Chinese Men Charged With Hacking Health Insurer AnthemData of 78.8 Million Individuals Was Encrypted, Sent to China, US Alleges
Two Chinese men have been indicted on charges related to the breach of health insurer Anthem, which saw the personal information of 78.8 million individuals stolen, as well as attacks against three other large U.S. companies.
Fujie Wang, 32, of Shenzhen, China, is charged with conspiracy to commit fraud, conspiracy to commit wire fraud and two counts of intentional damage to a protected computer. The indictment was filed on Tuesday and unsealed on Thursday in federal court in Indianapolis, where Anthem - formerly known as Wellpoint - is based.
An unnamed man believed to have worked from China was charged with the same counts. His nicknames are listed as Deniel Jack, Kim Young and Zhou Zhihong, prosecutors say in the indictment.
The indictment shows that early hunches that hackers working from China may have been responsible for the Anthem appear to have been confirmed by U.S. investigators (see: Anthem Breach: Chinese Hackers Involved?).
The U.S. doesn't have an extradition treaty with China, so there is likely little chance of the two men charged ever facing trial. But the U.S. has continued to pursue criminal charges against suspects inside and outside of China, in part to send a message.
In August 2017, the FBI arrested Yu Pingan of China, who was charged with allegedly distributing a remote-access Trojan called Sakula. The malware was used against Anthem as well as the U.S. Office of Personnel Management, which exposed the personal information of more than 22 million individuals (see: Chinese Man Allegedly Tied to OPM Breach Malware Arrested).
The indictment does not allege that Wang and the other man were working with China's government, although that has been speculated. Personal data stolen from Anthem never appeared for sale or circulated online, leading to a suspicion that the group behind it may have been a state-sponsored operation.
Prosecutors allege Wang and his colleague targeted three other U.S. businesses. All three are described as large, with one in the technology sector, one in basic materials and one in communication services. All three "had to store and use large amounts of data," according to the indictment.
Not long after the Anthem breach became public in January 2015, the FBI circulated a memo warning that attack tools used in recent breaches matched those used by a group dubbed Deep Panda. According to Mitre, the group is also known as Shell Crew, WebMasters, KungFu Kittens and PinkPanther.
Anthem wasn't mentioned in that memo, which was first reported by Brian Krebs, but the memo referenced other intrusions against U.S. government and private entities that stole personally identifiable information.
The indictment gives new details into how Anthem and the other companies fell victim. The activity started around February 2014. Employees of the companies were sent phishing emails with malicious hyperlinks leading to malware. If executed, a backdoor was installed. The attackers then sought to move laterally across the victims' networks, escalating privileges and making network changes, according to the indictment.
"Defendants sometimes patiently waited months before taking further action, quietly maintaining access to the victim's network," the indictment says.
Then, they searched for personally identifiable and confidential information. With Anthem, they discovered its enterprise data warehouse that contained the data on 78.8 million people. The information included names, birth dates, Social Security numbers, addresses, phone numbers, email addresses, employment information income data and more.
The two defendants ran queries on the data and then placed it in encrypted archive files, prosecutors allege. The attackers created a free trial account with Citrix's ShareFile data storage and transferred the data to other servers in the U.S.
From the U.S., the data was then transferred to China, prosecutors allege. Eventually, they deleted the archives and ShareFile application. Anthem discovered the activity on Jan. 31, 2015, and the attackers lost access, the indictment says.
Largest Health Data Breach
The Anthem hack was the largest health data breach in the U.S. (see: Anthem Mega-Breach: Record $16 Million HIPAA Settlement) It also resulted in one of the largest breach-related lawsuit settlements - $115 million - which may only be topped by a proposed settlement related to Yahoo's breach (see: Yahoo Takes Second Swing at Data Breach Settlement).
Anthem also paid $16 million as part of a HIPAA settlement with U.S. regulators. The Department of Health and Human Services' Office for Civil Rights alleged that Anthem "failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information."