5 Jun 2015

Cyber attack: did a panda maul the US government?

The hacking of four million US government employees' details is just the latest in a series of raids which suggest that a group of cyber criminals are hell-bent on hoovering up as much information as they can about Americans.


Back in January, a US tech security company reported that someone had hacked into a major US insurance company, Anthem. Two days later, the details of 11m customers were taken from a healthcare provider called Premera Blue Cross.

In both cases, the hackers used their computers to set up websites with names that were slight distortions of the names of their targets (prennera.com instead of premera.com, for example).

So when the tech security company saw the hackers setting up websites with names that were slight corruptions of the Office of Personnel Management (OPM), it implied that the US government’s human resources agency was in the hackers’ sights.
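The watching-for-lookalike-domains technique described above can be automated on the defender's side. The following is an added example, not code from the article or from the security company it mentions: it compares a feed of newly seen domain names against a short list of protected organisation names, folds a handful of visually confusable character sequences (the table, the sample domains other than prennera.com, and the function names are all constructed for this illustration), and flags anything within a small edit distance of a protected name while leaving exact matches (the organisation's own domain) alone.

```python
"""Watchlist-style detection of lookalike (typosquatted) domain names.

Added example: compares newly seen domain names against a list of protected
organisation names and flags those within a small edit distance, after
folding a few visually confusable character sequences.
"""
from typing import Dict, List, Tuple

# Visually confusable sequences folded before comparison.
# Illustrative table (an assumption of this example, not an exhaustive list).
CONFUSABLES: Dict[str, str] = {
    "rn": "m",
    "vv": "w",
    "0": "o",
    "1": "l",
    "3": "e",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Lower-cased first label of a domain: 'Prennera.com' -> 'prennera'."""
    return domain.strip().lower().split(".")[0]


def fold(label: str) -> str:
    """Replace confusable sequences so that 'anthern' compares as 'anthem'."""
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def flag_lookalikes(candidates: List[str], protected: List[str],
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (candidate, protected_name, distance) for each near match.

    An exact label match is treated as the organisation's own domain and is
    not flagged; anything else within max_distance edits (after folding) is.
    """
    hits: List[Tuple[str, str, int]] = []
    for domain in candidates:
        raw = registrable_label(domain)
        for name in protected:
            target = name.lower()
            if raw == target:
                continue  # the legitimate domain itself
            distance = levenshtein(fold(raw), fold(target))
            if distance <= max_distance:
                hits.append((domain, name, distance))
    return hits


# Constructed sample feed: prennera.com is the example named in the article;
# the other names are made up for this illustration.
SAMPLE_DOMAINS = ["prennera.com", "premera.com", "0pm.gov",
                  "anthern.com", "example.com", "opm.gov"]
PROTECTED_NAMES = ["premera", "opm", "anthem"]

if __name__ == "__main__":
    for domain, name, dist in flag_lookalikes(SAMPLE_DOMAINS, PROTECTED_NAMES):
        print(f"{domain:16} resembles {name!r} (edit distance {dist})")
```

On the sample feed this flags prennera.com (two edits from premera), 0pm.gov and anthern.com (identical to opm and anthem once the confusable sequences are folded) and leaves the legitimate premera.com and opm.gov alone. In practice the candidate list would come from a feed of new domain registrations or certificate transparency logs, and a hit is a prompt to investigate, not proof of malicious intent.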


In the healthcare and insurance raids, the hackers used a piece of malicious software called Derusbi, which, as Microsoft says, can be used to steal information from computers.

Other tech security firms have also been looking at Derusbi, and one has said it’s the favourite tool of a group they’ve nicknamed Deep Panda.

So if Derusbi was used to hit the OPM, and if Deep Panda was behind it, who’s controlling the panda? Lots of fingers are pointing at China. Its government has said that jumping to conclusions is “not responsible” and “counterproductive”.


The problem is that, as good as the tech security researchers are, their evidence is often circumstantial: they look at hints inside the computer code that infects victims (hackers sometimes write notes to themselves in the code, hinting at their nationality), they look at who the targets are (the malicious software is often programmed to hit specific companies or groups), and they look at the location of the computers from which the attack was launched.

All of those evidential hints, though, can be spoofed by an attacker who wants to hide their true identity.

Follow @geoffwhite247 on Twitter