U.S. health insurance giant Anthem confirmed last week that data on as many as 80 million customers at was stolen by hackers. The stolen information includes names, birth dates, social security numbers, street addresses, email addresses, and employment information, the company said. It is very likely that this attack has been going on for months, and there is strong evidence suggesting links to ongoing Chinese hacking campaigns.
The sophisticated attackers gained unauthorized access to one of Anthem’s IT systems (presumably using a stolen employee password) and have obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past, by the company.
Free Cyber Security Training! Join the revolution today!
This seems like a disturbing change in the familiar ways of Chinese cyber espionage. We’ve come to expect that Chinese spies will infiltrate the defense industry, auto makers, and government networks for the purposes of data exfiltration or cyber espionage.
But a health insurer seems like an unusual target for these state of the art hackers. Why would a military unit or state-backed hacker bother with such an unexciting target? Surely they are not after the money. (Although it is known that medical and personal records yield a far greater profit on the underground markets than credit card data, making them very lucrative target for financial hackers) There are several possible reasons for this.
Some say that this was simply an exercise of sorts to train novice Chinese cyber troops, and as such a rather “soft” target was selected. Another, more intriguing explanation is that they were looking for something or someone in particular – among those millions of customers must lay some high ranking officials (or their family members), and this information could be used for elaborate social engineering attacks which could succeed in the entrapment of a senior executive, providing access to very sensitive information. Then again, it could be that China simply hacks anything and everything American, and since they’ve pretty much breached and drained a number of existing major industries (defense, aerospace, automotive, academia, etc.), they are now moving to secondary targets, which provides them access not only to secret government information and lucrative technology but also to the homes and bank accounts of average Joes.
Whatever the rationale for this breach, it is frightening to think that corporates, who until now only dealt with cybercrime, must now somehow mitigate this new threat actor with seemingly endless resources and motivation.
But when the actual breach is analyzed, it shows a rather simple (yet proven) attack method, and to a certain degree, the end result might be blamed on the victim’s lack of preparedness and not on the superb skill set and tools of the attackers. From what is known, it appears that this breach, like so many before it, occurred using the stolen credentials of an employee – most likely with privilege access rights, like an administrator (some information indicates that credentials of 5 employees were utilized). Once they gained access to the network, the attackers took their time (some say the attacked started at December 2014, others say it started back in April) to locate the customer records which weren’t encrypted. They then managed to siphon at least some of these records outside the organization until the breach was detected. Utilizing privilege access rights, the attackers bypassed most security controls and succeeded in their mission.
While the full extent of the damage is not yet clear, (Anthem’s stock took a hit the day after the breach but recovered shortly thereafter, and the costs of recovery are not yet known.) it is certain that the company’s reputation and credibility will suffer. It is also likely that the company’s management will pay the price for this breach, as was the case with Target and Sony breaches.
To read about some of the lessons we glean from this breach, please view the original article on Cytegic’s blog here.
About Cytegic
Cy-te-gic /pronounced: sʌɪ-ˈtē-jik/ adjective: A plan of action or strategy designed to achieve a long-term and overall successful Cyber Security Posture Optimization – “That firm made a wise Cytegic decision”.
Cytegic develops a full suite of cyber management and decision-support products that enable to monitor, measure and manage organizational cyber-security resources.
Cytegic helps organization to identify threat trends, assess organizational readiness, and optimize resource allocation to mitigate risk for business assets.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.