Premera, Anthem data breaches linked by similar hacking tactics

18.03.2015
Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches.

Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday.

It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases.

Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem's breach.

But what is known is that the Anthem attackers created a bogus domain name, "we11point.com," (based on WellPoint, the former name of Anthem) that may have been used in phishing-related attacks. Companies try to detect such confusing domain names -- a practice known as typosquatting -- but are not always successful.

One of Deep Panda's attack methods is to create fake websites that imitate corporate services for companies. In Anthem's case, the attackers set up several subdomains based on "we11point.com," which were designed to mimic real services such as human resources, a VPN and a Citrix server.

By targeting Anthem employees with phishing emails and luring them to the fake sites, it may have been possible for the attackers to collect the logins and passwords and eventually access the insurer's real systems.

ThreatConnect, an Arlington, Virginia-based security company, found that Premera appears to have been targeted by the same style of attack.

On Feb. 27, ThreatConnect wrote a blog post describing its research into the Anthem attacks. In the course of that work, ThreatConnect found a suspicious domain name -- "prennera.com."

On Dec. 11, 2013, that domain name resolved to the same IP address as a malware sample seen by ThreatConnect. Even more interesting is that the malware sample was digitally signed with a certificate from DTOPTOOLZ Co., which appears to be a Korean company that at one time made advertising software.

A digital certificate is used to verify that a software program comes from the developer it purports to come from. But the certificates are occasionally stolen. They're especially useful for hackers, as one can make a malware program appear at least on first sight as legitimate.

In September 2014, the computer security firm CrowdStrike found a remote access tool called Derusbi that was often used by Deep Panda. The sample was also signed with a DTOPTOOLZ Co. digital certificate.

In another example, ThreatConnect found a spoofed domain last year that appeared to mimic defense contractor VAE, based in Reston, Virginia. Two malware programs -- Derusbi and another type of one called Sakula -- were linked to the spoofed VAE domain and signed once again with the DTOPTOOLZ Co. certificate.

It could be that the Korean company did not do enough to prevent its digital certificates from being stolen, and that it was pilfered by multiple hacking groups who have then used it in multiple, unrelated attacks. If not, it would be a strong indication that a single group is involved.

Anthem and law enforcement have yet to say who they believe may be responsible, and the Premera investigation is in its early stages. If an attacker is named, it could put further pressure on the U.S. government, which has shown less and less tolerance for what are classified as state-sponsored attacks.

In December, the U.S. government blamed North Korea for the devastating data breach against Sony Pictures Entertainment, one of the first times the government has so quickly and so directly attributed a single attack. The documents released included salary details, internal email and HR documents for employees. Other malicious code destroyed the hard drives of Sony computers.

In May 2014, U.S. federal prosecutors  of the Chinese Army with stealing trade secrets from U.S. organizations over eight years in the first legal action of its kind. China, as is customary, denied the accusations.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk