# US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks

By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/), August 26, 2017 01:00 AM

The FBI has arrested a Chinese national on accusations of distributing and infecting US companies with the Sakula malware, the same malware used in the OPM and Anthem hacks.

The suspect's name is Yu Pingan, 26, of Shanghai. US authorities arrested Yu on Monday, August 21, at the Los Angeles airport, as the suspect entered the US to attend a security conference.

## Yu's alleged criminal past tied to Sakula trojan

[According to an official indictment](http://www.documentcloud.org/documents/3963927-Yu-Pingan.html), authorities accused Yu and two other unnamed co-conspirators of infecting four US companies with [Sakula](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf), a backdoor trojan.

The US Department of Justice described Yu as a "malware broker" and charged him with the tool's distribution and four hacking charges. US authorities did not accuse Yu of creating Sakula, nor of hacking OPM or Anthem.

-----

Between 2014 and 2015, hackers stole the personal records of over 21 million government employees from the [US Office of Personnel Management (OPM)](https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach), and over 80 million medical records from [Anthem Inc.](https://en.wikipedia.org/wiki/Anthem_medical_data_breach), a US company that provides health insurance, including for several government agencies.

## Yu accused of using three zero-days, knowing of a fourth

US cyber-security firms have accused Chinese state hackers of carrying out the OPM and Anthem breaches. They blamed a cyber-espionage unit named Deep Panda, also known as APT19.

US authorities did not elaborate on Yu's connection to Deep Panda. Nonetheless, the indictment mentioned that Yu and his co-conspirators were in possession of at least four zero-days: [CVE-2014-0322](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0322) (affecting IE10), [CVE-2012-4969](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4969) (affecting IE6), CVE-2012-4792 (affecting IE6), and an unidentified Flash Player zero-day that Yu mentioned in chat transcripts.

The hacks for which Yu stands accused all took place before the OPM and Anthem breaches. Historically, security firms have observed the Sakula trojan used exclusively in nation-state cyber-espionage campaigns.

Yu will be arraigned in court next week.

On a side note, the video below gives a basic introduction to nation-state cyber-espionage campaigns. At 27:55, security expert The Grugq provides a very simple explanation of why Chinese hackers targeted OPM and Anthem. The rest of the video also explains how the Chinese cyber apparatus works, along with similar infrastructures in Russia and the US.
-----

Watch Video At: https://youtu.be/wP2J9aYM6Oo

-----

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.