FireEye Identifies Chinese Group Behind Federal Hack

It’s not the one you may have heard about.

Computer security firm FireEye has identified a Chinese group that may have carried out a devastating hacking attack against the U.S. Office of Personnel Management last year, leading to the theft of information on millions of federal employees and retirees. The hack was first disclosed earlier this month.

The group, based in China, is not the one known as “Deep Panda” that has been tied to the Chinese military and an attack on insurer Anthem Health earlier this year. It is instead another group whose activities FireEye has monitored since 2013 and that specializes in attacks that are meant to gather troves of personally identifiable information, or PII. The group focuses its attention and efforts on the health insurance and travel industries. FireEye did not assign a name to the group.

“Unlike other actors operating in China who conduct industrial espionage or steal defense technology, this group has primarily targeted PII. Based on the tools and tactics, FireEye Intelligence thinks that the group who compromised OPM’s networks is different from the activity of Deep Panda.

“We think this group uses similar backdoors to Deep Panda to obtain access to a network, but then uses different tactics once they get access to the network,” said Mike Oppenheim, an intelligence operations manager for FireEye, in an interview with Re/code.

Laura Galante, FireEye’s director of threat intelligence, said the group is believed to be operating out of China, but it’s unclear what direction it may receive from government agencies. “That is an open question and we haven’t worked it out at this point,” she said.

The FBI has not yet publicly identified the culprit behind the attacks, but members of Congress — including Sen. Harry Reid, who receives briefings on sensitive intelligence matters — have mentioned on the Senate floor a Chinese role in the OPM attack.

The Chinese government has denied any connection to the attack. “The Chinese government takes resolute strong measures against any kind of hacking attack,” China’s Foreign Ministry told Reuters. “We oppose baseless insinuations against China.”

The FBI announced that it was investigating the attack on the OPM on June 4. Initial estimates said that information on more than four million people was stolen. A union representing federal workers said in a letter on June 11 that it believed information on many more people may be involved.

Deep Panda was so named by the security firm Crowdstrike.

Security firms and researchers often reach differing conclusions on the perpetrators of high-profile hacking attacks, and they often release conflicting reports. For example, some security firms dispute an FBI finding that hackers linked to North Korea carried out the attack on Sony Pictures Entertainment last year.

Correction: We previously misidentified Laura Galante as a FireEye spokeswoman. Also Crowdstrike didn’t implicate Deep Panda in the OPM attack, but it did give the group its name.

This article originally appeared on Recode.net.
