Premera, Anthem breaches probably espionage, expert says

Attackers who compromised personal data of about 11 million customers of healthcare provider Premera were likely after intelligence about groups or individuals, not cashing in on the information, even though it has enormous market value, experts say.

Indications are that the attack and a similar one at Anthem disclosed earlier this year were perpetrated by the same group that likely has ties to the government of China, which isn't looking for a monetary payday, says Ben Johnson, chief security strategist for Bit9+CarbonBlack.

Neither victim corporation has said whether the data was stolen or merely exposed, but it seems the attackers were after information about individuals or groups of individuals, says Rich Barger, chief intelligence officer for Threat Connect, which has pieced together third-party data about the breaches. Both Anthem and Premera are Blue Cross/Blue Shield firms that serve many U.S. government employees, including U.S. military.

Johnson says there are enough indicators to conclude it's the same actor. "It's relatively safe to say it's the same group," he says. Tool signatures, domain names, the timeframe of the attacks and the similarity of the targets all point to one actor, likely Chinese and likely government affiliated.

Others disagree and point to the money motive. "Medical records are rich in information that can be used for profitable health care fraud as well as all the traditional scams that stolen data has powered," says Jonathan Sander, strategy and research officer for STEALTHbits Technologies.

The attackers may have been looking for information on a small group or even an individual, but took more just because they could or to mask who their actual target was, says Johnson. "If I were in the attackers' shoes... I would probably dump the whole database so you don't know who I'm looking for or looking at," he says.

Since the same tools, infrastructure and timeframe link these two attacks to one against defense contractor VAE and the U.S. Office of Personnel Management, it is likely the attackers were looking at U.S. government employees or those affiliated with the U.S. military. "To say it's exactly the same warm body behind the keyboard is very difficult," says Barger, but it's very likely the same organization is directing all the activities.

That the Anthem and Premera breaches were discovered on the same date -- Jan. 29 -- "is an unlikely coincidence," says Johnson. The healthcare community and the FBI and others could have been involved in a larger investigation that came together that day. "I believe one was discovered and others were told to go check," he says.

His advice to health insurers is to look for similar compromises. He says he was shocked when Home Depot was hit last year by cyber thieves stealing credit card data so soon after a major theft from Target. "If I were a retailer I would have looked at every byte on my network," he says. "Health insurers should be looking now."

Insurers need to work with each other to build a more comprehensive picture of what they are dealing with and prioritize threats. "I wouldn't try to go figure it out alone," Barger says. Cooperation and sharing intelligence is a must. "We're all in the same boat and we should start acting like it."

Johnson rates the attackers' skills at 8 on a scale of 10. "You have to be pretty good to do this," he says.

Right now malware from these attackers is probably on systems that people think are not touched and that won't expose themselves by trying to communicate out for another year. "That's what I'm worried about," he says.

And health care enterprises aren't the only targets. Any company that does business with a target is itself a target, one that could be used as a jumping-off point to infiltrate the main objective's network, Johnson says.

"I don't believe this is the end," he says. "Other companies are finding out right now [that they are breached] or not, but they are. There was nothing extra vulnerable about Anthem or Premera."
