Anthem Attackers Tied to Espionage
Prioritize Defenses, Not Attribution, Says Symantec's Thakur
A very high-profile series of attacks has been attributed to an apparently well-financed group operating out of China that's known as Black Vine. The group's victims include healthcare insurance provider Anthem, resulting in the theft of 80 million records, but the organization has also been tied to attacks against aerospace and aviation companies, gas turbine manufacturers, as well as organizations in the finance, military and healthcare sectors, says Vikram Thakur, a senior security researcher with Symantec (see Anthem Attribution to China: Useful?).
"The group itself is probably not using the data, but they are giving it to somebody else, and that somebody else is looking for either specific information, pertaining to certain people under that healthcare provider, or people who belong to a certain organization," Thakur says (see Report: Mercenaries Behind APT Attacks). "But the data is definitely not going to be used 'as is.' It's pretty evident that the data would need to be combined with something else in order to achieve the goals that the people behind the real attacks intended."
Black Vine also appears to be one of a number of groups of attackers - all of whose attacks have been attributed to groups or individuals based in China - who make use of the so-called Elderwood Project, which appears to sell not only zero-day exploits that "buyers" get the exclusive use of for a short period of time, but also attack components. Notably, Black Vine also uses custom-built malware for establishing a backdoor on infected systems, giving attackers a beachhead inside networks and allowing them to conduct quiet, low-and-slow reconnaissance and exfiltration, Thakur writes in a new report on Black Vine.
Finding: Espionage Only - No Cybercrime
Black Vine appears to steer clear of cybercrime. "When we look at the viruses and the worms that these people write, it's very easy to distinguish one from the other," Thakur says. "One is literally trying to give control of the computer to the remote attacker, and on the other side - on the cybercrime side - we see all it's doing is looking for very specific financial information and sending that back to the attackers' infrastructure."
In this interview with Information Security Media Group, Thakur also discusses:
- Analysis of whether the Anthem and U.S. Office of Personnel Management breaches are related - and if that even matters for victims;
- Defensive steps organizations must take to defend against groups that use exploit techniques akin to the Black Vine group;
- The need to implement a "policy of least privilege";
- Why CISOs must treat all attacks equally, be they of supposed cybercrime or cyber-espionage origin.
Thakur is a senior manager within Symantec's Security Response team - Symantec's first global threat-intelligence team, which he founded - and now manages a team of analysts who investigate, research and compile actionable intelligence from the vast number of attacks that happen daily. Thakur also regularly liaises with outside research organizations as well as law enforcement agencies around the world. He has previously held a number of research-related roles at Symantec, and worked as a network and system administrator at Florida State University.