TLP AMBER ANNOUNCEMENT: On 22 August 2017, a Chinese national named Yu Pingan was arrested and charged with cyber intrusions into four U.S. corporations between 2011 and 2014 that included the use of Sakula malware, known for its use in the major breaches of Anthem patient records and the Office of Personnel Management (OPM). Yu Pingan operates under the principle persona “Goldsun.” Analysts believe (high confidence) that he is in fact the Goldsun that was active at the Chinese hacker website Xfocus.net from 2004 to 2009. He is credited with and likely authored several pieces of malware that he posted during this period. His real identity remained unknown, but email addresses in some of his posts correspond to other accounts identified in the charges that led to his arrest. The charges against Yu Pingan do not identify any organization he was working for nor any connection to the Chinese government. Wapack Labs believes with medium confidence that Yu is affiliated with the Chinese civilian hacker group Wekby. The Chinese Government has not issued any statements and there has been no coverage of his arrest in official media...READ MORE
Wapack Labs has cataloged and reported extensively on China, Wekby, APT, and cyber intrusions in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
This TLP AMBER report is available only to Red Sky Alliance members.
