US health insurance giant Anthem confirmed last week that data on as many as 80 million customers was stolen by hackers. The stolen information includes names, birth dates, social security numbers, street addresses, email addresses and employment information, the company said. It is very likely that this attack had been going on for months, and there is strong evidence suggesting links to ongoing Chinese hacking campaigns.
The sophisticated attackers gained unauthorized access to one of Anthem’s IT systems (presumably using a stolen employee password) and obtained personal information relating to consumers and Anthem employees who are currently covered by the company, or who have received coverage from it in the past.
This seems like a disturbing change in the familiar ways of Chinese cyber espionage. We’ve come to expect Chinese spies to infiltrate defense industry, automaker and government networks to steal precious IP or for genuine political and military espionage purposes.
But a health insurer seems like an unusual target for these state-of-the-art hackers. Why would a military unit or state-backed hacker bother with such an unexciting target? Surely they are not after the money (although it is known that medical and personal records yield a far greater profit on the underground markets than credit card data, making them a very lucrative target for financially motivated hackers). There are several speculations as to why.
One notion is that this is simply an exercise of sorts to train novice cyber troops, and as such a rather “soft” target was selected. Another, more intriguing, is that they were looking for something or someone in particular: among those millions of customers must lie some high-ranking officials (or their family members), and this information can be used for elaborate social engineering attacks which will eventually lead to the entrapment of a senior executive, providing access to very sensitive information. Another theory is that China simply hacks anything and everything American, and since they’ve pretty much breached and drained all the major industries (defense, aerospace, automotive, academia etc.) they are now moving to secondary targets, which provide them access not only to secret government information and lucrative technology, but also to the homes and bank accounts of average Joes.
Whatever the rationale for this breach, it is frightening to think that corporations, which until now only dealt with cybercrime, must now somehow mitigate this new threat actor with seemingly endless resources and motivation.
But when the actual breach is analyzed, it shows a rather simple (yet proven) attack method, and to a certain degree the end result might be blamed on the victim’s lack of preparedness rather than on the superb skill set and tools of the attackers. From what is known, it appears that this breach, like so many before it, occurred using the stolen credentials of an employee, most likely one with privileged access rights, such as an administrator (some information indicates that the credentials of 5 employees were utilized). Once they gained access to the network, the attackers took their time (some say the attack started in December 2014, others say it started back in April) to locate the customer records, which weren’t encrypted. They then managed to siphon at least some of these records out of the organization until the breach was detected. Utilizing privileged access rights allows an attacker to bypass most security controls and succeed in their mission. While the full extent of the damage is not yet clear (Anthem stock took a hit the day after the breach, but has recovered since, and the cost of cleaning up is not yet known), it is certain that the company’s reputation and credibility will suffer. It is also likely that the company’s management will pay the price for this breach, as was the case with the Target and Sony breaches.
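The pattern described above (a privileged account reading unencrypted customer records in bulk, from an unusual place, at an unusual time) is also what a defender can look for in database audit logs. The following is an added example, not Anthem’s or this post’s own code: a small Python detector run over constructed audit lines, where the log format, table name, account names, known admin hosts and thresholds are all assumptions.

```python
import re
# Constructed sample of database audit log lines; not real Anthem data.
SAMPLE_LOG = """\
2015-01-27T10:02:11Z user=dbadmin src=10.20.5.17 table=member_pii action=SELECT rows=40
2015-01-27T14:30:45Z user=claims_app src=10.20.7.3 table=member_pii action=SELECT rows=120
2015-01-28T02:14:07Z user=dbadmin src=10.31.9.200 table=member_pii action=SELECT rows=250000
2015-01-28T02:41:52Z user=dbadmin src=10.31.9.200 table=member_pii action=SELECT rows=310000
2015-01-28T09:05:00Z user=hr_admin src=10.20.5.18 table=employee_dir action=SELECT rows=15
"""
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) table=(?P<table>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)"
)

# Assumed baseline (constructed): the core asset, the accounts with broad access
# to it, the hosts each such account normally uses, and what counts as routine.
CROWN_JEWEL_TABLES = {"member_pii"}
PRIVILEGED_ACCOUNTS = {"dbadmin", "hr_admin"}
KNOWN_ADMIN_HOSTS = {"dbadmin": {"10.20.5.17"}, "hr_admin": {"10.20.5.18"}}
BULK_ROW_THRESHOLD = 10_000    # a single read this large is not routine admin work
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC

def parse(line):
    # Turn one audit line into a dict, or None if the line is malformed.
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["hour"] = int(rec["ts"][11:13])  # hour field of the ISO 8601 timestamp
    return rec

def detect(log_text):
    """Flag privileged reads of the crown-jewel table that look like credential
    misuse: unfamiliar source host, bulk volume, or off-hours activity."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["table"] not in CROWN_JEWEL_TABLES or rec["user"] not in PRIVILEGED_ACCOUNTS:
            continue
        reasons = []
        if rec["src"] not in KNOWN_ADMIN_HOSTS.get(rec["user"], set()):
            reasons.append("unfamiliar source host")
        if rec["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append("bulk read")
        if rec["hour"] not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            alerts.append((rec["ts"], rec["user"], reasons))
    return alerts
```

Run against the sample, only the two night-time bulk reads by the admin account from a new host are flagged; the routine admin query, the application account and the unrelated table are ignored.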
There are very few new things we can learn from this hack, and this is encouraging, since we know how to prevent such hacks from occurring. It is not easy and requires attention and perseverance, but the methodology is simple: identify the core assets of your organization (in this case, customer data); identify the attackers who are likely to threaten these assets (now we know that nation-states are also to be taken into account); identify their methods of operation and tools (in this case probably spearphishing, use of privileged users and database manipulation); correlate the two and see if your security controls are robust enough to thwart these threats. Simulate “what if” scenarios for different mitigation tactics to discover the optimal resource allocation which effectively reduces the risk. For example, investing in a better firewall would have done little to mitigate such an attack, whereas better authentication, privileged user management and data leakage prevention (DLP) might have helped considerably. Make sure you take into account the non-technical security controls such as awareness training, HR recruiting and personnel background checks (we can never rule out the possibility of an insider). Conduct this assessment right and often (the threat landscape changes constantly) and your organization stands a chance against these attacks. Every organization can be breached if enough time and resources are allocated by the attackers. The job of the CISO and the IT security team is to lower that risk to an acceptable level by effectively utilizing their resources. With ample security controls in place, most attackers will simply look elsewhere.
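To make the “what if” step concrete, here is an added example (not this post’s own code) that models the attack chain the post describes as a series of steps that must all succeed, gives each candidate control an assumed cost and an assumed reduction of a step’s success probability, and enumerates which set of controls within a budget leaves the lowest residual risk. All probabilities, costs and reduction factors are illustrative assumptions, chosen only to show why a firewall buys little against this chain while authentication, privileged user management and DLP buy a lot.

```python
from itertools import combinations

# Attack chain reconstructed from the post; every step must succeed for the
# records to leave the organization. Probabilities are assumed, for illustration.
ATTACK_CHAIN = {
    "spearphishing": 0.9,            # someone in a large workforce takes the bait
    "privileged_credentials": 0.8,   # a stolen password alone is enough to log in
    "database_access": 0.9,          # records unencrypted, bulk reads unrestricted
    "exfiltration": 0.9,             # no inspection of records leaving the network
}
IMPACT = 100.0  # relative cost of losing the customer database (assumed)

# Candidate controls: (cost, {step: factor applied to that step's probability}).
# Costs and factors are assumptions; the firewall barely touches this chain.
CONTROLS = {
    "better_firewall": (30, {"exfiltration": 0.95}),
    "mfa": (25, {"privileged_credentials": 0.2}),
    "pam": (35, {"privileged_credentials": 0.5, "database_access": 0.5}),
    "dlp": (30, {"exfiltration": 0.4}),
    "awareness_training": (10, {"spearphishing": 0.7}),
    "db_encryption": (40, {"database_access": 0.3}),
}


def residual_risk(selected):
    """Expected loss (probability that the whole chain succeeds, times impact)
    with the given controls in place."""
    chain_prob = 1.0
    for step, base in ATTACK_CHAIN.items():
        prob = base
        for name in selected:
            prob *= CONTROLS[name][1].get(step, 1.0)
        chain_prob *= prob
    return chain_prob * IMPACT


def best_allocation(budget):
    """Try every control set affordable within budget; return the one with the
    lowest residual risk as (risk, cost, controls)."""
    best = (residual_risk(()), 0, ())
    names = sorted(CONTROLS)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            cost = sum(CONTROLS[n][0] for n in combo)
            if cost <= budget:
                risk = residual_risk(combo)
                if risk < best[0]:
                    best = (risk, cost, combo)
    return best
```

With a budget of 70 the search picks awareness training, MFA and PAM, cutting the assumed expected loss from about 58 to about 2, while the firewall alone moves it only from 58 to 55.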