Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

Anthem Cyberattack Indictment Provides Defense Lessons

Security Experts Say Prosecution's Document Offers Critical Cybersecurity Insights
Anthem Cyberattack Indictment Provides Defense Lessons

The indictment of two Chinese men for a 2014 cyberattack on health insurer Anthem that compromised information on nearly 80 million individuals contains extensive details about the incident that security professionals can use to help with their breach prevention strategies.

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

"With regard to prevention, the DOJ anti-hacking unit, which is known as Computer Crimes and Intellectual Property Section, spent a lot of time thinking about the types of details to share in this indictment," says attorney Christopher Ott of the law firm Davis Wright Tremaine, who is a former Department of Justice litigator.

"The document is seeded with [attackers'] techniques and methods that cybersecurity professionals should read" and then use when crafting defenses, Ott says. "The indictment recites with great detail how the data exfiltration occurred via Citrix Sharefile. This detail was intentionally included to - metaphorically - burn the hackers' infrastructure to the ground," Ott contends.

Attack Details

Prosecutors allege that Fujie Wang, 32, of Shenzhen, China, and a colleague listed by several nicknames - including Deniel Jack, Kim Young and Zhou Zhihong - targeted Anthem as well as three other unnamed U.S. businesses that use and store huge amounts of data.

The alleged hackers are charged with conspiracy to commit fraud, conspiracy to commit wire fraud and two counts of intentional damage to a protected computer.

The indictment provides details into how Anthem and the other companies fell victim, alleging that the criminal activity started around February 2014. Employees of the four U.S. companies, including Anthem, were sent phishing emails with malicious hyperlinks leading to malware. If executed, a backdoor was installed. The attackers then sought to move laterally across the victims' networks, escalating privileges and making network changes, according to the indictment.

"Defendants sometimes patiently waited months before taking further action, quietly maintaining access to the victim's network," the indictment says.

Then, they searched for personally identifiable and confidential information. With Anthem, they discovered its enterprise data warehouse that contained the data on 78.8 million individuals.

The two defendants ran queries on the data and then placed it in encrypted archive files, the indictment alleges. The attackers created a free trial account with Citrix's ShareFile data storage and transferred the data to other servers in the U.S., prosecutors say.

From the U.S., the data was then transferred to China, DOJ alleges. Eventually, they deleted the archives and ShareFile application. Anthem discovered the activity on Jan. 31, 2015, and the attackers lost access, the indictment says.

Being Prepared

Privacy attorney Iliana Peters of the law firm Polsinelli says the most important lesson in the Anthem case is that healthcare entities must be prepared for nation-state cyberattacks - even though the indictment in the Anthem case doesn't specifically spell out the widely presumed connection to the Chinese government.

"Clearly, this type of attack is a known threat after attacks like WannaCry, as well as other nation state attacks like the one on Anthem," she says.

"Healthcare entities and their vendors ... must not only understand where their data lives, but also must understand and mitigate these threats to it. Such mitigation should include threat detection and response, such that they can protect against, detect and thwart these types of nation-state attackers."

Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C. offers a similar perspective. "The message never changes. Keep abreast of disclosures of changing attack modalities. Read industry bulletins and revise risk metrics accordingly. Make informed decisions whether - or not - to develop, implement review and revise both cybersecurity policies and processes to reflect changing circumstances," he says.

"The fact that massive amounts of data were taken, and none has surfaced, coupled with the fact that the attack and exfiltration went on for months, indicates it was well-planned, premeditated and that the data may have been or is being used for purposes we have not yet discerned."
—David Finn, CynergisTek

Former healthcare CIO David Finn, executive vice president of security consultancy CynergisTek, says some of the lessons coming from the Anthem attack aren't necessarily new, but rather critical reminders.

"It is training and awareness for employees around phishing. It is continuous monitoring of the network and activity on the network that doesn't match 'normal' patterns or is anomalous in any way," he says.

"Let's face it, 78.8 million records is a lot of data to move off the network - even a few at a time," he adds. "It is about managing privileges and using multifactor authentication for privileged accounts coming into or even on the network."

Additionally, Finn questions the practice by Anthem of keeping so much sensitive data about so many individuals in its data warehouse.

"The other thing that received some speculation at the time that we haven't seen talked about much is the fact that this was nearly 80 million customers and yet the active customer base of Anthem at the time was significantly smaller than that," he says. "So, maybe archiving records that are no longer active would've been a good idea, too."

Hindering the Hackers

The indictment will greatly impact the alleged attackers' ability to launch more attacks, Ott predicts. The alleged attacker "will have real difficulty leasing and deploying his hacking infrastructure worldwide with this hanging over him," Ott says.

"Also, although he [Wang] may never be extradited, the Chinese authorities will now spend a significant amount of energy monitoring his activities," he says. "If his crimes touched mainland China, he can expect swift law enforcement action by the Chinese authorities," Ott contends.

The most significant thing about the indictment, "is recognition by the federal government that these attacks were based in China and perpetrated by Chinese nationals and now confirmed by U.S. investigators," Finn says.

The indictment stops short of saying these individuals were working with or for China's government, Finn notes. "It is also important to note that following quickly on the heels of the Anthem breach, other intrusions against the U.S. government and private entities in the U.S. were noted using similar tools and citing the same groups," he says.

"The fact that massive amounts of data were taken, and none has surfaced, coupled with the fact that the attack and exfiltration went on for months, indicates it was well-planned, premeditated and that the data may have been or is being used for purposes we have not yet discerned," Finn says.

Rich Curtiss, principal of healthcare risk assurance services at the consultancy Coalfire, notes: "The Chinese government has a long-standing cyber espionage and cyberattack program targeting U.S. commercial and governmental interests."

He adds: "Little happens in the People's Republic of China without the government either knowing about it or being complicit. The message likely being sent by the Department of Justice is: 'We know you did it, and we know who did it.' The rationale is likely to provide evidence to the Chinese government that the U.S. government is equally capable in the cyber arena, especially as it relates to forensics analysis."

Advancing Cyberbattle

Because the Anthem hackers aren't likely to be extradited to the U.S., the legal action needs to be followed through with other action, Teppler, the attorney, argues.

The indictment "makes a statement that the United States government takes these hacking activities as serious crimes," he says. "It may, however, be viewed as toothless, given the inability to reach the defendants and bring them to trial. What could give this statement teeth is a visible, active political response," he says. "Of course, we may also be currently and actively engaged in an ongoing cyberbattle with China and other adversary countries."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.