Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.
According to this story from Bloomberg’s Michael Riley and Jordan Robertson, “the attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.”
While the story is light on details, it adds a bit more context to an FBI “flash alert” that KrebsOnSecurity obtained independently last week. The alert said the FBI has received information regarding a group of cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”
The alert notes that analysis of malware samples used in the attack indicate a significant amount of the computer network exploitation activities emanated from infrastructure located within China. The FBI said the tools used in the attack were referenced in open source reports on Deep Panda, a claim that also shows up in the Bloomberg piece. That story references data about Deep Panda from cybersecurity firm CrowdStrike, which specializes in attributing nation state-level attacks.
According to the FBI, Deep Panda has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. While it may be unrelated, it’s worth noting that in the past two weeks alone, Adobe has shipped no fewer than three unscheduled, emergency updates to address Flash Player vulnerabilities that were being exploited in active attacks at the time Adobe released patches.
The FBI’s flash advisory continues:
“Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by this group. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.”
In its own writeup on Deep Panda from mid-2014, CrowdStrike notes that “for almost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business verticals including: government, defense, financial, legal, and the telecommunications industries. At the think tanks, [we have] detected targeting of senior individuals involved in geopolitical policy issues, in particular in the China/Asia Pacific region. DEEP PANDA presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies.”
Leaving aside the question of whether state-sponsored Chinese hackers were in fact behind the Anthem breach, there are still many unanswered questions about this incident, such as when did Anthem find out about it? How long did the breach last? How did the attackers break in? What can other businesses learn from this incident to protect themselves?
Steve Ragan, a journalist who writes the Salted Hash blog for CSO Online, references a document he received from a trusted source that was reportedly sent as a memo from Anthem to its clients. That memo notes that the unauthorized activity seems to date back to at least December 10, 2014. That activity apparently continued undetected until January 27, 2015, meaning the attackers had access to Anthem’s customer database for more than a month before they were discovered.
The memo explains:
“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”
The notice from Anthem to its clients concludes that “the attacker had proficient understanding of the data platforms and successfully utilized valid databaes administrator logon information.”
As for how the attackers broke in, perhaps the FBI’s Flash warning on Deep Panda (PDF) holds some clues.
Incidentally, infosec professionals take note: Anthem is hiring. On Feb. 4, the same day that Anthem disclosed a breach at its “database warehouse” may have affected as many as 80 million consumers, it also posted a help wanted ad for a “Cloud Encryption Security Professional.”
Tags: Adobe Flash zero-day, anthem breach, Bloomberg, CrowdStrike, Deep Panda, fbi, Jordan Robertson, Michael Riley, Salted Hash Blog, Steve Ragan, wellpoint breach
How can an individual find out if his/her S.S. number was in this (or any) particular high-profile hack? Besides finding out AFTER the number was used to cause trouble. Is there any way to check?
Anthem has never cared about computer security. Around five years ago, it used a non-secure server to store the data for applicants. If that applicant became a customer, the data on the non-secure server was deleted, but if that applicant never became a customer, for whatever reason, the data sat there forever. And then that non-secure server was breached. The only thing that will resolve the situation is perp-walks of CEOs and CIOs who refuse to secure their systems. Insignificant fines and credit monitoring service subscriptions are clearly not sufficient.
“a non-secure server”
What does that even mean?
“Secure” isn’t a binary state.
To be fair, it sort of is a binary state. You either have secure – no ethernet / in a room with no physical entry / self contained power generation and cooling – or you have non-secure – everything that exists today.
Just because “secure” is unreasonably inconvenient for any practical use, doesn’t mean that the value of ‘secure’ isn’t boolean.
As previously mentioned, not the first time for Anthem. The other lack-of-security was 2010 and resulted in a $1.7 million fine. Apparently not enough punishment to encourage Anthem to fulfill its contractual agreement with customers. I agree, big dogs should go to jail for errors that harm large numbers of customers. Otherwise it’s just another tiny digit in risk/profit analysis.
Russia’s been attacking American Financial systems for fun and profit through their underground mafia organizations as a method of dissuading American bankers from involving themselves in Russian Affairs. Remember, when cash gets stolen, that weakens the banks as they have to find a way to pay for it; that hits their bottom line, and is the reason you see the interest rates on CD and money market accounts at all time lows.
Government is at the point it can’t print any more capital without pushing the lower 25% into starvation, and you do not want to do that in a country as armed at this.
China has taken notice, and they are finding sideband attacks against Americans are effective in compromising systems.
The FBI lost all it’s credibility after it claimed North Korea was behind the Sony Hack, when it was found out it was an employee related attack. Oops. Of Course, North Korea will play along on that one.
What a fucking nightmare.