February 27, 2015
By: Ellen Nakashima
A Northern Virginia cyber security firm says it has uncovered links between Chinese government-sponsored researchers and the hack of health insurance giant Anthem.
Malicious software used in the Anthem hack conclusively matches malware that was used to target a small U.S. defense contractor and that the FBI has said originated in China, said Rich Barger, chief intelligence officer of ThreatConnect.
“The malware is so unique–the digital signature is so precise–in these two incidents that we strongly feel the same Chinese actors were involved,” Barger said.
He said the links do not reveal who exactly carried out the Anthem hack but point to involvement of Chinese government-sponsored entities.
The company’s report comes as FBI officials say they are close to determining who was behind the Anthem intrusion, which was discovered last month and which exposed the Social Security numbers and other personal data of 80 million current and former members and employees. The FBI also suspects that China was behind the breach, people close to the investigation have said.
“We’re very close already but we’re not going to say it until we’re absolutely sure,” Robert Anderson Jr., executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said this week at a reporters’ roundtable. He said, too, that the FBI “may or may not” make its conclusion public. Factors that affect the decision include whether there are other operations or investigations that could be hindered by public attribution.
The contractor, VAE of Reston, Va., was targeted last year but was not successfully breached, according to Brian Krebs, a security blogger. However, the hackers made a mistake in their attempt on the firm, Barger said.
They used the same computer server to try to break into VAE’s networks and to host a hacking competition sponsored jointly by a university research center and a defense contractor–both with ties to Chinese military and intelligence agencies, he said.
The hacking contest, TOPSEC Cup, was sponsored by Southeast University’s Information Security Research Center in Nanjing and Beijing Topsec Network Security Technology Co. Ltd., a company founded in 1995, and which, according to its founder, received half of its start-up capital from the Chinese People’s Liberation Army (PLA).
The contest Web site, topsec2014.com, and the command-and-control server used to direct the attempt on VAE shared the same Internet protocol (IP) address, Barger said. The IP address was apparently left in the malware used in the VAE attempt by mistake, he said.
The contest was held in the same period–May 2014–in which VAE was targeted, Barger said. It is possible that the hacking attempt was part of the competition, he said.
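The pivot Barger describes, a command-and-control address recovered from the malware that also served a known Web site during the same month, can be reproduced against passive-DNS style resolution records. The Python below is an added example, not ThreatConnect's tooling or data: the sample binary, the hostnames under .example and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed stand-ins, not the real indicators from the VAE case.

```python
"""Infrastructure-overlap pivot (added example with constructed data).

Recover the command-and-control address embedded in a sample, then ask which
other hostnames resolved to that address during the attack window. A contest
site and a C2 server sharing one IP in the same month is exactly the kind of
overlap the article describes.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date

# Dotted-quad literals not glued to other digits or dots (avoids "1.2.3.4.5").
IPV4_RE = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")

# Addresses that are noise in a C2 hunt: unspecified, RFC 1918, loopback, link-local, multicast.
NOISE_NETS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS style record: hostname -> ip, seen between two dates."""
    hostname: str
    ip: str
    first_seen: date
    last_seen: date


def extract_c2_candidates(blob: bytes) -> list[str]:
    """Return routable IPv4 literals found in a binary, in order, without duplicates."""
    found: list[str] = []
    for match in IPV4_RE.finditer(blob):
        text = match.group().decode()
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(addr in net for net in NOISE_NETS) or text in found:
            continue
        found.append(text)
    return found


def pivot_on_ip(ip: str, records: list[Resolution], window: tuple[date, date]) -> list[Resolution]:
    """Records for `ip` whose observation period overlaps the attack window."""
    start, end = window
    hits = [r for r in records if r.ip == ip and r.first_seen <= end and r.last_seen >= start]
    return sorted(hits, key=lambda r: r.first_seen)


def overlap_report(blob: bytes, records: list[Resolution], window: tuple[date, date]) -> dict[str, list[str]]:
    """Map each C2 candidate in the sample to the hostnames that shared its address in the window."""
    return {ip: [r.hostname for r in pivot_on_ip(ip, records, window)]
            for ip in extract_c2_candidates(blob)}


# Constructed sample: a fake PE header, a config string with the C2 and a loopback fallback.
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 8
                  + b"cfg: c2=203.0.113.57:443; fallback=127.0.0.1\x00"
                  + b"User-Agent: Mozilla/4.0\x00")

# Constructed passive-DNS records. 203.0.113.0/24 is a documentation range, not a real host.
PASSIVE_DNS = [
    Resolution("contest2014.example", "203.0.113.57", date(2014, 4, 20), date(2014, 7, 31)),  # stand-in for a contest site
    Resolution("vpn-portal.example", "203.0.113.57", date(2014, 5, 2), date(2014, 5, 30)),    # stand-in for a staging host
    Resolution("old-cdn.example", "203.0.113.57", date(2013, 1, 1), date(2013, 3, 1)),        # same IP, wrong year: ignored
    Resolution("unrelated.example", "198.51.100.9", date(2014, 5, 1), date(2014, 6, 1)),      # different IP: ignored
]

ATTACK_WINDOW = (date(2014, 5, 1), date(2014, 5, 31))  # the May 2014 period named in the article

if __name__ == "__main__":
    for ip, hosts in overlap_report(SAMPLE_DROPPER, PASSIVE_DNS, ATTACK_WINDOW).items():
        print(f"C2 {ip} also served during the window: {', '.join(hosts) or 'nothing'}")
```

The time window matters as much as the address: shared hosting means an IP can carry many unrelated names over the years, so a record from 2013 on the same address is noise, while two names co-resident during the attack month are the evidence worth following up.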
One of the prizes was internships at Beijing Topsec, which recruits for the PLA and undertakes projects for the Ministry of State Security (MSS), an intelligence agency, according to James Mulvenon, vice president for intelligence at Defense Group in Vienna, Va., which collaborated with ThreatConnect. “They’re clearly one of the contractors of choice for both the MSS and the PLA,” he said.
The university research center is sponsored by Beijing Topsec, which does research for the government on network security issues, Mulvenon said. A university professor who organized the competition, Song Yubo, also conducts high-tech research for the government, he said.
ThreatConnect also sees a possible link between the VAE incident and an intrusion into the Office of Personnel Management computers last year. The hackers in both incidents created Web sites masquerading as internal VAE and OPM sites. Tradecraft analysis found that the hackers who set up the sites were likely the same, Barger said.
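The tradecraft noted above, Web sites masquerading as internal VAE and OPM sites, is something a defender can watch for in new-domain feeds (passive DNS, certificate transparency, registrar data). The Python below is an added example and not ThreatConnect's analysis: vae.example and opm.example are hypothetical stand-ins for the organisations' real domains, and the observed names under .test are constructed.

```python
"""Lookalike-domain triage (added example with constructed data).

Flags newly observed domains that imitate an organisation's internal sites:
an org name glued to a service word (vae-vpn), the same name under another
TLD, a one-edit typo, or a digit-for-letter homoglyph.
"""

# Hypothetical legitimate domains for the two organisations named in the article.
LEGIT_DOMAINS = ["vae.example", "opm.example"]

# Words attackers pair with an org name to make a host look like an internal service.
INTERNAL_WORDS = {"vpn", "mail", "webmail", "owa", "portal", "intranet",
                  "sso", "login", "remote", "hr", "benefits"}

# Constructed "newly observed" domains, as a passive-DNS or CT feed might yield them.
OBSERVED = [
    "vae-vpn.test", "opm-webmail.test", "vae.test", "vea.test",
    "0pm.test", "vaepaperclips.test", "weather.test",
]


def sld(domain: str) -> str:
    """Second-level label; assumes a single-label public suffix (no co.uk handling)."""
    return domain.lower().rstrip(".").split(".")[-2]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def dehomoglyph(label: str) -> str:
    """Fold common visual substitutions back to the letters they imitate."""
    return label.translate(str.maketrans("015", "ols")).replace("rn", "m").replace("vv", "w")


def score_lookalike(candidate: str, legit_domains: list[str] = LEGIT_DOMAINS) -> tuple[int, list[str]]:
    """Return (score, reasons) for one candidate against every legitimate domain."""
    label = sld(candidate)
    tokens = set(label.replace("_", "-").split("-"))
    reasons: list[str] = []
    for legit in legit_domains:
        name = sld(legit)
        if label == name and candidate.lower() != legit.lower():
            reasons.append(f"same name as {legit} under another TLD")
        elif name in tokens and tokens & INTERNAL_WORDS:
            reasons.append(f"{name!r} combined with an internal-service word")
        elif label != name and dehomoglyph(label) == name:
            reasons.append(f"homoglyph of {name!r}")
        elif label != name and edit_distance(label, name) == 1:
            reasons.append(f"one edit from {name!r}")
    return len(reasons), reasons


def triage(observed: list[str] = OBSERVED) -> dict[str, list[str]]:
    """Observed domains that matched at least one rule, with the reasons."""
    hits: dict[str, list[str]] = {}
    for domain in observed:
        _, reasons = score_lookalike(domain)
        if reasons:
            hits[domain] = reasons
    return hits


if __name__ == "__main__":
    for domain, reasons in triage().items():
        print(f"{domain}: {'; '.join(reasons)}")
```

The rules are deliberately narrow: a name that merely starts with the org token (vaepaperclips) is left alone, because a broad substring match on a short token would bury the real hits in noise. Hits from a feed like this are a starting point for the kind of registration and hosting comparison the article describes, not proof on their own.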
In recent months, Chinese hackers have broadened their sights beyond corporations with trade secrets to companies and government agencies with large sets of personal data that could be useful for purposes other than identity theft or fraud.
Last year, Community Health Systems in Tennessee reported that hackers “originating from China” copied the personal data–names, addresses and Social Security numbers–of 4.5 million patients. Also last year, Chinese operators breached OPM, which stores data on up to 5 million federal employees and contractors with security clearances. They also reportedly hacked USIS, a contractor that conducts background checks for the Department of Homeland Security, and the U.S. Postal Service–in both cases gaining access to large sets of personal data.
Having such caches of information could aid in the targeting of specific government employees or individuals close to them by enabling the crafting of tailored “spearphish” emails to get a target to click a link that delivers malware. They could also be used to understand how large datasets are structured, to enable the manipulation of databases, or to deceive, by creating records that look like existing records.
Director of National Intelligence James R. Clapper Jr. on Thursday told Congress that analysts see a possible threat from hackers seeking to “change or manipulate” data, which would impair decision-making by government officials and corporate executives if they cannot trust the information they are receiving.