Premera, Anthem data breaches linked by similar hacking tactics

Security analysts last year saw a fake domain spoofing Premera's name

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches.

Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday.

It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases.

Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem's breach.

But what is known is that the Anthem attackers created a bogus domain name, "we11point.com," (based on WellPoint, the former name of Anthem) that may have been used in phishing-related attacks. Companies try to detect such confusing domain names -- a practice known as typosquatting -- but are not always successful.

One of Deep Panda's attack methods is to create fake websites that imitate corporate services for companies. In Anthem's case, the attackers set up several subdomains based on "we11point.com," which were designed to mimic real services such as human resources, a VPN and a Citrix server.

By targeting Anthem employees with phishing emails and luring them to the fake sites, it may have been possible for the attackers to collect the logins and passwords and eventually access the insurer's real systems.

ThreatConnect, an Arlington, Virginia-based security company, found that Premera appears to have been targeted by the same style of attack.

On Feb. 27, ThreatConnect wrote a blog post describing its research into the Anthem attacks. In the course of that work, ThreatConnect found a suspicious domain name -- "prennera.com."

On Dec. 11, 2013, that domain name resolved to the same IP address as a malware sample seen by ThreatConnect. Even more interesting is that the malware sample was digitally signed with a certificate from DTOPTOOLZ Co., which appears to be a Korean company that at one time made advertising software.

A digital certificate is used to verify that a software program comes from the developer it purports to come from. But the certificates are occasionally stolen. They're especially useful for hackers, as one can make a malware program appear at least on first sight as legitimate.

In September 2014, the computer security firm CrowdStrike found a remote access tool called Derusbi that was often used by Deep Panda. The sample was also signed with a DTOPTOOLZ Co. digital certificate.

In another example, ThreatConnect found a spoofed domain last year that appeared to mimic defense contractor VAE, based in Reston, Virginia. Two malware programs -- Derusbi and another type of one called Sakula -- were linked to the spoofed VAE domain and signed once again with the DTOPTOOLZ Co. certificate.

It could be that the Korean company did not do enough to prevent its digital certificates from being stolen, and that it was pilfered by multiple hacking groups who have then used it in multiple, unrelated attacks. If not, it would be a strong indication that a single group is involved.

Anthem and law enforcement have yet to say who they believe may be responsible, and the Premera investigation is in its early stages. If an attacker is named, it could put further pressure on the U.S. government, which has shown less and less tolerance for what are classified as state-sponsored attacks.

In December, the U.S. government blamed North Korea for the devastating data breach against Sony Pictures Entertainment, one of the first times the government has so quickly and so directly attributed a single attack. The documents released included salary details, internal email and HR documents for employees. Other malicious code destroyed the hard drives of Sony computers.

In May 2014, U.S. federal prosecutors charged five members of the Chinese Army with stealing trade secrets from U.S. organizations over eight years in the first legal action of its kind. China, as is customary, denied the accusations.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Anthemsecuritydata breachPremera Blue CrossExploits / vulnerabilities

More about PandaSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place