The US thinks it knows who’s behind the vast breach that siphoned off 78.8 million customer and employee records from US health insurer Anthem between 2014 and 2015.
On Thursday, the Justice Department unsealed an indictment against two people who prosecutors say are part of a sophisticated hacking group, based in China, that was behind not just the Anthem attack, but also attacks against three other US businesses.
The DOJ didn’t name the other businesses but did say they were data-rich. One was a technology business, one was in basic materials, and the third was in communications: all businesses that have to store and use large amounts of data – some of it confidential business information – on their networks and in their data warehouses.
The suspects are 32-year-old Fujie Wang – following the Chinese convention of putting the surname first, that would be Wang Fujie; he also used the Western nickname “Dennis” – and a John Doe. Investigators haven’t yet figured out Doe’s real name, but the indictment said he goes by various online nicknames, including “Deniel Jack,” “Kim Young” and “Zhou Zhihong.”
The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.
The four-count indictment alleges that beginning in February 2014 and up until around January 2015, Wang, Doe and other members of the gang hacked into the targeted businesses using “sophisticated techniques” including spearphishing and malware.
They allegedly rigged tailored spearphishing emails with links to malware and sent the messages to employees at the targeted companies. When employees clicked on the links, their systems would get infected by malware that, among other things, planted a backdoor that gave the hackers remote access via their command and control server.
Once in, the suspects and their accomplices moved laterally across the infected network in order to escalate their network privileges and to thereby boost their ability to get at information and to tweak the network environment.
Tiptoe through the tulips
They were in no rush, the indictment says. Sometimes, they’d allegedly wait months to take the next step, all the time quietly maintaining their access to the infected network.
Once the time was right, the hackers would allegedly sniff around for valuable personally identifiable information (PII) and confidential business information. In the case of Anthem, that information included names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment. In other words, a veritable toolkit for identity theft.
Then, the suspects and other hackers allegedly exfiltrated the data using encrypted archives, shuffling it through multiple computers as it wended its way to its final destination: China. The indictment says they used Citrix ShareFile for data storage and transfer. Then, in an attempt to cover their tracks, they allegedly deleted the encrypted archives.
Wang is accused of having set up the servers, hosted in California and Arizona, that were used for the Anthem attack.
Biggest data breach settlement ever, most health records stolen
Mop-up was costly for Anthem: in 2017, the company agreed to pay $115 million to settle a class action lawsuit over the breach. It was the largest data breach settlement in history up until that date.
That’s only one of a few superlatives attached to the Anthem breach. Anthem was the largest health insurance company in the US at the time, and it lost the most medical records, dwarfing that year’s next-biggest medical data breaches: 11 million records breached at Premera and 10 million at Excellus.
In the DOJ’s press release about the indictments, Assistant Attorney General Brian Benczkowski was quoted as saying that the hacking group’s brazenness, and the damage it caused, were unprecedented:
The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history. These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII. The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.
That doesn’t mean the US will have any luck getting Wang or Doe extradited. China would have to go along with it, and the likelihood of that is remote.
We’re still falling for spearphishing
The same year that the Anthem breach was discovered – 2015 – a survey of Black Hat attendees found that spearphishing was the top thing keeping security experts awake at night.
The majority of those polled (57%) reported that sophisticated, targeted attacks were their greatest concern. Yet only 26% reported that targeted attacks were among the top three spending priorities at their organizations, while only 20% said that targeted attacks were among the top three tasks where they were spending the most time.
Has anything changed in the years since? Hard to say without replicating that survey, but a quick look at just the incidents we’ve covered since then shows that spearphishing has been involved in many big ones, including (to name just a few):
- the hack of the Democratic National Committee, which resulted in senior party members’ emails being distributed online,
- Russian election meddling that spanned all US states, and
- Amnesty International getting spearphished with powerful, malicious government spyware.
We’ve also seen companies drained of hundreds of millions of dollars through whaling: the most targeted spearphishing attack out there. Those attacks are targeted at the biggest fish, with carefully crafted emails sent to senior executives, managers, financial controllers or others who might hold the purse strings at large, lucrative organizations.
So yes, spearphishing is alive and well. It only takes one click to unleash a world of hurt, after all: it was only one employee, who clicked on one malicious link, in one malicious email, that let the hackers into Anthem.
How to stay off the hook
You can never have too many tips when it comes to keeping your fingers off those phishy links.
In the past, we’ve served up tips on how to check that you’re not giving away information that can be used against you in a spearphishing attack.
We’ve also provided advice on how to protect your boss from getting whaled.
Stay cyber aware!