Analysis Pushes Anthem Timeline Back, Links Breach to Chinese APT Group
The breach at Anthem may have begun in April, 2014 and may be the work of a Chinese hacking crew. The question for healthcare companies: how to respond.
The story behind the breach at Anthem got deeper and darker this week, with evidence that Anthem was the victim of a targeted attack by foreign adversaries.
Reporting on Krebsonsecurity.com, Brian Krebs notes that security researchers, working with open source information, have traced the beginning of that incident back to April, 2014 – more than eight months prior to the disclosure of the breach by Anthem. Characteristics of the attack link it to a known hacking crew dubbed “Deep Panda” or “Shell_Crew.”
Among other things: Krebs cites the use of the fraudulent domain we11point[dot]com to mimic the legitimate domain of Anthem’s predecessor firm, Wellpoint Inc. He also cites a report by the firm ThreatConnect that at least one piece of malware used by the group was intended to mimic the Citrix VPN (virtual private network) software used by Wellpoint and many other firms.
With that, the features of the Anthem attack start to come into view: phishing domains disguised to look like legitimate Wellpoint infrastructure and poisoned VPN software that provided the ability to harvest legitimate user credentials.
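As an added example (not code from the article, Anthem, or any of the firms it names), the following Python flags lookalike domains such as we11point[dot]com in proxy or DNS log lines by collapsing common character substitutions before comparing against the organization's legitimate domains; the log lines and the domain list are constructed for illustration.

```python
"""Flag lookalike (homoglyph) domains in log lines against known-good domains.

Added example, not from the article. Assumes the lookalike swaps visually
similar characters (digit 1 for letter l, 0 for o, ...) as in we11point.com.
"""
import re

# Substitutions commonly used to build lookalike domains -> canonical letter.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Hostnames at line start, after whitespace, or after a URL scheme (avoids paths/filenames).
HOST_RE = re.compile(r"(?:^|\s|://)((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample log lines; the second and third use the defanged and plain
# forms of the lookalike domain named in the article.
LOG_LINES = [
    "2014-04-12T09:14:02Z proxy GET https://vpn.wellpoint.com/citrix/ user=jdoe",
    "2014-04-12T09:20:45Z proxy GET https://we11point[dot]com/vpn/CitrixReceiver.exe user=jdoe",
    "2014-04-13T11:02:10Z dns query we11point.com type=A",
    "2014-04-13T11:05:33Z proxy GET https://mail.example.org/ user=asmith",
]
LEGIT_DOMAINS = ["wellpoint.com"]  # constructed allow-list


def normalize(label):
    """Collapse homoglyphs so 'we11point' and 'wellpoint' compare equal."""
    label = label.lower()
    for glyph, canonical in HOMOGLYPHS.items():
        label = label.replace(glyph, canonical)
    return label


def registrable(host):
    """Naive registrable domain (last two labels); ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host, legit):
    """True if host is NOT the legit domain (or a real subdomain of it) but its
    second-level label normalizes to the legit one. The TLD is deliberately
    ignored so wellpoint.net-style variants are also caught."""
    target, ref = registrable(host), registrable(legit)
    if target == ref:
        return False
    return normalize(target.split(".")[0]) == normalize(ref.split(".")[0])


def find_lookalikes(lines, legit_domains):
    """Return (host, legit) pairs for every lookalike hostname found in lines."""
    hits = []
    for line in lines:
        line = line.replace("[dot]", ".").replace("[.]", ".")  # refang defanged domains
        for host in HOST_RE.findall(line):
            hits.extend((host.lower(), legit) for legit in legit_domains
                        if is_lookalike(host, legit))
    return hits


if __name__ == "__main__":
    for host, legit in find_lookalikes(LOG_LINES, LEGIT_DOMAINS):
        print(f"lookalike of {legit}: {host}")
```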
The target of the attack was, of course, patient data. Anthem has admitted that data on some 80 million customers may have been exposed in the incident. So far, the company has maintained no clinical or financial data was taken.
The impact is already being felt, however. Anthem is warning customers of phone and e-mail scams following the breach. And security experts warn that identity theft is one of the leading threats to Anthem patients in the coming months.
The question for Anthem and other healthcare providers, however, is how to respond.
How should healthcare organizations respond? That’s the topic of an online conversation that I’ll be having with experts from Duo Security on Wednesday, February 11th at 2:00 PM. We’ll be talking about the details of the Anthem breach and the lessons it holds for other organizations. What makes healthcare organizations vulnerable to attacks? How do APT-style hacks differ from other online threats? What methods of exploitation are used by hackers? And how can technologies like multi-factor authentication protect healthcare networks without disrupting the important work that clinicians and support staff do every day?
I hope you can join us! Sign up here.
Paul Roberts, editor in chief
The Security Ledger
Twitter: @paulfroberts | @securityledger