Back in February, the ThreatConnect team conducted in-depth independent analysis of the Anthem breach, finding connections to amorphous Chinese APT activity. Although our primary concern at the time was with the malicious Wellpoint/Anthem and VAE, Inc. (a Federal contractor) command and control domains, we couldn’t help but notice a peculiar related OPM-themed domain, opm-learning[.]org. This finding was listed in our Anthem blog, and we have continued to monitor it in ThreatConnect since mid February.
The registration information for opm-learning[.]org was peculiar and unique for several reasons. First, it used a registrant email that included a pseudorandom 10 character gmx[.]com email address (i.e. firstname.lastname@example.org and tAPRhpALhl@gmx.com.)Additionally, the attackers used an Avengers-themed naming convention (i.e. tony stark and Steve Rogers) for the registrant name. We’ve documented the pseudorandom gmx registrant email tactic in the past, and our partners at CrowdStrike were the first to detail the Avengers theme. Both are known to be telltale signs of Chinese APT activity.
Given that the registration information was so unique, we had strong suspicions that we may be able to uncover affiliated infrastructure if we were to query to search for similar domains that also use the aforementioned tactics and naming conventions. Working with our friends at DomainTools, we were able to discover an additional OPM-themed domain: opmsecurity[.]org.
Due to the OPM themed infrastructure, the use of a gmx registrant email and the use of Avengers-themed naming convention for the registrant information, we are confident that opmsecurity and opm-learning are related.
Here is a quick list of all affiliated domains utilizing this gmx and Avengers tradecraft:
In light of the news of the OPM breach targeting PIIs, it appears that our original suspicions about this Chinese APT group targeting healthcare providers as a means to target Federal Government employees in particular – likely for the purposes of secondary electronic targeting, blackmail or coercion – were becoming truth.
As this situation develops, we will be sharing additional analysis. For the time being, please refer to our original research, posted on February 27th, which is presented below for your convenience:
One notable pattern was how the domain Whois registration information for the VAE, Inc. themed infrastructure was quickly updated and obfuscated with pseudorandom 10 character gmx.com email addresses and using the names of various comic book characters from the Iron Man franchise. This comic-themed naming convention has been previously documented by our friends at Crowdstrike in what they characterize as being associated with a Chinese APT group they have dubbed “Deep Panda”.
Leveraging our DomainTools partnership, we were able to correlate the outlier domain opm-learning[.]org. This domain was also purportedly registered by the Iron Man movie hero “Tony Stark” on July 28, 2014. This infrastructure naming convention suggests a possible Office of Personnel Management (OPM) theme. However, in this case we lacked any specific sample of malware to verify our initial suspicions that this infrastructure was operational. The possible OPM reference in the domain name is noteworthy considering it was revealed in July of 2014 that OPM had been compromised by a likely state-sponsored Chinese actor in mid-March of that year. The fact this domain was registered after the breach occurred suggests that OPM could be an ongoing direct target of Chinese state-sponsored cyber espionage activity.
Our attention then turned to the FBI Flash Report A-000049-MW that was publicly reported by Brian Krebs on February 6th, 2015. This FBI Flash Report was issued on January 27th, 2015, the same day an Anthem administrator detected suspicious activity according to an internal memo. This memo goes on to indicate that the FBI would not be party to the Anthem breach until they were notified on January 29th, 2015; based on these facts we assess with high confidence that it is very unlikely that the FBI Flash Report was directly related to the Anthem breach. Rather, we suspect that the FBI flash report likely references the USIS breach that was announced on August 6, 2014, or the previous OPM breach, considering the statement that the breach involved“compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”
The malware referenced within the FBI Report is associated with a Derusbi backdoor subvariant named “InfoAdmin” / “Kakfum” where the FBI specifically references open source reporting of “Deep Panda” as being related to the malware observed in the attack. The malicious infrastructure highlighted in the report are the domains images.googlewebcache[.]com and smtp.outlookssl[.]com. Both of these top level domains were included with other related domains, all of which were shared on September 16th, 2013 to the ThreatConnect Subscriber Community in Incident 20130823C: Some.Trouble APT Domains, roughly a year and half prior to the FBI Flash report.
It is important to mention that both the domains images.googlewebcache[.]com and smtp.outlookssl[.]comas were also previously identified in an October 2014 PwC blog post as seen within Cluster 1 of the Scanbox framework, while the Sakula activity with we11point and VAEIT is contained within Cluster 2 of that report. This implies that the actor referenced within the FBI Flash report uses shared capabilities (in this case the ScanBox kit) with the Sakula / we11point actor.
In review, ThreatConnect identified a domain opm-learning[.]org that had a similar superhero themed WHOIS registrant to the Sakula / VAE Inc. infrastructure. The possible OPM reference is noteworthy considering the Office of Personnel Management (OPM) was compromised in March 2014. Additionally, an FBI Flash Report 0000-49MW referenced indicators that were possibly associated with the USIS hack and a Derusbi variant called “Kakfum” / “InfoAdmin”. Both the FBI Flash infrastructure and the Sakula / VAE Inc. infrastructure are tied to the capability usage of the ScanBox framework, residing in Clusters 1 and 2 respectively.
Want to learn more and follow the latest updates? Register for a free organization account of ThreatConnect fill out the form below to get started.