Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)

Anthem Breach: Chinese Hackers Involved?

Experts Urge Skepticism About Quick Attribution of Attack
Anthem Breach: Chinese Hackers Involved?

As the investigation into the massive data breach at Anthem Inc. progresses, investigators have found that the tools, tactics and infrastructure used in the attack suggest it was the work of hackers operating from China, according to some news reports. But security experts are skeptical about any effort to quickly assign blame for the attack.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

The breach of Anthem exposed a database containing personally identifiable information, reportedly for as many as 80 million individuals in the United States. The incident makes it crystal clear that the healthcare sector has become a new favorite target for hackers (see: Anthem Breach Sounds Healthcare Alarm).

Two $5 billion class action lawsuits have already been filed against Anthem. The suits, filed in California and Alabama federal courts, allege that Anthem failed to protect plaintiffs' private information, putting them at risk for identity theft and other fraud.

The digital forensics team investigating the breach has found technical indications that suggest the attack was the work of a nation state, and one early suspect is China, Bloomberg reports, citing two unnamed people with knowledge of the investigation.

But numerous information security experts have recommended treating such reports with skepticism. "And later today someone else will (a) blame Russia, (b) blame DPRK [North Korea] in retaliation for sanctions, or (c) Iran," says information security consultant and Europol cybersecurity advisor Brian Honan.

The government of China has denied having any involvement in the Anthem hack, with Chinese Foreign Ministry spokesman Hong Lei calling such accusations "groundless," and saying Beijing is a victim - not instigator - of online attacks, The Wall Street Journal reports.

Numerous attacks that are attributed to nation states may in fact be the work of independent mercenary groups, cybersecurity consultancy Taia Global says in a recently released report.

Stored Data Not Encrypted

One key factor in the breach that's been confirmed is that the affected database was not encrypted.

Government agencies and employers "require us to maintain a member's Social Security number in our systems so that their systems can uniquely identify their members," Anthem spokeswoman Kristin Binns told The Wall Street Journal, explaining why so much data was being stored. But she said that while personal data was encrypted in transit - when being moved in or out of a database - it was not encrypted when being stored.

Given the potential value of the stolen information, the revelation that Anthem was failing to encrypt sensitive data when it was being stored has been criticized by numerous information experts.

But encryption is no silver bullet against data breaches, security experts say. "Protecting large databases like Anthem's is a challenge," says Columbia University computer networking and security professor Steve Bellovin in a blog post. "In a case like the Anthem breach, the really sensitive databases are always in use. This means that they're effectively decrypted: the database management systems (DBMS) are operating on cleartext, which means that the decryption key is present in RAM somewhere." While access-control systems might prevent an attacker from grabbing that key, keeping such environments secure is not a trivial task.

"We need better software security, and we need better structural tools to isolate the really sensitive data from average, poorly protected machines," Bellovin says. "There may even be a role for encryption, but simply encrypting the Social Security numbers isn't going to do much."

One option, he says, is to store more data in the cloud, because it can be easier to secure there - and Anthem may already be thinking along these lines. On Feb. 4, Anthem posted a job listing for a Cloud Encryption Security Professional.

Breach Discovery Timeline

Anthem first detected unusual activity inside its network on Jan. 27 and verified the intrusion on Jan. 29, Bloomberg reports. The company has yet to disclose when the initial intrusion began, and security experts have said the organization may not yet know.

The FBI is investigating the breach, and Anthem has hired FireEye company Mandiant to assist. The bureau has also lauded Anthem for quickly informing it of the intrusion. "Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances," the FBI says in a statement provided to Bloomberg. "Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible."

Anthem CIO Thomas Miller told The Wall Street Journal that information on "tens of millions" of consumers may have been stolen from the breached database. He also said that the attack was first noticed when an administrator found that his database identifier code was being used to run database queries that he hadn't launched. He says the company's investigators found that the data had been exfiltrated to a popular online storage site, which he declined to name.

The breach comes at an awkward time for Anthem, which is trying to sign up new health insurance plan customers in advance of the Affordable Care Act's 2015 enrollment deadline of February 15.

FBI Alert: Deep Panda

The Anthem breach report follows a confidential FBI flash alert, issued last week, which warned of an increase in attacks that have stolen "sensitive business information and Personally Identifiable Information (PII) from U.S. commercial and government networks through cyber espionage," according to a copy of the alert, which was published by security journalist Brian Krebs.

"Analysis of malware samples indicate a significant amount of the computer network exploitation activities emanated from infrastructure located within China," the alert adds. "The tools used in the attack were referenced in open source reports on Deep Panda. This group has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks."

Deep Panda is the code name assigned by adversary-tracking firm CrowdStrike to a group of hackers - operating from China - which it refers to as "one of the most advanced Chinese nation-state cyber intrusion groups." The group is also known as KungFu Kittens, SportsFans, PinkPanther and "Shell_Crew," according to information security firm RSA.

While the timing of the FBI's reference to the group exploiting flaws in Flash may be coincidental, Adobe has patched no less than three zero-day vulnerabilities in Flash since the beginning of January, all of which were discovered being used in in-the-wild attacks. The most recent related update was released by Adobe on Feb. 4.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.