Blue anthem
5/3/2023

On February 4, 2015, Anthem, a major health insurance company in the USA, announced to the general public that a computer hacker had gained access to its database and that 78.8 million records of Personal Identification Information (PII) were exposed, including name, address, birth date, medical ID, and Social Security Number (SSN). In the weeks and months that followed, investigators learned that Anthem employees had been targeted by a cyber warfare group affiliated with the government of the People’s Republic of China (PRC). This group, which went by aliases such as “Deep Panda” and “Black Vine”, had launched a sophisticated attack that tricked users with phishing emails linking to malicious websites masquerading as internal services, downloaded malware that infected their machines, and then compromised multiple user accounts throughout the Anthem network until the attackers were able to access and exfiltrate the corporate data warehouse containing the customer PII data.

Anthem spent approximately $230 million on the cleanup of the data breach; this included purchasing a cyber security insurance policy, settling class-action lawsuits, and paying for additional security services and cyber defenses. For full disclosure to the reader, I was a customer of Anthem at the time of the event and was affected by it. This essay will discuss details of the data breach made public, the business and technology factors that contributed to the system failure, and how to prevent such incidents from happening to your organization.

Headquartered in Indianapolis, Anthem grew from the union of two Indiana-based insurance companies, Mutual Hospital Insurance Inc and Mutual Medical Insurance Inc, formed in 19, respectively. Anthem eventually became a publicly traded corporation in 2001; in so doing, it consolidated the Blue Cross Blue Shield organizations of several states to achieve further economies of scale. In November 2004, Anthem and WellPoint merged to become the leading health benefits corporation in the USA and the largest for-profit licensee within the Blue Cross and Blue Shield Association. Through its portfolio of healthcare plans and services, Anthem serves over 40 million members and operates in 19 states; 1 in 8 Americans are covered by Anthem and, interestingly from a reconnaissance perspective, about 1 in 2 US federal government employees. For fiscal year 2017, Anthem reported US$3.8 billion in earnings with annual revenue of $90 billion; it handled more than 50 million service calls and processed more than 700 million claims in 2017.

ThreatConnect Analysis of Anthem Data Breach

According to multiple documents published by Symantec, ThreatConnect, and the US government, a system administrator in Anthem’s Amerigroup subsidiary opened a phishing email with a malicious attachment and embedded links to typosquat web sites controlled by the Deep Panda group in early 2014. The fake sites, including , , and , were used to pose as legitimate HR and IT services within the Anthem and Blue Cross enterprise network; instead, they hosted command-and-control infrastructure for the Mivast and Sakula malware, digitally signed with certificates stolen from DTOPTOOLZ, a Korean software company. According to Symantec, Mivast and Sakula shared the following capabilities: open an I/O pipe as a backdoor command-and-control communications channel; execute files and commands; delete, modify, and create Windows registry keys; and collect and send information about the infected computer. In addition to the disguised host name, the malware was themed as an Adobe Reader, Juniper VPN, or Microsoft ActiveX Control application to further appear innocent to the user.

Once the attacker controlled the sysadmin’s account and computer, they began to move laterally within Anthem’s network, eventually compromising and escalating privileges on dozens more user accounts as they discovered additional target systems. On December 10, 2014, the attacker queried and exfiltrated the PII data from the corporate data warehouse. The suspiciously large query was, however, logged, and it was subsequently noticed by Anthem’s IT department on January 26, 2015. Three days later, Anthem shut down the sysadmin account and then notified federal authorities as well as other regulatory entities.
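The oversized warehouse query above was logged yet went unnoticed for weeks. As an added example (not code from the original post), the following Python flags a query whose row count dwarfs the same account's own prior baseline against that database and reports how long such an alert sat unactioned; the audit-log format, account names, row counts and threshold factor are constructed assumptions for illustration.

```python
import re
import statistics
from datetime import datetime

# Constructed database audit log lines (assumed format, not Anthem's real logs):
# timestamp, account, database, rows returned by the statement.
AUDIT_LOG = """\
2014-11-03T09:12:41Z user=sysadmin01 db=datawarehouse rows=1250 stmt=SELECT
2014-11-10T14:03:02Z user=sysadmin01 db=datawarehouse rows=980 stmt=SELECT
2014-11-17T10:44:19Z user=sysadmin01 db=datawarehouse rows=2100 stmt=SELECT
2014-11-24T11:20:55Z user=sysadmin01 db=datawarehouse rows=1600 stmt=SELECT
2014-12-01T16:08:30Z user=sysadmin01 db=datawarehouse rows=1900 stmt=SELECT
2014-12-10T02:17:09Z user=sysadmin01 db=datawarehouse rows=78800000 stmt=SELECT
2014-12-11T09:30:00Z user=analyst07 db=datawarehouse rows=450 stmt=SELECT
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) db=(\S+) rows=(\d+) stmt=(\S+)$")

def parse_audit_log(text):
    """Parse audit lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, db, rows, stmt = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "user": user, "db": db, "rows": int(rows), "stmt": stmt})
    return events

def flag_oversized_queries(events, factor=10, min_baseline=3):
    """Flag a query whose row count exceeds `factor` times the median of the same
    account's earlier queries against the same database. The baseline uses only
    events before the query, so one huge pull cannot inflate its own baseline."""
    history = {}  # (user, db) -> row counts of earlier queries
    alerts = []
    for ev in events:  # assumes events are in timestamp order
        prior = history.setdefault((ev["user"], ev["db"]), [])
        if len(prior) >= min_baseline:
            baseline = statistics.median(prior)
            if ev["rows"] > factor * baseline:
                alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                               "rows": ev["rows"], "baseline": baseline})
        prior.append(ev["rows"])
    return alerts

def detection_delay_days(alert_ts, noticed_iso):
    """Calendar days between when the alert could have fired and when a human acted on it."""
    return (datetime.fromisoformat(noticed_iso).date() - datetime.fromisoformat(alert_ts).date()).days
```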