Alleged Anthem Hackers in 2015 Cyberattack and Theft of 78.8 Million Records Indicted

The U.S. Department of Justice has charged two Chinese nationals for allegedly carrying out the 2015 hacking of Anthem Inc. Fujie Wang, 32 years old, and an unnamed co-defendant were charged in a four-count indictment in connection with the Anthem cyberattack, in which 78.8 million health insurance records were stolen, and with three further cyberattacks on U.S. businesses between 2014 and 2015.

The allegations in the indictment unsealed today describe how a China-based computer hacking group committed one of the most damaging data breaches on record. The defendants allegedly attacked U.S. businesses in four distinct industries and violated the privacy of more than 78 million individuals by stealing their personally identifiable information (PII).

The charges include:

  • one count of conspiracy to commit fraud and related activity in connection with computers and identity theft
  • one count of conspiracy to commit wire fraud
  • two counts of intentional damage to a protected computer

According to the indictment, Wang and the other members of the hacking group conducted highly sophisticated cyberattacks on businesses beginning in February 2014. The attacks continued until around January 2015.

The attacks began with spear phishing emails sent to employees of the targeted businesses. The emails contained hyperlinks to a malicious website. If a recipient clicked one of the links, a file containing malware was downloaded. When the file was executed, it installed a backdoor on the system that gave the hackers access to the business network through a server under their control. Wang is charged with registering the two domains used in the spear phishing campaign and with sending the emails that delivered the malware.

After gaining access to business systems, the hackers moved laterally through the network in search of data of interest, in some cases waiting months before proceeding with the attack. In the Anthem attack, systems were accessed several times between October and November 2014. The aim was to locate plan members’ personally identifiable information and sensitive business information.

The sensitive data identified was bundled into encrypted archive files and exfiltrated through a chain of computers to locations in China. Large volumes of data were exfiltrated from Anthem on several occasions in January 2015. After exfiltration, the hackers deleted the archive files to avoid detection. Wang’s connection to the attacks on the other businesses was traced through the same two domains used in the Anthem attack.

The FBI launched an investigation as soon as the attacked companies reported the breaches. The companies’ continued cooperation with the FBI made it possible to identify the people behind the cyberattacks.

The speed with which Anthem notified the FBI of the attack was a major factor in successfully identifying those responsible for the breach. Other organizations that find themselves in a similar situation should do the same.