[nonrelevant] 2019 military hacking quip article online

coderman coderman at protonmail.com
Mon Dec 28 09:13:35 PST 2020


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 28, 2020 4:10 AM, Karl <gmkarl at gmail.com> wrote:

...
> always sketchy when somebody says it's known who did an international
> hack. implies either international hackers don't know how to actually
> hide who they are, government security workers place blame too
> readily, the public is being lied to, or the international security
> communities are staring at each other all day, letting each other do
> everything, only stopping it afterwards. or all of those, i suppose.
> am i wrong?


you're right. i should have said *most likely* china.

the way they (industry) attribute hacks is multifaceted. some information comes from the exploits used, which give clues to nationality, past activity, and technical capability.

the best hints are given by underlying infrastructure. if China builds an infrastructure to attack target X, Y, Z, then that same infrastructure attacks Q, you know that Q was attacked by China. (most likely :P)

often, threat actors will disguise their attacks to *look* like another, like when Russia hacked the Olympics, and tried to make it look like North Korea (using parts of old NK exploit code to do so.)

the wikipedia page does a good job summarizing the evidence:
"""
The overwhelming consensus is that the cyberattack was carried out by state-sponsored attackers for the Chinese government.[4] The attack originated in China,[6] and the backdoor tool used to carry out the intrusion, PlugX, has been previously used by Chinese-language hacking groups that target Tibetan and Hong Kong political activists.[4] The use of superhero names is also a hallmark of Chinese-linked hacking groups.[4]

The House Committee on Oversight and Government Reform report on the breach strongly suggested the attackers were state actors due to the use of a very specific and highly developed piece of malware.[8] U.S. Department of Homeland Security official Andy Ozment testified that the attackers had gained valid user credentials to the systems they were attacking, likely through social engineering. The breach also consisted of a malware package which installed itself within OPM's network and established a backdoor. From there, attackers escalated their privileges to gain access to a wide range of OPM's systems. Ars Technica reported that at least one worker with root access to every row in every database was physically located in China. Another contractor had two employees with Chinese passports.[26]

China denied responsibility for the attack.[27]

In 2017, Chinese national Yu Pingan was arrested on charges of providing the "Sakula" malware used in the OPM data breach and other cyberintrusions.[10][11] The FBI arrested Yu at Los Angeles International Airport after he had flown to the U.S. for a conference.[10][11] Yu spent 18 months at the San Diego federal detention center and pleaded guilty to the federal offense of conspiracy to commit computer hacking and was subsequently deported to China.[11] He was sentenced to time served in February 2019 and permitted to return to China; by the end of that year, Yu was working as a teacher at the government-run Shanghai Commercial School in central Shanghai.[11] Yu was sentenced to pay $1.1 million in restitution to companies targeted by the malware, although there is little possibility of actual repayment.[11] Yu was one of a very small number of Chinese hackers to be arrested and convicted in the U.S.; most hackers are never apprehended.
"""
- https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach


best regards,

