Fact and Fiction About Anthem’s Breach
By John Gomez
Anthem’s breach has quickly created a surge of inquiries across the wire, leaving many CIOs wondering how they can keep ahead of the cyber-security challenges that continue to evolve. I suspect no one is surprised to learn about the existence and extent of the attack on Anthem. More than likely, many in our industry continue to wait for the “big one.” That in and of itself is a rather scary state of affairs. Most of us are not surprised, and we don’t collectively believe this is as bad as it will get.
The Anthem breach is an ongoing criminal investigation led by the FBI with the assistance of FireEye and Mandiant, so nobody knows all of the details. As was the case with the Sony Pictures breach, sources will make statements without the evidence that only the FBI possesses. Here’s what we know today.
Anthem reported the breach publicly within eight days of discovery. Approximately 80 million customer and employee records may have been stolen, but the common thinking is that the actual number may be higher and that there is a high probability that other critical data was also compromised by the attackers.
The customer and employee data stolen was complete — name, home address, email address, date of birth, medical history, employer information, family relationships, and much more. That valuable information allows attacks to continue against the individuals whose information was compromised.
The concern with Anthem is that this is a move by a foreign state to amass profiles on individuals and use that information in future operations. That’s one theory, but equally likely is that the breach was profit driven since complete records are worth well over $100 on black markets.
Attribution — figuring out who did it — is one of the most difficult things to do in the world of cyber-forensics. Companies specialize in attribution, but their success rate is low, often less than 50 percent. The amount of computing power, resources, and advanced algorithms required to perform attribution at a higher level of success is mind-boggling. While a theory exists as to who carried out the Anthem attack, it could be proved wrong as the evidence unfolds.
Current intelligence points to one of two groups with ties to China — Deep Panda and Axiom. Both groups have previously carried out verified attacks that had sophisticated intelligence-gathering objectives.
Deep Panda has developed a five-year strategic attack plan that includes objectives specifically focused on healthcare targets. Axiom has a specific and focused attack plan that includes government agencies, electronics and integrated circuit manufacturers, Internet-based services companies, software vendors, journalism and media organizations, NGOs, healthcare providers, biomedical device manufacturers, pharmaceutical companies, and academic institutions.
It appears that Anthem may have been compromised by parallel attacks. The first focused on employees with phishing attacks that allowed the attackers to deploy malware via their corporate email accounts. The second attack appears to have been via DNS compromises used to deposit malware.
Credible cyber-security operators rarely call an attack “sophisticated” or “advanced” unless they are trying to make headlines. Anthem’s attackers had a plan, were extremely patient, and were focused on their victim. Their attack was sophisticated and advanced, but due to tactics and practices, not because they used a new generation of attack technology. Anthem was most likely beaten by off-the-shelf technology and practices, the same techniques that attackers would use in penetrating any healthcare organization.
The preliminary investigation suggests that Anthem’s attackers used malware known as Poison Ivy or HiKit or some combination or derivative of those tools. Both malware applications are attributed to Chinese developers. Steps can be taken to determine whether an organization has been compromised by those tools, and if found, a cyber incident response team should be contacted immediately.
Anthem was tested for exploits by attackers over months or even years. Its employees fell for a phishing attack that compromised their machines. In parallel, perimeter systems were also compromised. Malware allowed the attackers to monitor network traffic, take over webcams, and capture confidential data over a long period. Some believe that Anthem was an attack pivot from which its clients or vendors could be compromised.
I suspect that we will learn that Anthem also had weak passwords (fewer than 15 characters), didn’t use dual-factor authentication, relied on third parties for DNS, and very possibly had its supply chain compromised.
Company executives can miss a few quarterly financial goals, run late on a few initiatives, and even run over budget a couple of times. But if they have a major breach, their career is over. Target’s CEO resigned after its breach and just last week the top film executive at Sony Pictures stepped down. I suspect we will see something similar at Anthem.
There is a saying in special operations: don’t be that guy. Don’t be the person who takes the easy road or embraces mediocrity. Get mad and assertive about cyber-security. Rethink vulnerabilities, test systems, learn what you don’t know, share information with the community, and become vocal. We have a choice — we can either wait to be attacked or we can decide that enough is enough.
John Gomez is CEO of Sensato of Asbury Park, NJ. Intelligence Analyst Laura Walker contributed to this article.
John will host a free, HIStalk-sponsored Q&A webinar on the Anthem breach on Friday, February 13 at 2:00 p.m. Eastern.