February 6, 2015

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.

According to this story from Bloomberg’s Michael Riley and Jordan Robertson, “the attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.”

While the story is light on details, it adds a bit more context to an FBI “flash alert” that KrebsOnSecurity obtained independently last week. The alert said “the FBI has received information regarding a group of cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”


The alert notes that analysis of malware samples used in the attack indicates a significant amount of the computer network exploitation activity emanated from infrastructure located within China. The FBI said the tools used in the attack were referenced in open source reports on Deep Panda, a claim that also shows up in the Bloomberg piece. That story references data about Deep Panda from cybersecurity firm CrowdStrike, which specializes in attributing nation state-level attacks.

According to the FBI, Deep Panda has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. While it may be unrelated, it’s worth noting that in the past two weeks alone, Adobe has shipped no fewer than three unscheduled, emergency updates to address Flash Player vulnerabilities that were being exploited in active attacks at the time Adobe released patches.

The FBI’s flash advisory continues:

“Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by this group. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.”


In its own writeup on Deep Panda from mid-2014, CrowdStrike notes that “for almost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business verticals including: government, defense, financial, legal, and the telecommunications industries. At the think tanks, [we have] detected targeting of senior individuals involved in geopolitical policy issues, in particular in the China/Asia Pacific region. DEEP PANDA presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies.”

Leaving aside the question of whether state-sponsored Chinese hackers were in fact behind the Anthem breach, there are still many unanswered questions about this incident, such as when did Anthem find out about it? How long did the breach last? How did the attackers break in? What can other businesses learn from this incident to protect themselves?

Steve Ragan, a journalist who writes the Salted Hash blog for CSO Online, references a document he received from a trusted source that was reportedly sent as a memo from Anthem to its clients. That memo notes that the unauthorized activity seems to date back to at least December 10, 2014. That activity apparently continued undetected until January 27, 2015, meaning the attackers had access to Anthem’s customer database for more than a month before they were discovered.

A memo sent from Anthem to its associates. Credit: Salted Hash.

The memo explains:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

The notice from Anthem to its clients concludes that “the attacker had proficient understanding of the data platforms and successfully utilized valid database administrator logon information.”
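The detection described in Anthem’s memo, a query running under a DBA’s valid logon that the DBA himself did not start, is the kind of thing database audit logs can flag automatically. The Python below is an added example, not Anthem’s or the FBI’s code; the account names, host names and the audit-log format are constructed.

```python
"""Flag database sessions that use valid DBA credentials from an unexpected
place. Constructed example; account names, hosts and log format are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the workstation each DBA account normally connects from.
KNOWN_HOSTS = {
    "dba_jsmith": {"ws-jsmith.corp.example"},
    "dba_rlee": {"ws-rlee.corp.example"},
}

# Constructed audit log lines: timestamp|account|source_host|statement
SAMPLE_LOG = """\
2015-01-27T09:02:11|dba_jsmith|ws-jsmith.corp.example|SELECT count(*) FROM members
2015-01-27T09:05:40|dba_jsmith|app-srv-17.corp.example|SELECT * FROM members WHERE ssn IS NOT NULL
2015-01-27T09:06:02|dba_rlee|ws-rlee.corp.example|UPDATE claims SET status='paid' WHERE id=4411
2015-01-27T09:07:19|dba_rlee|app-srv-17.corp.example|SELECT ssn, dob, address FROM members
"""


def parse_log(text):
    """Turn the pipe-delimited audit lines into (datetime, account, host, stmt)."""
    rows = []
    for line in text.splitlines():
        ts, account, host, stmt = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), account, host, stmt))
    return rows


def find_credential_misuse(rows, window=timedelta(minutes=30)):
    """Return (timestamp, account, host, reason) tuples for suspicious activity.

    Two checks: a privileged account connecting from a host outside its
    baseline, and the same account active from two different hosts within
    `window` (the account holder cannot be in two places at once).
    """
    alerts = []
    recent = defaultdict(list)  # account -> [(timestamp, host)] seen so far
    for ts, account, host, stmt in sorted(rows):
        if account in KNOWN_HOSTS and host not in KNOWN_HOSTS[account]:
            alerts.append((ts, account, host, "unexpected source host"))
        for prev_ts, prev_host in recent[account]:
            if prev_host != host and ts - prev_ts <= window:
                alerts.append((ts, account, host, f"concurrent session with {prev_host}"))
                break
        recent[account].append((ts, host))
    return alerts
```

Run against the constructed log, both DBA accounts are flagged twice: once for the unfamiliar source host and once for being active from two hosts within minutes of each other.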

As for how the attackers broke in, perhaps the FBI’s Flash warning on Deep Panda (PDF) holds some clues.

Incidentally, infosec professionals take note: Anthem is hiring. On Feb. 4, the same day that Anthem disclosed a breach at its “database warehouse” may have affected as many as 80 million consumers, it also posted a help wanted ad for a “Cloud Encryption Security Professional.”

79 thoughts on “China To Blame in Anthem Hack?”

  1. Steve

    How can an individual find out if his/her S.S. number was in this (or any) particular high-profile hack? Besides finding out AFTER the number was used to cause trouble. Is there any way to check?

    1. Bob Dernier

      It doesn’t matter. ALL of our SSNs and DOBs are for sale (along with address etc) already on a ton of different sites for pennies. Brian has written extensively on this subject yet people seem to care more about credit card #s than really important stuff like their PII. #whistlingpastthegraveyard

  2. marmalade

    Anthem has never cared about computer security. Around five years ago, it used a non-secure server to store the data for applicants. If that applicant became a customer, the data on the non-secure server was deleted, but if that applicant never became a customer, for whatever reason, the data sat there forever. And then that non-secure server was breached. The only thing that will resolve the situation is perp-walks of CEOs and CIOs who refuse to secure their systems. Insignificant fines and credit monitoring service subscriptions are clearly not sufficient.

    1. Nick

      “a non-secure server”
      What does that even mean?

      “Secure” isn’t a binary state.

      1. Stu

        To be fair, it sort of is a binary state. You either have secure – no ethernet / in a room with no physical entry / self contained power generation and cooling – or you have non-secure – everything that exists today.

        Just because “secure” is unreasonably inconvenient for any practical use, doesn’t mean that the value of ‘secure’ isn’t boolean.

      2. John

        As previously mentioned, not the first time for Anthem. The other lack-of-security was 2010 and resulted in a $1.7 million fine. Apparently not enough punishment to encourage Anthem to fulfill its contractual agreement with customers. I agree, big dogs should go to jail for errors that harm large numbers of customers. Otherwise it’s just another tiny digit in risk/profit analysis.

        1. patti

          I cannot decide if this is a failure of capitalism or just a ‘thermodynamic’ thing… (large, complex objects are prone to failure and difficult to manage)

        2. marmalade

          And all of that money went to attorneys and the credit monitoring service. No money was allocated for credit freeze fees or other defensive measures.

      3. marmalade

        A non-secure server only has “http” in the URL.

        1. marmalade

          I clicked on submit too soon.

          Also, the server was outside the corporate firewall and retained data in unencrypted files.

  3. Bob

    Russia’s been attacking American financial systems for fun and profit through their underground mafia organizations as a method of dissuading American bankers from involving themselves in Russian affairs. Remember, when cash gets stolen, that weakens the banks as they have to find a way to pay for it; that hits their bottom line, and is the reason you see the interest rates on CD and money market accounts at all-time lows.

    Government is at the point it can’t print any more capital without pushing the lower 25% into starvation, and you do not want to do that in a country as armed as this.

    China has taken notice, and they are finding sideband attacks against Americans are effective in compromising systems.

    The FBI lost all its credibility after it claimed North Korea was behind the Sony hack, when it was found out it was an employee-related attack. Oops. Of course, North Korea will play along on that one.

    What a fucking nightmare.

    1. patti

      Ah, yes, I see. This makes pretty good sense and there is historic precedence for it. The US did this in the pre-Internet era, using different means, to maintain petrodollar superiority.

  4. Tommie

    I got an email at work on 2/6 saying employees between 1/2009 and 12/2011, when we had Anthem, are affected. Anthem will send a written communication to affected people and offer identity repair and credit monitoring.

    Data accessed is income, names, Anthem ID number, birth dates, addresses, phone numbers, social security numbers, email addresses. Basically everything they have on employees and their dependents.

    They warn fraudulent emails have been circulating to us, using stolen info in attempts to install phishing software.

    1. marmalade

      A timeframe of 1/2009 and 12/2011 implies that this breach occurred around the same time as their previous one.

      1. Tommie

        No, it means that Anthem still retained my data after my employer was no longer a client. The hack was recent as a DBA reported.

  5. patti

    How do we differentiate between the “cyber mafia” style organizations in china and russia, and “state sponsored” work?

  6. IR

    The bad thing is the “deep panda” bucket is awesomely bad. It’s almost the “I’m not sure where to put this so… deep panda all the things.”

  7. CooloutAC

    I get people constantly calling me up, claiming to be from some “summons division” or something else. They have my social and say there are fraudulent charges filed against me and I should talk to a legal department before I get served a subpoena.

    It’s all BS, they keep calling even when we threaten them. Even did the same thing to my father who lives with me.

    What’s really sad is that there is nothing anybody can do about them, and how untouchable they must feel. Robbing old ladies easily, I bet. The call traces back to Kansas, but they sound like they are from my area.
