Encrypting the stored data could not have changed the outcome

Feb 9, 2015 01:15 GMT

The data breach at health insurer Anthem may be the largest health care has seen, as reportedly 80 million individuals may have their personal information exposed to unauthorized individuals.

A clear picture of the incident has yet to form, as investigators know only pieces of the puzzle, or at least have revealed only pieces to the public. The initial conclusion seems to point to China as the origin of the attack, according to views attributed to individuals close to the investigation.

However, at this stage, it is still a mystery whether the hack is the work of state-sponsored individuals seeking to collect large caches of data on people of interest or of cybercriminals with purely financial gain in mind.

Entities in sensitive activity fields have health insurance from Anthem

Anthem is the second largest health insurance provider in the US and is expected to offer services to an impressive number of customers, including those working for entities in sensitive fields of activity, such as defense contractors and governmental organizations.

Northrop Grumman Corporation, a global aerospace and defense technology company, uses the health insurance services of Anthem for its employees. The list of Anthem customers also includes The Boeing Company, which has a defense unit.

With this information in mind, the scenario of a targeted attack by a foreign government makes perfect sense. Targeted attacks are so called not only because they are aimed at a specific entity, but also because the threat actor is after specific data.

Most of the targeted attacks observed had a clear mission as far as the information extracted was concerned. The attackers would be careful to reach the systems of interest in the network and exfiltrate only select files useful to their mission.

In an official statement disclosing the incident, Joseph Swedish, president and CEO of Anthem, said that the client details exposed consisted of names, birthdays, medical IDs, social security numbers (SSNs), street addresses, email addresses, employment and income-related details.

He called the breach “a very sophisticated external cyber attack,” suggesting that a group of highly skilled hackers, backed by generous resources generally available to a nation state, might be behind it.

According to The Wall Street Journal, investigators say that the hack targeting Anthem was carried out using malware seen to have been used almost exclusively by Chinese cyberspies.

Hackers may have acted in the interest of pure profit

On the other hand, advanced threats are no longer exclusively used by governments, and cybercriminals have started to adopt complex tactics and techniques to reach their money-making goals, targeting financial institutions in particular.

The number of such incidents increased lately, making security experts at Kaspersky draw a somber conclusion at the end of 2014: “In 2015, we expect to see another stage in the evolution of cyber-criminal activity with the adoption of APT [advanced persistent threat] tactics and techniques in financially motivated online criminal activity.”

Furthermore, some governments carry out cyber-espionage jobs by hiring mercenary hackers, who use their own custom tools. By doing so, even if a nation-state is obviously the real threat actor, there is a slim chance, if any, of finding clues in the malware code or in the attack itself that connect the nation-state to the incident.

Oftentimes, these hackers engage in financially motivated cyber-operations for themselves, and rely on the same set of tools and tactics used in cyber-espionage activities commanded by their government employers.

The value of personally identifiable information (PII) is higher than that of payment cards and the health care sector is known to be deficient in protecting customer data. Cybercriminals are well aware of these facts and it would make sense to focus on companies in the health care industry, be they providers of insurance policies or of medical services.

Martin Walter, senior director at RedSeal, said via email that PII and SSNs are worth ten times the value of credit card information on the black market.

“Credit card information in retail tends to be better protected than personally identifiable information and Social Security numbers in healthcare, even though it’s less valuable in terms of selling price. It was only a matter of time until hackers found out that it’s much easier to go after Social Security numbers and personally identifiable information with healthcare providers,” Walter says.

The possibility of cyber-espionage is not to be excluded though, since security firms investigating this type of incident have seen great interest from threat actors in collecting PII that could later be used in other attacks.

Hackers used legitimate credentials to query the database

The attack on Anthem’s computer systems is not an amateur job, this is certain. Some argue that preventing the info from becoming an asset to the attackers could have been achieved through encryption.

Reports from multiple news outlets say that Anthem’s data-at-rest (when it is stored on the system) was not encrypted, pointing to the fact that the intruders could access it in plain text.

Encryption can be used to protect information both when it is in stored state and in transit. It ensures that no one but authorized individuals can view it in the clear.

In a memo from Anthem to its clients (obtained by CSO Online), the company stated that a database administrator noticed a query running under his log-in credentials which he had not initiated.

In this case, encryption could not have helped prevent access to the plain-text database, because legitimate credentials were used to reach it: encryption of stored data is transparent to any session that authenticates successfully, so the data is handed back in the clear to whoever holds valid credentials.

This does not mean that encryption does not have its benefits, only that better protection of the system is needed, so that credentials that would unlock the data don’t fall into the wrong hands.

As per the document from Anthem, the unauthorized database query activity started on December 10, 2014, and continued sporadically until January 27, 2015. The initial investigation of the company showed that the log-in credentials of multiple administrators had been compromised.

After learning of the unauthorized access, the company reset the passwords and secured the warehouse storing the database. At the moment, the services of cyber incident response firm Mandiant have been contracted to plug security holes and improve protection of the network. Law enforcement is also on the case as the FBI has been called in.
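Since encryption at rest is transparent to any session that logs in with valid credentials, the control that actually matters in a case like this is noticing when a privileged account is being misused. The following is an added example, not code from Anthem, Mandiant or any investigator: it runs a few simple checks over a constructed database audit log (the log format, account names, host baseline and thresholds are all assumptions made for illustration) and flags queries that read bulk PII, come from a host the account has never used before, or run outside business hours.

```python
"""Flag suspicious use of privileged database credentials in an audit log.

Added example, not Anthem's or any investigator's code. The log format,
the host baseline and the thresholds below are assumptions for illustration.
"""
from datetime import datetime

# Constructed sample audit lines: timestamp, account, source host, statement, rows returned.
SAMPLE_AUDIT_LOG = """\
2014-12-09T10:12:03 dba_jsmith dba-ws01 "SELECT count(*) FROM members" 1
2014-12-09T14:40:51 dba_jsmith dba-ws01 "UPDATE members SET plan_id=7 WHERE member_id=1042" 1
2014-12-10T02:17:44 dba_jsmith app-srv17 "SELECT name, ssn, dob, address FROM members" 2300000
2014-12-10T02:39:10 dba_jsmith app-srv17 "SELECT name, ssn, dob, address FROM members WHERE region='W'" 450000
2014-12-11T09:05:22 dba_kwong dba-ws02 "SELECT member_id FROM claims WHERE status='open'" 812
"""

# Assumed baseline: the hosts each privileged account normally connects from.
KNOWN_HOSTS = {
    "dba_jsmith": {"dba-ws01"},
    "dba_kwong": {"dba-ws02"},
}

PII_COLUMNS = {"name", "ssn", "dob", "address", "email"}
BULK_ROW_THRESHOLD = 10_000          # an administrator rarely needs millions of member rows
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59; anything else counts as off-hours


def parse_line(line):
    """Split one audit line into its fields; the statement is double-quoted."""
    ts, user, host, rest = line.split(" ", 3)
    stmt, rows = rest.rsplit(" ", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "host": host,
        "stmt": stmt.strip('"'),
        "rows": int(rows),
    }


def touches_pii(stmt):
    """Crude check: does the SELECT list name a column we treat as PII?"""
    upper = stmt.upper()
    if not upper.startswith("SELECT ") or " FROM " not in upper:
        return False
    select_list = stmt[len("SELECT "):upper.index(" FROM ")]
    cols = {c.strip().lower() for c in select_list.split(",")}
    return bool(cols & PII_COLUMNS)


def analyse(log_text):
    """Return (timestamp, account, reasons) for every line that trips a check."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        reasons = []
        if e["host"] not in KNOWN_HOSTS.get(e["user"], set()):
            reasons.append(f"new source host {e['host']}")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours activity")
        if touches_pii(e["stmt"]) and e["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk PII read ({e['rows']} rows)")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in analyse(SAMPLE_AUDIT_LOG):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run stand-alone, the script reports only the two early-morning bulk reads of member PII issued under dba_jsmith's credentials from an unfamiliar host; the administrator's own daytime work and the other account's routine claims query pass. In practice each of the three checks on its own produces noise, which is why they are reported together per event: a valid account doing something its owner never does is exactly the signal the memo describes.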

[Images: Anthem Blue Cross headquarters; memo from Anthem to its clients]