China national held in US over links to cyber attacks

He is accused of providing malware tied to hacking of computers of US firms and govt

NEW YORK •The US authorities have accused a Chinese national visiting the United States of providing malware that has been linked to the theft of security clearance records of millions of American government employees.

Yu Pingan of Shanghai was arrested on Monday at Los Angeles International Airport after a federal criminal complaint accused him of conspiring with others wielding malicious software known as Sakula, a Justice Department spokesman said on Thursday.

The complaint said the group attacked a series of unnamed US companies using Sakula, the same rare program involved in US Office of Personnel Management (OPM) hacks detected in 2014 and 2015. The filing did not mention the OPM incidents but the arrest could provide information on the hacks, which US officials have blamed on the Chinese government.

In a Federal Bureau of Investigation (FBI) affidavit linked to the complaint, an FBI agent said he believed Yu provided to two unnamed men versions of Sakula that he knew would be used to carry out attacks on the firms.

According to the complaint, Yu, who lives in Shanghai, was an expert in computer network security and computer programming. His lawyer, Mr Michael Berg, said he was a computer science teacher.

Yu, who goes by the online alias "goldsun", sold various hacking tools, including zero-day exploits that allowed other hackers to remotely seize control of victims' computers and websites, the complaint said.

Mr Berg said Yu had no affiliation with China's government. "He says he has no involvement in this whatsoever," the lawyer said, adding that Yu went to Los Angeles for a conference.

The Justice Department and San Diego FBI declined to comment further.

The court filings said Sakula had rarely been seen before the attacks on US companies, and Yu knew the software he was providing would be used in the hacks carried out between 2010 and 2015. Though the victims are not named, some companies appeared to be in the aerospace and energy industries.

Mr Adam Meyers, vice-president of US security firm CrowdStrike, said software flaws and one of the Internet protocol addresses cited in the complaint matched up with attacks on a US turbine manufacturer, Capstone Turbine, and a French aircraft supplier.

Mr Meyers said Sakula could be used by multiple groups, but that all of the known targets would be of interest to the Chinese government.

The OPM breach was a subject of US-China talks, and the Chinese government previously told American diplomats it had arrested some criminals in the case.

Yu remains in jail pending a court hearing on his detention next week.


A version of this article appeared in the print edition of The Straits Times on August 26, 2017, with the headline 'China national held in US over links to cyber attacks'. Print Edition | Subscribe