Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches.
Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday.
It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases.
Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem's breach.
But what is known is that the Anthem attackers created a bogus domain name, "we11point.com," (based on WellPoint, the former name of Anthem) that may have been used in phishing-related attacks. Companies try to detect such confusing domain names -- a practice known as typosquatting -- but are not always successful.
One of Deep Panda's attack methods is to create fake websites that imitate corporate services for companies. In Anthem's case, the attackers set up several subdomains based on "we11point.com," which were designed to mimic real services such as human resources, a VPN and a Citrix server.
By targeting Anthem employees with phishing emails and luring them to the fake sites, it may have been possible for the attackers to collect the logins and passwords and eventually access the insurer's real systems.
ThreatConnect, an Arlington, Virginia-based security company, found that Premera appears to have been targeted by the same style of attack.
On Feb. 27, ThreatConnect wrote a blog post describing its research into the Anthem attacks. In the course of that work, ThreatConnect found a suspicious domain name -- "prennera.com."
On Dec. 11, 2013, that domain name resolved to the same IP address as a malware sample seen by ThreatConnect. Even more interesting is that the malware sample was digitally signed with a certificate from DTOPTOOLZ Co., which appears to be a Korean company that at one time made advertising software.
A digital certificate is used to verify that a software program comes from the developer it purports to come from. But the certificates are occasionally stolen. They're especially useful for hackers, as one can make a malware program appear at least on first sight as legitimate.
In September 2014, the computer security firm CrowdStrike found a remote access tool called Derusbi that was often used by Deep Panda. The sample was also signed with a DTOPTOOLZ Co. digital certificate.
In another example, ThreatConnect found a spoofed domain last year that appeared to mimic defense contractor VAE, based in Reston, Virginia. Two malware programs -- Derusbi and another type of one called Sakula -- were linked to the spoofed VAE domain and signed once again with the DTOPTOOLZ Co. certificate.
Sign up for CIO Asia eNewsletters.