Anthem Attribution to China: Useful?Report Links Breach to Chinese Professor; Experts Respond
New clues have emerged, further suggesting that the hack of health insurer Anthem was launched from China (see Anthem Breach: Chinese Hackers Involved?). Some information security experts say that attribution offers vital clues, but others question its applicability to the businesses that must defend themselves against APT attackers.
The breach of Anthem - formerly known as Wellpoint - exposed personally identifiable information for nearly 80 million people in the United States, including names, dates of birth and Social Security numbers, among other data (see Anthem Breach Tally: 78.8 Million Affected). The breach made it clear that hackers were gunning for healthcare data.
Now, a new report from ThreatConnect, a threat intelligence product and services vendor, ties the malware used in the attack to malicious code that it says has been exclusively used in the past by Chinese APT groups. The report, which is based on "open source intelligence" - information collected from public sources - also links the attack to a professor at China's Southeast University in Nanjing.
Anthem declined to comment on the ThreatConnect report. "We're working with the FBI to investigate, and it's too soon to offer any insight," Anthem spokeswoman Leslie I. Porras tells Information Security Media Group.
Malware: Derusbi, Sakula
The report details multiple parallels between the Anthem hack and a May 2014 phishing attack against U.S. defense contractor VAE. The report says that the VAE attackers - whose phishing attempt failed - used "Derusbi" malware that was digitally signed using a valid signature from Korean software firm DTOPTOOLZ. "Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT [espionage groups]," the report says, noting that it is designed to provide backdoor access to a targeted network. Threat-intelligence vendor Crowdstrike has traced the use of the signature to a Chinese APT group that it calls Deep Panda, which is also called Kung Fu Kittens, Shell_Crew, WebMasters, SportsFans, and PinkPanther.
The apparent Anthem connection comes via its having been attacked with a Derusbi malware variant called "Sakula," a.k.a. Sakurel, that was signed using the same DTOPTOOLZ signature, which researchers say suggests that the same group is behind both attacks. Another parallel was attackers' use of faux IT infrastructure for their command-and-control servers, such as a fake domain named "sharepoint-vaeit.com" to attack VAE, and the fake domains "extcitrix.we11point.com and "www.we11point.com" against Anthem, according to the ThreatConnect report.
As with the VAE attack, the choice of attacker-controlled domain names - "we11point" with the number "11" - was an apparent attempt to disguise the malicious infrastructure, perhaps if someone was inspecting network logs for signs of malicious activity. For example, the Citrix server would have implied that it was being used for remote access. "This provided initial insights as to the likely targeting themes and/or vectors in which the adversary may have used when initiating their targeting campaign," ThreatConnect says.
Links to Chinese University
The Anthem-targeting malware also "phones home" to a command-and-control server that may be tied to the Information Security Research Center at China's Southeast University. The report makes that assertion based, in part, on its finding that the email handle used to register the C&C domain was "TopSec_2014@163.com" - "163" is a popular Chinese Web portal. ThreatConnect also found that the vast majority of search results for the very similar email address "TopSec2014@163.com" lead to an online announcement pertaining to "an information security competition sponsored by the Southeast University-Topsec Information Security and Mobile Internet Technology Joint Research Center," which appears to be a joint research venture between the Southeast University and Chinese networking firm Beijing Topsec Network Security Technology, a.k.a. Beijing Topsec.
The contact point for further information about that competition is listed as being Southeast professor Song Yubo at the TopSec2014@163.com email address. ThreatConnect says the email spelling variation is hardly proof of suspicious activity, except that "Yubo has in fact been previously named as a person of interest in the context of offensive Chinese cyber activity," and cites another study from defense contractor Northrup Grumman.
The researchers also found interesting timing overlaps. "The real smoking gun ... was when we began to notice a strong temporal overlap with the various stages of the Topsec Cup that Song and Beijing Topsec were organizing, and the registration dates of malicious infrastructure as well as the malware compilation dates," the report says, including the dates on which the Sakula malware was compiled, and the C&C servers created.
Multiple security experts say they concur with ThreatConnect's findings. "An outstanding report - logical connections and outstanding intelligence and investigative work," says Tom Chapman, director of the security operations group at computer security firm EdgeWave, noting that while it makes some "leaps," he feels they're justified. "The strength of the report is the linking of the university professor. Following the email and registration chain can give you great leads on the source. Nothing ever disappears on the Internet. The records can go back, and even changing or updating records will only fool those who don't know how to go back even further."
Chapman says he read a shorter version of the report distributed last week by the FBI as a flash alert - which is only a few pages long, and lists hashes for malware files, and known-bad websites - which adds another detail about the Anthem hack: attackers used HUC Packet Transmission tool, a.k.a. HTran, which was reportedly created by the notorious Chinese hacker Lin Yong, a.k.a. "Lion," of the patriotic hacking group known as the Honker Union.
While the purported source code for HTRan is now available online, ThreatConnect notes that Beijing Topsec had employed Lin Yong "in the early 2000s as a security service engineer and to conduct network training," thus suggesting another potential connection between Beijing Topsec and the hacking community.
Target: Human Intelligence
Cyberattack tradecraft expert Shawn Riley, who's executive vice president of the Center for Strategic Cyberspace + Security Science, a London-based think tank, also concurs with the report's findings. "From a takeaway perspective, unlike cybercrime campaigns which traditionally focus on taking data that can be sold for a profit, APT campaigns are more likely to target information surrounding an organization's operations. In this case it was health data for people which could be used in human intelligence (HUMINT) operations," he tells ISMG.
Indeed, multiple security experts note that Anthem was storing data - and in bulk - for many people who work for the U.S. government or defense sector. "If an adversary knows you are sick, they may seek to take advantage of that," Chapman says. "An offer of money or cure for an individual or family member would be very tempting to some." Stealing people's personal information would also allow attackers to conduct further reconnaissance. "There is tons of information I could gather on an individual if I had their PII."
Does Attribution Help?
By ascertaining motives and attack specifics, Riley says experts can better predict how and where attackers will next strike. "Attribution is really a key to turning threat data and information into intelligence and is required to move from reacting to the threats, to being proactive and even predictive," he says.
But some experts question whether such information is relevant for corporate information security programs. "Attribution is for law enforcement," says management consultant and information assurance trainer William Hugh Murray. "The rest of us should be worried about why prevention failed, mitigation and remediation."
Likewise, Jeffrey Carr, president and CEO of cybersecurity consultancy Taia Global, which also develops counter-reconnaissance software, warns that numerous assumptions may underlie such attribution. For example, he singles out the related nomenclature that's evolved - designating activity as belonging to a specific APT gang, or a "something-Panda" group - as "making assumptions about who's who and who uses what tools," which he argues is an artificial construct.
"I have no idea who was behind Anthem, and in my opinion it doesn't make a whit of difference from the victim organization's perspective," he tells ISMG. "They have to defend their critical data from all comers, and their defense shouldn't be dependent upon 'who' the attacker is. Attribution is only useful between governments - not between companies."