China Suspected in Anthem Healthcare Hack

Bloomberg’s Michael A Riley and Jordan Robertson report that state-sponsored Chinese hackers are suspected in a data breach of the U.S.’ second largest health insurer, Anthem, which may have compromised personal information of as many as 80 million customers.

The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group – defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.

[…] In the past year, Chinese-sponsored hackers have taken prescription drug and health records and other information that could be used to create profiles of possible spy targets, according to Adam Meyers, vice president of intelligence at Crowdstrike, an Irvine, Califorinia-based firm. He declined to name any of the companies affected.

[…] Meyers said the breach fits the pattern of a unit that Crowdstrike calls Deep Panda, which over the last several months has targeted both defense contractors and the industry. China appears to be putting together huge databases of individuals who might be intelligence targets, he said. Another example was the theft last year from a government agency of data on tens of thousands of employees who had applied for top-secret clearances, he said. [Source]

Crowdstrike’s Shawn Henry told Bloomberg in a video interview that the usual suspect in a case of this kind would be a criminal organization, but that having looked “at some of the tactics and techniques that were utilized […] we believe that there is a degree of confidence that China is involved.”

At The Intercept, meanwhile, Glenn Greenwald reports that even as Western governments condemn , their intelligence agencies are “riding on the coattails of hackers” by capturing and mining the information they obtain. China is not named as a target of this hacker-hacking, but a list of material gathered suggests a strong possibility.

The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists:

INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:

A = Indian Diplomatic & Indian Navy
B = Central Asian diplomatic
C = Chinese Human Rights Defenders
D = Tibetan Pro-Democracy Personalities
E = Uighur Activists
F = European Special Rep to Afghanistan and Indian photo-journalism
G = Tibetan Government in Exile

In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.” [Source]

Read more on hacking and the regular exchange of accusations between China and the U.S. via CDT.