Chinese State-Sponsored Hackers Suspected in Anthem Attack
by Michael A Riley and Jordan Robertson
11:42 AM PST
February 5, 2015
(Bloomberg) -- Investigators of Anthem Inc.’s data breach are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit, according to three people familiar with the probe.
The breach, which exposed Social Security numbers and other sensitive details of 80 million customers, is one of the biggest thefts of medical-related customer data in U.S. history.
The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group -- defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.
The Anthem theft follows breaches of companies including Target Corp., Home Depot Inc. and JPMorgan Chase & Co. that have touched the private data of hundreds of millions of Americans and increased pressure on the U.S. government to respond more forcefully. Though President Barack Obama promised action against North Korea after the destruction of property at Sony Pictures Entertainment, corporations and the government have struggled to come up with appropriate responses to attacks that fall into a gray area between espionage and crime.
‘Phishing’ Attacks
Technical details of the attack include “fingerprints” of a nation-state, according to two people familiar with the investigation, who said China is the early suspect.
The Federal Bureau of Investigation is leading the investigation, according to Anthem, which has hired FireEye Inc., a Milpitas, California-based security company, to assist.
China has said in the past that it doesn’t conduct espionage through hacking. The Chinese embassy in Washington didn’t immediately respond to a request for comment.
Hackers could use stolen information -- which Anthem said in its case included birthdates and e-mail addresses -- to conduct “phishing” attacks on customers who unwittingly provide access to their companies’ networks. Government officials have been investigating whether foreign interests are using personal, financial or medical information as leverage to gain intelligence from people who want their information to stay private, according to the U.S. official.
Adviser Hacked
Michael Daniel, President Obama’s chief adviser on cybersecurity, is an Anthem customer who would be resetting his password, he said in a Bloomberg Web seminar early Thursday.
Among those insured by Anthem have been employees of Northrop Grumman Corporation, according to the insurer’s website, while the company has processed claims for workers at The Boeing Company in Missouri. Boeing has about 15,000 workers in Missouri, where the company’s defense unit is based. Those and other defense contractors could be of interest to foreign intelligence organizations.
Anthem spokeswoman Kristin Binns declined to comment.
John Dern, a spokesman for Boeing, and Mark Root, a spokesman for Northrop Grumman, didn’t immediately comment. Jenny Shearer, a spokeswoman for the FBI, declined to comment.
Building Profiles
In the past year, Chinese-sponsored hackers have taken prescription drug and health records and other information that could be used to create profiles of possible spy targets, according to Adam Meyers, vice president of intelligence at Crowdstrike, an Irvine, California-based cybersecurity firm. He declined to name any of the companies affected.
“This goes well beyond trying to access health-care records,” Meyers said. “If you have a rich database of proclivities, health concerns and other personal information, it looks, from a Chinese intelligence perspective, as a way to augment human collection.”
That doesn’t mean that personal information wouldn’t make its way to criminals, he cautioned, pointing to the possibility of moonlighting by hackers who work by day for China.
A different major U.S. health insurer was breached recently by Chinese hackers, according to a person involved in that investigation, who asked not to be identified because the matter is confidential. In that case, investigators concluded that the goal of the hack was to obtain information on the employees of a defense contractor that makes advanced avionics and other weaponry, said the person, who declined to identify the insurer.
The hackers first hijacked a translation website that the insurer’s customer representatives used when dealing with foreign clients, using it to implant malware on the company’s computers, the person said.
Hard Targets
“A lot of these healthcare companies have a lot of very trusted relationships at the network level and the corporate level to some very hard targets on the federal side and the commercial side,” said Orion Hindawi, co-founder and chief technology officer for Tanium Inc., a Berkeley, California-based security firm that is used by banks, healthcare and other companies.
“The healthcare environment is in an unfortunate position: It didn’t expect to be a high, heavy target five years ago, so they didn’t prepare,” Hindawi said. “They didn’t expect to have advanced threats from nation-state actors targeting them.”
Deep Panda
At Anthem, officials detected the theft of the trove of customer information as it was being sent from its computers on Jan. 29, according to one of the people.
Meyers said the breach fits the pattern of a hacking unit that Crowdstrike calls Deep Panda, which over the last several months has targeted both defense contractors and the health care industry. China appears to be putting together huge databases of individuals who might be intelligence targets, he said. Another example was the theft last year from a government agency of data on tens of thousands of employees who had applied for top-secret clearances, he said.
The Anthem investigation is young, several people involved cautioned, saying the final determination of the hackers’ identity could ultimately change. The estimated number of customers whose data was stolen could also turn out to be lower, one of the people said.
U.S. intelligence officials have been increasingly concerned that repeated attacks on medical and pharmaceutical firms are at least in part efforts to obtain personal information for espionage purposes.
Two officials, who spoke on condition of anonymity to discuss classified efforts to pursue the attackers, said a number of the attacks came from the People’s Liberation Army’s Unit 61398. Five members of that Shanghai-based hacking unit were indicted by federal prosecutors last year.
Dual-Purpose Hack
A different and more sophisticated group attacked Anthem, based on initial indications, two people familiar with the investigation said.
Like many other Chinese hacking campaigns, the attacks appear to serve multiple purposes -- one commercial and the other related to national security -- said one of the U.S. officials. The attacks, this official and a former intelligence officer said, can test a firm’s ability to protect intellectual property and financial information, while simultaneously stealing prescription records, medical treatment histories and other personal information that could be used to blackmail individuals to reveal national security and trade secrets.
The attacks apply new technology to some of the oldest espionage trade craft in the world, the former official added.
To contact the reporters on this story: Michael Riley in Washington at michaelriley@bloomberg.net; Jordan Robertson in Washington at jrobertson40@bloomberg.net
To contact the editors responsible for this story: Sara Forden at sforden@bloomberg.net; Jeffrey D Grocott at jgrocott2@bloomberg.net; Pui-Wing Tam at ptam13@bloomberg.net