Hackers built a look-alike network to prepare the attack

Feb 10, 2015 10:40 GMT  ·  By

A connection has been found between the compromise of health insurer Anthem's network and infrastructure used by the Chinese espionage group known as Deep Panda, one of several indicators suggesting that the breach may date back to April 2014.

In 2004, Anthem acquired WellPoint Health Networks, Inc., and the company adopted the name WellPoint Inc. In December 2014, the name was changed to Anthem Inc.

Security blogger Brian Krebs pieced together publicly available information and found evidence that the attackers were likely already working against Anthem's network, probably in a reconnaissance phase, about nine months before the company noticed suspicious queries against its customer database.

Evil infrastructure created to mimic the legitimate one

Following the trail of open-source details about Deep Panda, a name given to the group by researchers at CrowdStrike, Krebs found that one IP address used by the cyber-espionage group had at one point hosted the domain "we11point.com": a look-alike of WellPoint's real domain, "wellpoint.com", in which the two letters "l" are replaced with the digit "1" so that the name passes a casual glance.

Further investigation by Krebs revealed that the domain had been registered on April 21, 2014 through a registrar in China, and that just eight minutes later the registration details were updated to remove any reference to China.

With help from ThreatConnect's CIO Rich Barger, a larger plot emerged: cached records from a passive DNS database showed that subdomains had been created under the fake WellPoint domain with the explicit intent of replicating the health insurer's legitimate infrastructure as it existed in April 2014.

“We were able to verify that the evil we11point infrastructure is constructed to masquerade as legitimate Wellpoint infrastructure,” Barger told Krebs.
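The look-alike domain and the mirrored subdomains described above lend themselves to a simple hunting check over passive DNS or proxy logs. The following Python script is an added example, not code from the article or from Krebs, ThreatConnect or CrowdStrike: it canonicalises confusable characters so that "we11point" compares equal to "wellpoint", flags typosquats within one edit of the brand name, and lists which subdomain labels a look-alike domain copies from the real one. The passive-DNS records it runs over are constructed for the demo; the subdomains, addresses and dates are assumptions, and only the we11point.com / wellpoint.com pair comes from the article.

```python
"""Flag look-alike (homoglyph/typosquat) domains and mirrored subdomains
in passive-DNS style records.

Added example for this article; not code from Brian Krebs, ThreatConnect
or CrowdStrike.  The records below are constructed: names, addresses and
dates are made up, only the we11point.com / wellpoint.com pair is real.
"""

# Constructed passive-DNS records: (rrname, rrtype, rdata, first_seen).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are RFC 5737 ranges.
RECORDS = [
    ("wellpoint.com",           "A", "203.0.113.10", "2013-01-05"),
    ("vpn.wellpoint.com",       "A", "203.0.113.20", "2013-01-05"),
    ("myhr.wellpoint.com",      "A", "203.0.113.21", "2013-02-11"),
    ("mail.wellpoint.com",      "A", "203.0.113.25", "2013-02-11"),
    ("we11point.com",           "A", "198.51.100.7", "2014-04-21"),
    ("vpn.we11point.com",       "A", "198.51.100.7", "2014-04-22"),
    ("myhr.we11point.com",      "A", "198.51.100.7", "2014-04-22"),
    ("extcitrix.we11point.com", "A", "198.51.100.7", "2014-04-23"),
    ("welpoint.com",            "A", "198.51.100.9", "2014-05-02"),
    ("wellnesspoint.com",       "A", "192.0.2.44",   "2012-07-19"),
    ("anthem.com",              "A", "203.0.113.50", "2013-01-05"),
]

# Visually confusable ASCII substitutions.  Not exhaustive; Unicode
# confusables (Cyrillic "o" etc.) need a separate table.
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o",
                             "3": "e", "4": "a", "5": "s", "7": "t"})


def canonical(label: str) -> str:
    """Normalise a label so confusable spellings compare equal, e.g.
    we11point, vvellpoint and wellpoint all map to the same key."""
    return (label.lower().replace("rn", "m").replace("vv", "w")
            .translate(_CONFUSABLE))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_name(rrname: str):
    """Return (subdomain, registered_domain).  Assumes a one-label public
    suffix such as "com"; production code should use the Public Suffix List."""
    parts = rrname.lower().rstrip(".").split(".")
    return ".".join(parts[:-2]), ".".join(parts[-2:])


def is_lookalike(label: str, brand: str, max_distance: int = 1) -> bool:
    """True if `label` imitates `brand`: identical after canonicalisation
    (homoglyph swap) or within `max_distance` edits of it (typosquat)."""
    if label.lower() == brand.lower():
        return False                      # the genuine name, not an imitation
    a, b = canonical(label), canonical(brand)
    return a == b or edit_distance(a, b) <= max_distance


def find_lookalikes(brand_domain: str, records=RECORDS) -> dict:
    """Map each look-alike registered domain to its earliest first_seen
    date and the names observed under it."""
    brand = brand_domain.split(".")[0]
    hits = {}
    for rrname, _rrtype, _rdata, first_seen in records:
        _sub, reg = split_name(rrname)
        if reg == brand_domain.lower() or not is_lookalike(reg.split(".")[0], brand):
            continue
        entry = hits.setdefault(reg, {"first_seen": first_seen, "names": []})
        entry["first_seen"] = min(entry["first_seen"], first_seen)
        entry["names"].append(rrname)
    return hits


def mirrored_subdomains(legit_domain: str, fake_domain: str, records=RECORDS) -> set:
    """Subdomain labels present under both domains: the slice of the real
    infrastructure the fake one replicates."""
    def labels(domain):
        return {split_name(r[0])[0] for r in records
                if split_name(r[0])[1] == domain and split_name(r[0])[0]}
    return labels(legit_domain) & labels(fake_domain)


if __name__ == "__main__":
    for reg, info in sorted(find_lookalikes("wellpoint.com").items()):
        print(f"{reg:<16} first seen {info['first_seen']}  "
              f"mirrors {sorted(mirrored_subdomains('wellpoint.com', reg))}")
```

Run against real passive DNS exports, the first_seen date of a look-alike domain is the pivot that matters: a domain that appears months before an incident is discovered, and then grows subdomains matching the victim's VPN or HR hosts, is the reconnaissance footprint this article describes rather than opportunistic typosquatting.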

Digital signature reveals Deep Panda involvement

The threat actor also set up domains impersonating the VPN (virtual private network) service that WellPoint used to give employees secure access to the internal network from outside.

A search on VirusTotal turned up a malware sample posing as the Citrix VPN client used by WellPoint and tied to the we11point.com domain. The sample was signed with a digital certificate that CrowdStrike and other security companies had already identified as one used by the Deep Panda group, so the reused signing certificate itself became the link between the fake WellPoint infrastructure and the known espionage actor.

By replicating the legitimate infrastructure, the threat actor could run spear-phishing campaigns against employees with access to sensitive parts of the network, luring them to a VPN login page or a fake client download that looked like their own. Once malware was planted on a workstation, the attackers could map the internal network and work out how to move deeper into it.