FBI Warns U.S. Companies to Be Ready for Chinese Hack Attacks

In a message obtained by The Daily Beast, the bureau strongly implies Beijing was behind the massive hack that exposed U.S. government employees’ secrets—and U.S. companies are next.

Within the U.S. government, there’s a debate about who’s responsible for the massive hack of federal employees’ darkest secrets. The FBI on Wednesday weighed in with its own answer, strongly implying that it was the work of China.

The FBI is warning U.S. companies to be on the lookout for a malicious computer program that has been linked to the hack of the Office of Personnel Management. Security experts say the malware is known to be used by hackers in China, including those believed to be behind the OPM breach.

The FBI warning, which was sent to companies Wednesday, includes so-called hash values for the malware, called Sakula, that can be used to search a company’s systems to see if they’ve been affected.

The warning, known as an FBI Liaison Alert System, or FLASH, contains technical details of the malware and describes how it works. While the message doesn’t mention the OPM hack, the Sakula malware is used by Chinese hacker groups, according to security experts. And the FBI message is identical to one the bureau sent companies on June 5, a day after the Obama administration said the OPM had been hacked, exposing millions of government employees’ personal information. Among the recipients of both alerts are government contractors working on sensitive and classified projects.

Director of National Intelligence James Clapper has publicly called China the “leading suspect” in the OPM hack, but he hasn’t offered any evidence publicly to substantiate those claims. Devin Nunes, the chairman of the House Intelligence Committee, has said the jury is still out on whether China is to blame.

In an email obtained by The Daily Beast, the FBI said it was sending the alert again because of concerns that not all companies had received it the first time. Apparently, some of their email filters weren’t configured to let the FBI message through.

The FLASH alert says the bureau has identified “cyber actors who have compromised and stolen sensitive business information and personally identifiable information,” which includes names, dates of birth, and Social Security numbers. The message notes that this information was a “priority target” of the hackers and that such data are frequently used for financial fraud. But “the FBI is not aware of such activity by these groups,” the message says.

Experts believe the data stolen from OPM is being compiled for espionage purposes, including targeting U.S. government employees and contractors who have access to classified information and could be blackmailed or recruited as spies.

The message also described the malware as being designed to copy information and send it to another computer, presumably being operated by a hacker. The Sakula malware has been linked to a breach of patient records at the health insurer Anthem. Some experts now believe the hackers who pulled off that breach are the same ones who penetrated the OPM’s computers.

The alert comes as Obama administration officials have been briefing members of Congress and their staff about the extent of the OPM hack. The Daily Beast reported earlier that the hackers had compromised so-called adjudication information, which includes revealing details, gleaned from background investigations, about government employees’ sex lives, their history of drug and alcohol use, and their financial problems. The OPM hack has also raised questions about whether the personnel records of intelligence agency employees, including covert operatives, were compromised.