Threat Alert: OPM Tools

EXECUTIVE SUMMARY -The breach in the U.S. Office of Personnel Management (OPM) had compromised the personal information of millions of Americans. -There were two attacks by suspected Chinese hackers on personnel data and applications for security clearances. -The massive data breach is now believed to have affected well over 10 million separate users. -This alert lists the tools used in these attacks as well as Check Point coverage for these tools.   DESCRIPTION FBI Alert Summary

  • The FBI has obtained information regarding cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII).
  • Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by these groups.
  • Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation.

Technical Details

  • Groups responsible for these activities have been observed across a variety of intrusions leveraging a diverse selection of tools and techniques to attempt to gain initial access to a victim, including using credentials acquired during previous intrusions. These groups have also been observed compromising using the technique of DNS hijacking facilitated through the compromise of DNS registrars.
  • The Remote Access Tools (RAT) used in those attacks include: Sakula, FF RAT, Trojan.IsSpace and Trojan.BLT.

CHECK POINT COVERAGE Check Point protects its customers from these tools with the Anti Bot and Anti-Virus blades, which include relevant signatures and indicators, among them:

  • Trojan.Win32.Sakula.*
  • Trojan.Win32.BLT.*