Breach using spear phishing and backdoors exposed data for 78.8 million people.
Federal prosecutors have indicted a Chinese national they say carried out sophisticated network intrusions on four US companies, including one on health insurer Anthem that stole personal information belonging to close to 80 million people.
Fujie Wang—a 32-year-old resident of Shenzhen, China, who sometimes used the first name Dennis—was part of a hacking group that gained entry to Anthem and three other unnamed companies, according to an indictment unsealed on Thursday. Along with other members of the group, he carried out the hacks using spear-phishing emails that lured employees of the companies to malicious websites. The websites, in turn, installed backdoors on the employees’ computers. The defendants allegedly used the compromised computers to penetrate the networks.
In some cases, the indictment alleged, the hackers would wait months before identifying and harvesting sensitive data stored on the networks, presumably to prevent calling attention to the breaches. The series of intrusions spanned from February 2014 to January 2015. Two of the three unnamed US companies were in the technology and basic materials industries. The third provided communications services.
On February 18, 2014, Wang’s group allegedly sent a spear-phishing email to employees of an Anthem subsidiary. The attack ultimately resulted in at least one of the subsidiary’s computers being infected with malware. On May 13, the group accessed Anthem’s network and infected one of the computers connected to it. Over the next few months, prosecutors said, the hackers carried out a variety of other fraudulent acts.
In one case, Wang “validated with the applicable registrar his control over a domain” he had previously registered using false information. In the following months, the gang continued to access the networks of Anthem and some of the other targeted companies. In some cases, the gang used virtual private servers and the Citrix ShareFile service to steal archive files containing confidential business information. The hackers allegedly used other domains they had registered to carry out the intrusion, although it wasn’t clear how or precisely what role the domains played.
According to the indictment, the group operated inside Anthem’s network for 11 months, starting with the spear-phishing email in February until incident responders ejected the hackers in January 2015. The group needed about nine months before it could access the enterprise data warehouse that stored Anthem’s customer records.
The Black Vine connection
The allegations come 46 months after security firm Symantec said the group that carried out the network intrusion on Anthem breached more than a dozen other companies in a three-year span starting in 2012. The group, which Symantec dubbed Black Vine, was financed well enough to have a reliable stream of weaponized exploits for zero-day vulnerabilities in Microsoft’s Internet Explorer browser. Symantec said Anthem didn’t appear to be a primary target of Black Vine but rather a secondary interest that was intended to further advance a primary interest in companies in the aerospace, energy, military, and technology industries.
Symantec researchers weren’t available for an interview on Thursday, but through a spokeswoman, Vikram Thakur, a senior security researcher with the company, said that “the details, dates and methodologies outlined in the indictment are in line with Symantec’s research on Black Vine.”
Wang and a John Doe defendant are charged with four counts of conspiracy to commit fraud, identity theft, and computer hacking. Wang is currently at large and being sought by the FBI.