Premera, Anthem breaches probably espionage, expert says

Tim Greene | March 20, 2015
Same group of attackers, likely Chinese, could be lurking in networks right now.

Attackers who compromised personal data of about 11 million customers of healthcare provider Premera were likely after intelligence about groups or individuals rather than looking to cash in on the information, even though it has enormous market value, experts say.

Indications are that the attack and a similar one at Anthem disclosed earlier this year were perpetrated by the same group that likely has ties to the government of China, which isn't looking for a monetary payday, says Ben Johnson, chief security strategist for Bit9+CarbonBlack.

Neither victim corporation has said whether the data was stolen or merely exposed, but it seems the attackers were after information about individuals or groups of individuals, says Rich Barger, chief intelligence officer for ThreatConnect, which has pieced together third-party data about the breaches. Both Anthem and Premera are Blue Cross/Blue Shield firms that serve many U.S. government employees, including U.S. military.

Johnson says there are enough indicators to conclude it's the same actor. "It's relatively safe to say it's the same group," he says. Tool signatures, domain names, the timeframe of the attacks and the similarity of the targets all point to one actor, likely Chinese and likely government affiliated.

Others disagree and point to the money motive. "Medical records are rich in information that can be used for profitable health care fraud as well as all the traditional scams that stolen data has powered," says Jonathan Sander, strategy and research officer for STEALTHbits Technologies.

The attackers may have been looking for information on a small group or even an individual, but took more just because they could or to mask who their actual target was, says Johnson. "If I were in the attackers' shoes... I would probably dump the whole database so you don't know who I'm looking for or looking at," he says.

Since the same tools, infrastructure and timeframe link these two attacks to one against defense contractor VAE and the U.S. Office of Personnel Management, it is likely the attackers were looking at U.S. government employees or those affiliated with the U.S. military. "To say it's exactly the same warm body behind the keyboard is very difficult," says Barger, but it's very likely the same organization is directing all the activities.

That the Anthem and Premera breaches were discovered on the same date -- Jan. 29 -- "is an unlikely coincidence," says Johnson. The healthcare community and the FBI and others could have been involved in a larger investigation that came together that day. "I believe one was discovered and others were told to go check," he says.

His advice to health insurers is to look for similar compromises. He says he was shocked when Home Depot was hit last year by cyber thieves stealing credit card data so soon after a major theft from Target. "If I were a retailer I would have looked at every byte on my network," he says. "Health insurers should be looking now."

