Anthem Breach Evidence Points to China, Security Researchers Say

Security researchers have traced the theft of customer data from health insurer Anthem's data systems to a professor at a Chinese university with links to a defense contractor.

Anthem Breach Source 2

A new open-source intelligence analysis of the breach of health insurer Anthem has reinforced theories that the data theft leads back to a Chinese espionage program, security firm ThreatConnect stated on Feb. 27.

In the report, which is based on public sources or "open-source" intelligence, security researchers at ThreatConnect and other companies found technical evidence that linked the malware reportedly used in the Anthem attack to a Chinese espionage group and a professor at Southeast University, which works with a government contractor, Beijing Topsec Technology Co.

A variety of evidence—including email addresses, domains registered for the command-and-control servers and the certificate used to sign the malware—led back to the trio of actors, Rich Barger, chief intelligence officer for ThreatConnect, told eWEEK.

"All of this evidence, from the technical aspect, pointed back to China in numerous ways despite the actors' best efforts to shroud their origins," Barger said. "They made an effort to hide, but they messed up."

The analysis is the latest attempt to gain insight into the massive breach of Anthem, the largest health care insurer of the 37 companies that make up the Blue Cross Blue Shield Association. In early February, the company, formerly known as Wellpoint, announced that attackers may have accessed personally identifiable information on more than 80 million patients, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information. The information of other Blue Cross Blue Shield members who were treated in the regions served by Anthem may have also been compromised.

Cyber-criminals typically attempt to sell such data, but so far, there is little evidence that the information has been sold, according to ThreatConnect's analysis.

The analysis linked espionage malware known as Derusbi, associated with Chinese espionage groups, and signed with the valid signature of DETOPTOOLZ, a Korean software firm.

The DTOPTOOLZ signature has been seen in conjunction with the Derusbi, Sakula, and HttpBrowser/HttpDump malware families. All of them are linked to Chinese advanced persistent threat (APT) groups, according to ThreatConnect's analysis. One case of the malware added to ThreatConnect's intelligence platform linked Sakula to command-and-control servers using the domains, where the "ll" was replaced with the number 11.

Other similar attacks linked the domain owner to an email address connected to an information security competition run by the Southeast University-Topsec Information Security and Mobile Internet Technology Joint Research Center. A U.S. Department of State memo, leaked by WikiLeaks in 2009, noted that Topsec had received significant investment from the People's Liberation Army.

In all, the evidence forms a clear picture of a Chinese attack designed to collect information on U.S. citizens, Barger said. The Blue Cross and Blue Shield Association serves one-in-three Americans and 5.3 million federal employees, retirees and their dependents, which could indicate a motive for the attack.

"Some people say that attribution is hard in cyber," he said. "But denial and deception [the act of deceiving defenders] in cyber is even harder."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...