The FBI arrested Yu Pingan, a Chinese malware broker, at Los Angeles International Airport, accusing him of supplying malware, including Sakula, to a Chinese hacking group. That malware was used to break into several US companies and was linked to the theft of more than 20 million records from the US federal government's Office of Personnel Management in 2015. How did the FBI identify the Chinese hackers? According to the testimony of FBI Special Agent Adam R. James, the FBI and the Pentagon's Cybercrime Center relied on tracking the command-and-control (C2) domain names embedded in the malicious programs and on seizing electronic communications through search warrants, but the indictment does not identify the source of those seized communications.
The case refers to four companies, designated A, B, C and D, that were hacked by the Chinese hacking group. Yu Pingan's co-conspirators are referred to as Unindicted Co-conspirator 1 and Unindicted Co-conspirator 2. One malicious program discovered by Company A was Capstone.exe, which embedded a domain name hosted by a dynamic DNS service provider: capstoneturbine.cechire.com. The person who bought the domain identified himself as working for Capstone Trubine at www.capstonetrubine.com. Billing records and registration information show that Unindicted Co-conspirator 1 controlled multiple dynamic DNS accounts and purchased multiple C2 domains that were embedded in the malware. On December 16, 2013, several of these domain names resolved to the same IP address, 173.252.252.204.

Seized communications show that Yu established contact with Unindicted Co-conspirator 1 in April 2011; on April 17, 2011, Yu told him that he had a Flash exploit that worked on three different browsers. Yu also established a relationship with Unindicted Co-conspirator 2 no later than April 2011, and on April 23, 2011, the two discussed supplying a Microsoft Internet Explorer exploit. The seized communications also show Yu being warned that his activities could draw the attention of the FBI. On November 10, 2011, Unindicted Co-conspirator 1 told Yu that he controlled an official Microsoft domain in South Korea and offered http://update.microsoft.kr/hacked.asp as proof; Unindicted Co-conspirator 1 said it could not be used to push fake updates but could be used for phishing attacks. Less than two weeks later, a version of Sakula was configured to use the Microsoft Korea domain name. In a draft dated around December 25, 2012, Yu complained that Unindicted Co-conspirator 1 had named a malicious file golds7n.txt after his screen name. Yu's screen name is GoldSun, one of Sakula's decryption keys is Goldsunfucker, and he used the email address [email protected].
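The attribution work described above rests on three routine defender steps: pull hostname-like strings out of a sample, pivot on the IP those hostnames resolved to so that sibling C2 domains surface, and flag registrations that imitate a victim's brand. The script below is an added illustration of that workflow; it is not code from the article, the FBI or any court filing. The hostname capstoneturbine.cechire.com and the IP 173.252.252.204 come from the article; the sample "binary", the passive-DNS records and the other hostnames are constructed for the example.

```python
import re
from datetime import date

# Constructed stand-in for a malware sample: a few bytes of junk with two
# hostnames embedded, the way a C2 address sits inside a packed binary.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00junk\x00\x00"
    b"capstoneturbine.cechire.com\x00"          # named in the complaint
    b"\x7f\x00update.example-dyn.net\x00"       # constructed
    b"\xff\xfeGoldSun\x00"
)

OBSERVATION_DATE = date(2013, 12, 16)

# Constructed passive-DNS style records: (hostname, resolved IP, date seen).
# Only the first hostname and the IP come from the article.
PDNS_RECORDS = [
    ("capstoneturbine.cechire.com", "173.252.252.204", OBSERVATION_DATE),
    ("update.example-dyn.net", "173.252.252.204", OBSERVATION_DATE),
    ("mail.example-dyn.net", "173.252.252.204", OBSERVATION_DATE),
    ("www.unrelated-example.org", "198.51.100.7", OBSERVATION_DATE),
]

HOSTNAME_RE = re.compile(
    rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.IGNORECASE
)


def extract_hostnames(blob: bytes) -> list:
    """Pull hostname-looking strings out of raw bytes (a crude `strings | grep`)."""
    return sorted({m.group(0).decode("ascii").lower() for m in HOSTNAME_RE.finditer(blob)})


def pivot_by_ip(seed_hostnames, records, on_date=None) -> dict:
    """Group every hostname that shared an IP with a seed hostname.

    This is the pivot in the complaint: several C2 domains resolved to the
    same address on the same day, so anything else on that address is suspect.
    """
    seed_ips = {
        ip for host, ip, seen in records
        if host in seed_hostnames and (on_date is None or seen == on_date)
    }
    clusters = {}
    for host, ip, seen in records:
        if ip in seed_ips and (on_date is None or seen == on_date):
            clusters.setdefault(ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in clusters.items()}


def lookalike_score(hostname: str, brand: str) -> int:
    """Levenshtein distance between a brand and the hostname's closest label.

    A distance of 1 or 2 against a protected brand ('capstonetrubine' vs
    'capstoneturbine') is the classic typosquat registration pattern.
    """
    def lev(a: str, b: str) -> int:
        prev = list(range(len(b) + 1))
        for i, ca in enumerate(a, 1):
            cur = [i]
            for j, cb in enumerate(b, 1):
                cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
            prev = cur
        return prev[-1]

    return min(lev(label, brand) for label in hostname.split("."))


def triage(blob: bytes, records, brand: str, on_date=None) -> dict:
    """Run all three steps and return a small report for the analyst."""
    hosts = extract_hostnames(blob)
    return {
        "embedded_hostnames": hosts,
        "shared_infrastructure": pivot_by_ip(hosts, records, on_date),
        "brand_lookalikes": {h: lookalike_score(h, brand) for h in hosts
                             if lookalike_score(h, brand) <= 2},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB, PDNS_RECORDS, "capstoneturbine", OBSERVATION_DATE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The pivot deliberately takes a date, because dynamic DNS hostnames move between addresses; a cluster is only meaningful when the resolutions overlap in time, which is why the article stresses that the domains pointed at the same IP on a specific day.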
Yu also provided Unindicted Co-conspirator 1 with other malware, including ADJESUS and Hkdoor (Hacker's Door), which were sold through a penetration-testing site called Penelab.com. Hkdoor was developed for a client named Fangshou, and Unindicted Co-conspirator 1 used the name Fangshou. According to a résumé seized by the FBI, Yu was born on December 16, 1980, lived in Shanghai and was skilled in computer network security and programming.