Chinese State-Sponsored Hackers Suspected in Anthem Attack
by Michael A Riley and Jordan Robertson
11:42 AM PST
February 5, 2015
(Bloomberg) -- Investigators of Anthem Inc.’s data breach are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit, according to three people familiar with the probe.
The breach, which exposed Social Security numbers and other sensitive details of 80 million customers, is one of the biggest thefts of medical-related customer data in U.S. history.
The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group -- defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.
The Anthem theft follows breaches of companies including Target Corp., Home Depot Inc. and JPMorgan Chase & Co. that have touched the private data of hundreds of millions of Americans and increased pressure on the U.S. government to respond more forcefully. Though President Barack Obama promised action against North Korea after the destruction of property at Sony Pictures Entertainment, corporations and the government have struggled to come up with appropriate responses to attacks that fall into a gray area between espionage and crime.
Technical details of the attack include “fingerprints” of a nation-state, according to two people familiar with the investigation, who said China is the early suspect.
The Federal Bureau of Investigation is leading the investigation, according to Anthem, which has hired FireEye Inc., a Milpitas, California-based security company, to assist.
China has said in the past that it doesn’t conduct espionage through hacking. The Chinese embassy in Washington didn’t immediately respond to a request for comment.
Hackers could use stolen information -- which Anthem said in its case included birthdates and e-mail addresses -- to conduct “phishing” attacks on customers who unwittingly provide access to their companies’ networks. Government officials have been investigating whether foreign interests are using personal, financial or medical information as leverage to gain intelligence from people who want their information to stay private, according to the U.S. official.
Michael Daniel, President Obama’s chief adviser on cybersecurity, is an Anthem customer who would be resetting his password, he said in a Bloomberg Web seminar early Thursday.
Among those insured by Anthem have been employees of Northrop Grumman Corporation, according to the insurer’s website, while the company has processed claims for workers at The Boeing Company in Missouri. Boeing has about 15,000 workers in Missouri, where the company’s defense unit is based. Those and other defense contractors could be of interest to foreign intelligence organizations.
Anthem spokeswoman Kristin Binns declined to comment.
John Dern, a spokesman for Boeing, and Mark Root, a spokesman for Northrop Grumman, didn’t immediately comment. Jenny Shearer, a spokeswoman for the FBI, declined to comment.
In the past year, Chinese-sponsored hackers have taken prescription drug and health records and other information that could be used to create profiles of possible spy targets, according to Adam Meyers, vice president of intelligence at Crowdstrike, an Irvine, Califorinia-based cybersecurity firm. He declined to name any of the companies affected.
“This goes well beyond trying to access health-care records,” Meyers said. “If you have a rich database of proclivities, health concerns and other personal information, it looks, from a Chinese intelligence perspective, as a way to augment human collection.”
That doesn’t mean that personal information wouldn’t make its way to criminals, he cautioned, pointing to the possibility of moonlighting by hackers who work by day for China.
A different major U.S. health insurer was breached recently by Chinese hackers, according to a person involved in that investigation, who asked not to be identified because the matter is confidential. In that case, investigators concluded that the goal of the hack was to obtain information on the employees of a defense contractor that makes advanced avionics and other weaponry, said the person, who declined to identify the insurer.
The hackers first hijacked a translation website that the insurer’s customer representatives used when dealing with foreign clients, using it to implant malware on the company’s computers, the person said.
“A lot of these healthcare companies have a lot of very trusted relationships at the network level and the corporate level to some very hard targets on the federal side and the commercial side,” said Orion Hindawi, co-founder and chief technology officer for Tanium Inc., a Berkeley, California-based security firm that is used by banks, healthcare and other companies.
“The healthcare environment is in an unfortunate position: It didn’t expect to be a high, heavy target five years ago, so they didn’t prepare,” Hindawi said. “They didn’t expect to have advanced threats from nation-state actors targeting them.”
At Anthem, officials detected the theft of the trove of customer information as it was being sent from its computers on Jan. 29, according to one of the people.
Meyers said the breach fits the pattern of a hacking unit that Crowdstrike calls Deep Panda, which over the last several months has targeted both defense contractors and the health care industry. China appears to be putting together huge databases of individuals who might be intelligence targets, he said. Another example was the theft last year from a government agency of data on tens of thousands of employees who had applied for top-secret clearances, he said.
The Anthem investigation is young, several people involved cautioned, saying the final determination of the hackers’ identity could ultimately change. The estimated number of customers whose data was stolen could also turn out to be lower, one of the people said.
U.S. intelligence officials have been increasingly concerned that repeated attacks on medical and pharmaceutical firms are at least in part efforts to obtain personal information for espionage purposes.
Two officials, who spoke on condition of anonymity to discuss classified efforts to pursue the attackers, said a number of the attacks came from the People’s Liberation Army’s Unit 61398. Five members of that Shanghai-based hacking unit were indicted by federal prosecutors last year.
A different and more sophisticated group attacked Anthem, based on initial indications, two people familiar with the investigation said.
Like many other Chinese hacking campaigns, the attacks appear to serve multiple purposes -- one commercial and the other related to national security -- said one of the U.S. officials. The attacks, this official and a former intelligence officer said, can test a firm’s ability to protect intellectual property and financial information, while simultaneously stealing prescription records, medical treatment histories and other personal information that could be used to blackmail individuals to reveal national security and trade secrets.
The attacks apply new technology to some of the oldest espionage trade craft in the world, the former official added.
To contact the reporters on this story: Michael Riley in Washington at firstname.lastname@example.org; Jordan Robertson in Washington at email@example.com
To contact the editors responsible for this story: Sara Forden at firstname.lastname@example.org; Jeffrey D Grocott at email@example.com; Pui-Wing Tam at firstname.lastname@example.org Jeffrey D Grocott