The Chinese hacking group suspected of stealing sensitive information about millions of current and former US government employees has a different mission and organizational structure than the military hackers who have been accused of other US data breaches, according to people familiar with the matter.
While the Chinese People's Liberation Army typically goes after defence and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the US investigation.
Washington has not publicly accused Beijing of orchestrating the data breach at the US Office of Personnel Management, and China has dismissed as "irresponsible and unscientific" any suggestion that it was behind the attack.
Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at US health insurer Anthem Inc disclosed this year.
The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China's Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.
In addition, US investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number "1" instead of the letter "l".
Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.
The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.
"Chinese law prohibits hacking attacks and other such behaviours which damage Internet security," China's Foreign Ministry said in a statement. "The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China."
Most of the biggest US cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case last year, the US Justice Department indicted five PLA officers for alleged economic espionage.
Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.
People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.
"We are seeing a group that is only targeting personal information," said Laura Galante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.
CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defence and industry trade secrets. CrowdStrike calls the group "Deep Panda," EMC Corp's RSA security division dubs it "Shell Crew," and other firms have picked different names.
The OPM breach gave hackers access to US government job applicants' security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.
In contrast to hacking outfits associated with the Chinese army, "Deep Panda" appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.
Information about US spies in China would logically be a top priority for the ministry, Alperovitch said, adding that "Deep Panda's" tools and techniques have also been used to monitor democracy protesters in Hong Kong.
An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of "Deep Panda" could reflect a different structure than that in top-down military units.
"We think it's likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor," said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.
"We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group."