Similarities with Wellpoint/Anthem Event Should be Understood
The recent announcement from Premera Blue Cross Blue Shield that it has fallen victim to a sophisticated cyber attack that reportedly compromised the medical and financial data of 11 million members is the latest in a series of high-profile cyberattacks targeting the medical and healthcare industry. ThreatConnect’s analysis has uncovered similarities between independent Wellpoint-themed and Premera-themed events.
Before we dig into the analysis, it is important to understand our methodology and goal in publishing our findings. As we see it, threat intelligence begins when you can connect the dots of past events, preferably from multiple independent data sources, to make sense of the threats that you may be seeing now – which then allows you to make better strategic decisions to mitigate risks in the future. The goal of this third party analysis is not to draw conclusions about the exact details of either the Anthem or Premera breaches, but rather to begin to answer the question that many observers ask in the wake of such a revelation: “How does this impact me?”
To answer that question, you don’t need every detail of a specific organization’s intelligence. You just need the data actually relevant to you, in a format you can digest. By bringing to light common indicators of compromise and other key similarities between notable events, organizations can break through the logjam of speculation, make informed decisions, and formulate a risk mitigation process.
In February 2015, ThreatConnect published an in-depth blog post of its third party analysis of notable events that carried an Anthem/Wellpoint theme. Some of the biggest takeaways from this incident were:
- Context suggested possible Chinese state-sponsored involvement.
- Malicious binaries used in several campaigns were digitally signed with a stolen “DTOPTOOLZ Co.” certificate, a very distinctive indicator.
- A common character replacement technique was used in the staging of malicious Premera and Wellpoint themed infrastructure – both observed within five months of each other.
All of those points create very compelling technical associations between what would otherwise be seemingly unrelated events. As we continued to uncover the nuanced details, we saw mounting evidence that this may not be an isolated activity. To demonstrate this, let’s walk through the analysis.
One of the strongest initial indicators that tipped us to the possible targeting of Anthem/Wellpoint was the registration and staging of malicious domains using the “we11point[.]com” theme, which was clearly masquerading as legitimate Wellpoint infrastructure. Notice the subtle character replacement technique used here to obfuscate the nefarious activity, as this will be an important pivot point in the near future. Through our analysis, we were able to determine that the Anthem/Wellpoint infrastructure staging began as early as April 2014.
Given that the DTOPTOOLZ certificate was so specific, we had strong reason to believe that other samples using this digital signature would likely be related to other events.
Pivoting off of the stolen DTOPTOOLZ certificate led to the discovery of another malicious file first observed in December 2013. The binary was engineered to call out to an IP address that had previously hosted the imposter domain prennera[.]com as early as December 11th 2013 – the very same day the malware was first observed. Again, note the character replacement technique, which was subsequently used in the Anthem/Wellpoint faux infrastructure.
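The character replacement technique behind we11point[.]com and prennera[.]com can be checked for mechanically. The following Python is an added example, not ThreatConnect’s code; the brand list, the substitution table and the sample domain list are constructed for illustration, and the lookup assumes simple two-label hostnames such as example.com.

```python
# Lookalike sequences seen in the post: "1" for "l" (we11point) and
# "nn" for "m" (prennera). Table is a constructed, illustrative subset,
# not a full confusables list. Multi-character pairs are collapsed first.
MULTI_CHAR = {"rn": "m", "nn": "m", "vv": "w"}
SINGLE_CHAR = {"1": "l", "0": "o", "3": "e", "5": "s"}

# Constructed list of protected brand labels to watch for.
BRANDS = ["wellpoint", "premera", "anthem"]


def canonicalize(label):
    """Collapse lookalike character sequences into one canonical form."""
    s = label.lower()
    for seq, repl in MULTI_CHAR.items():
        s = s.replace(seq, repl)
    return "".join(SINGLE_CHAR.get(c, c) for c in s)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(domain):
    """Turn the defanged form used in reports (we11point[.]com) into a hostname."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".")


def lookalike_brand(domain, brands=BRANDS):
    """Return the brand the second-level label impersonates, else None.
    The genuine brand label itself is never flagged."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]  # assumes a simple TLD such as .com
    if sld in brands:
        return None
    canon = canonicalize(sld)
    for brand in brands:
        if edit_distance(canon, canonicalize(brand)) <= 1:
            return brand
    return None


def scan(domains):
    """Map each flagged domain to the brand it resembles."""
    hits = {}
    for d in domains:
        brand = lookalike_brand(d)
        if brand:
            hits[d] = brand
    return hits


# Constructed sample of observed domains, modelled on the defanged forms above.
SAMPLE_OBSERVED = ["we11point[.]com", "prennera[.]com", "wellpoint.com", "example.org"]
```

Feeding newly registered or DNS-logged domains through scan() gives an early pivot point of the kind the post describes, before any binary is seen.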
As reported in our blog post The Anthem Hack: All Roads Lead to China, the use of the stolen certificate was not in fact unique to the targeted Anthem attack, but rather appeared to be tradecraft of a very sophisticated threat group targeting more than one organization, a group that is plausibly interested in collecting Personally Identifiable Information (PII) of individuals associated with the U.S. Federal Government. Premera Blue Cross Blue Shield may have been one such organization.
All things considered, and contrary to initial media reports, it appears feasible that attempts to breach, or at least to test weaknesses of, Premera may have occurred as early as December 2013.