Recent Cyberattacks Only the Beginning, as State Hackers Target Data on Americans

August 3, 2015 Updated: August 6, 2015

There is a new trend in cyberattacks, and recent breaches that stole tens of millions of records on Americans are just the beginning as state hackers shift their targets.

Only recently, hackers tied to the Chinese military were targeting intellectual property and other data that could be used for monetary gain. Now, they’re going after information with little value outside the spy world.

“We’re seeing a paradigm shift in the type of data [they’re targeting],” said Eric Devansky, director of global security services for TruShield Security, a risk assessment and security firm.

Among the recent breaches was the attack on the Office of Personnel Management, where hackers stole background checks on potentially 21.5 million U.S. federal employees. Before that, hackers stole an estimated 80 million records on Americans from health care company Anthem Inc.

According to Devansky, these attacks are not one-offs. They represent a new trend in cyberattacks, and it’s highly unlikely the hackers will stop there.

The main targets, he said, are likely services used frequently by federal employees. The connection between the previous attacks is that the databases hold different information on the same individuals.

The hackers are likely helping the Chinese regime develop a more complete profile of people they can target for spying.

A source close to the matter told Epoch Times in a previous interview that the Chinese Communist Party (CCP) is building a database on Americans.

To sift through the data, the source said, the CCP is using the same software as its domestic spy program, the Social Credit System, which creates linking profiles on all Chinese citizens and gathers information on them from nearly all Chinese commercial services, and from all police and spy agencies.

An Emerging Pattern

The group's most recent target may be United Airlines, in an alleged cyberattack. Bloomberg reported on July 29 that the hackers stole flight data, which included flight records on passengers.

United Airlines hasn’t clearly denied the attack, but in an emailed statement Luke Punzenberger, from its communications department, said the Bloomberg report was “based on pure speculation.” He added, “We can assure our customers that their personal information is secure.”

While Bloomberg cited anonymous sources familiar with the probe, and its findings cannot be independently confirmed, the reports align with what Devansky said is an emerging trend that could soon include a long list of other targets.

In the case of United Airlines, he said, the cyberspies may be “looking at travel profiles, of where you’re going and where you’re coming from.” Given that United Airlines is a contractor with the U.S. government, and is used frequently by federal employees, he said it fits into the broader picture.

Devansky said his security company has strong evidence that the attacks are coming from China, noting “we have very good information through the networks TruShield monitors, there is a very likely link between several of these recent attacks.”

According to networks monitored by his company, he said, recent breaches that targeted data on Americans “are from one foreign agent—and it’s in China.”

While he couldn’t give details due to nondisclosure agreements with clients, Devansky said the recent attacks use “the same vectors of attack and the same trojans,” noting “We are also drawing links between the types of data that’s being hit.”

Some of the evidence, he notes, has been found by other security researchers. The cyberattacks were carried out with a specific remote access trojan (RAT) known as “Sakula.” Hackers can gain control over an infected computer by using RATs.

The Sakula trojan is used by a group of Chinese state hackers, which security researchers have given several names, including Deep Panda, Axiom, and Group 72.

A graphic created for a security report on the Chinese hacker group Deep Panda. Security company CrowdStrike exposed the group in November 2014. (CrowdStrike)

Deep Panda was identified in November 2014 by security company CrowdStrike. At the time, it already had a long list of victims, which do not appear to have been disclosed. Among the victims, CrowdStrike reported, were U.S. defense contractors, health care companies, government agencies, and technology companies.

The string of attacks was tied together by CrowdStrike in November 2014 by looking at the unique methodologies the hackers used across all attacks. TruShield Security is looking at similar patterns in the recent attacks.

The type of data being targeted raises new concerns, not just for government, but for everyone with a computer. Devansky said in a world where a large number of websites and services have sensitive data on people, “it puts the problem right on your doorstep.”

“I think we’re wholly unprepared for the challenges we’re facing right now,” he said.

Soon, he said, “any organization that houses data on people is going to need to have the capability to detect and respond to a breach.”

Follow Joshua on Twitter: @JoshJPhilipp