “urgent” or “classified.” At least one appeared to be from the Saudi Embassy in Washington.

If genuine, the documents would offer a rare glimpse into the inner workings of the notoriously opaque kingdom. They might also shed light on Riyadh’s longstanding regional rivalry with Iran, its support for Syrian rebels and Egypt’s military-backed government, and its opposition to an emerging international agreement on Tehran’s nuclear program.

One of the documents, dated to 2012, appears to highlight Saudi Arabia’s well-known skepticism about the Iranian nuclear talks. A message from the Saudi Arabian Embassy in Tehran to the Foreign Ministry in Riyadh describes “flirting American messages” being carried to Iran via an unnamed Turkish mediator.

Another 2012 missive, this time sent from the Saudi Embassy in Abu Dhabi, said the United Arab Emirates was putting “heavy pressure” on the Egyptian government not to try former president Hosni Mubarak, who had been overthrown in a popular uprising the year before.

Some of the concerns appear specific to Saudi Arabia.

In an Aug. 14, 2008 message marked “classified and very urgent,” the Foreign Ministry wrote to the Saudi Embassy in Washington to warn that dozens of students from Saudi Arabia and other Gulf countries had visited the Israeli Embassy in the U.S. capital as part of an international leadership program.

“They listened to diplomats’ briefings from the embassy employees, they asked questions and then they took pictures,” the message said, asking the embassy for a speedy update on the situation.

Another eye-catching item was a document addressed to the interior and justice ministers notifying them that a son of Osama bin Laden had obtained a certificate from the American Embassy in Riyadh “showing (the) death of his father.”

Many more of the dozens of documents examined by The Associated Press appeared to be the product of mundane administrative work, such as emails about setting up a website or operating an office fax machine.

The AP was able to partially verify a handful of documents’ authenticity by calling the telephone numbers included in many of them. WikiLeaks spokesman Kristinn Hrafnsson told AP he was confident that the material was genuine.

It is not clear how WikiLeaks got the documents, although in its statement the website referred to a recent electronic attack on the Saudi Foreign Ministry by a group calling itself the Yemen Cyber Army. Hrafnsson declined to elaborate on the statement or say whether the hackers subsequently passed documents on to WikiLeaks.

“As a matter of policy we’re not going to discuss the source of the material,” he said.

The Saudi Embassy in Washington did not immediately return repeated messages seeking comment.

In its statement, WikiLeaks said the release coincided with the three-year anniversary of its founder, Julian Assange, seeking asylum in the Ecuadorian Embassy in London.

Assange took refuge in the embassy to avoid extradition to Sweden, where he is wanted for questioning about alleged sex crimes. Assange has denied any wrongdoing.  To access: WikiLeaks’ Saudi Cables site: https://wikileaks.org/saudi-cables/

 

 

Chinese Intelligence at Center of OPM Hack

Posted on by

First reported there was Anthem, one of the largest healthcare providers that was hacked. 80 million personal records were compromised. What is notable is Anthem is part of the Blue Cross Blue Shield health coverage network and even more concerning is BCBS provides coverage to more that half of the federal government workforce.

Take note of the following fro Threatconnect.com:

“Anthem Themed Infrastructure & Signed Malware:
In September 2014, the ThreatConnect Intelligence Research Team (TCIRT) observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. TCIRT began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.
Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.
Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight  Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.”

This brings us to the hack or rather simply sign-on as a root user of the 14 million personnel records of Office of Personnel Management (OPM) located in Colorado.

From Reuters:

U.S. employee data breach tied to Chinese intelligence

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation.

Washington has not publicly accused Beijing of orchestrating the data breach at the U.S. Office of Personnel Management (OPM), and China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the attack.

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.

The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

MANY UNKNOWNS

Most of the biggest U.S. cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case two years ago, the U.S. Justice Department indicted five PLA officers for alleged economic espionage.

Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.

People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.

“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.

CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defense and industry trade secrets. CrowdStrike calls the group “Deep Panda,” EMC Corp’s RSA security division dubs it “Shell Crew,” and other firms have picked different names.

The OPM breach gave hackers access to U.S. government job applicants’ security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.

In contrast to hacking outfits associated with the Chinese army, “Deep Panda” appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.

Information about U.S. spies in China would logically be a top priority for the ministry, Alperovitch said, adding that “Deep Panda’s” tools and techniques have also been used to monitor democracy protesters in Hong Kong.

An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of “Deep Panda” could reflect a different structure than that in top-down military units.

“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.

“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group.”