While Anthem and the OPM are not mentioned by name in the FBI's high-confidence alert, the timing can't be a coincidence. The key link, though, is the malware itself: Sakula.
The memo mentions Sakula directly and includes 312 hashes of the malware. It isn't clear, however, whether those hashes were collected recently from systems at the OPM or Anthem. While it's possible they were, and even plausible, there isn't any evidence supporting that line of thought.
Sakula is a Remote Access Trojan (RAT), and ThreatConnect linked it to the Anthem breach earlier this year, concluding that the malware was signed with a digital certificate stolen from the Korean company DTOPTOOLZ Co. and configured to communicate with extcitrix.we11point[.]com and www.we11point[.]com, two command and control (C2) domains used by the attackers.
So if the FBI is publicly naming Sakula as the malware used, and we know Sakula is already tied to Deep Panda, I wonder how long it will be before the US government discloses China as the culprit behind the attacks.