Menu
Premera, Anthem data breaches linked by similar hacking tactics

Premera, Anthem data breaches linked by similar hacking tactics

Security analysts last year saw a fake domain spoofing Premera's name

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches.

Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday.

It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases.

Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem's breach.

But what is known is that the Anthem attackers created a bogus domain name, "we11point.com," (based on WellPoint, the former name of Anthem) that may have been used in phishing-related attacks. Companies try to detect such confusing domain names -- a practice known as typosquatting -- but are not always successful.

One of Deep Panda's attack methods is to create fake websites that imitate corporate services for companies. In Anthem's case, the attackers set up several subdomains based on "we11point.com," which were designed to mimic real services such as human resources, a VPN and a Citrix server.

By targeting Anthem employees with phishing emails and luring them to the fake sites, it may have been possible for the attackers to collect the logins and passwords and eventually access the insurer's real systems.

ThreatConnect, an Arlington, Virginia-based security company, found that Premera appears to have been targeted by the same style of attack.

On Feb. 27, ThreatConnect wrote a blog post describing its research into the Anthem attacks. In the course of that work, ThreatConnect found a suspicious domain name -- "prennera.com."

On Dec. 11, 2013, that domain name resolved to the same IP address as a malware sample seen by ThreatConnect. Even more interesting is that the malware sample was digitally signed with a certificate from DTOPTOOLZ Co., which appears to be a Korean company that at one time made advertising software.

A digital certificate is used to verify that a software program comes from the developer it purports to come from. But the certificates are occasionally stolen. They're especially useful for hackers, as one can make a malware program appear at least on first sight as legitimate.

In September 2014, the computer security firm CrowdStrike found a remote access tool called Derusbi that was often used by Deep Panda. The sample was also signed with a DTOPTOOLZ Co. digital certificate.

In another example, ThreatConnect found a spoofed domain last year that appeared to mimic defense contractor VAE, based in Reston, Virginia. Two malware programs -- Derusbi and another type of one called Sakula -- were linked to the spoofed VAE domain and signed once again with the DTOPTOOLZ Co. certificate.

It could be that the Korean company did not do enough to prevent its digital certificates from being stolen, and that it was pilfered by multiple hacking groups who have then used it in multiple, unrelated attacks. If not, it would be a strong indication that a single group is involved.

Anthem and law enforcement have yet to say who they believe may be responsible, and the Premera investigation is in its early stages. If an attacker is named, it could put further pressure on the U.S. government, which has shown less and less tolerance for what are classified as state-sponsored attacks.

In December, the U.S. government blamed North Korea for the devastating data breach against Sony Pictures Entertainment, one of the first times the government has so quickly and so directly attributed a single attack. The documents released included salary details, internal email and HR documents for employees. Other malicious code destroyed the hard drives of Sony computers.

In May 2014, U.S. federal prosecutors charged five members of the Chinese Army with stealing trade secrets from U.S. organizations over eight years in the first legal action of its kind. China, as is customary, denied the accusations.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Anthemsecuritydata breachPremera Blue CrossExploits / vulnerabilities

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments