Security Audit of Premera Found IssuesAgency Conducted Review Before Attack Apparently Started
About a month before hackers apparently launched a cyber-attack on Premera Blue Cross, a federal watchdog agency gave the health insurer 10 recommendations for how it should address various security weaknesses discovered during systems audit.
Among the weaknesses found by the Office of Personnel Management's Office of Inspector General's audit were issues related to patch management, insecure server configurations and weakness related to password history configuration settings.
An OPM OIG spokeswoman tells Information Security Media Group: "We do not know how the [Premera] breach occurred, so we cannot comment on whether the weaknesses we found in our audit contributed."
The onsite portion of the audit was conducted during January and February of 2014, with additional offsite audit work performed by OIG before and after the on-site visit. The draft report that OIG issued to Premera on April 18, 2014, was based on Premera's security controls as of March 2014, according to a final version of the report that OIG issued publicly in November 2014.
In a statement earlier this week, Premera, based in Mountlake Terrace, Wash., said that on Jan. 29, it discovered that cyber-attackers had gained unauthorized access to its systems, exposing information on 11 million individuals. An investigation by forensic experts hired by Premera shows that the initial attack occurred on May 5, 2014, the insurer says. That's less than a month after OIG issued its draft audit report.
Among OIG's recommendations in its draft audit report was that "Premera implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hotfixes on a timely basis."
The health plan responded June 30, 2014: "Premera agrees to implement procedures and controls for appropriate deployment of service packs and hotfixes by Dec. 31, 2014. However, Premera respectfully disagrees with the section of the recommendation related to patches as it believes deployment of critical security patches is in compliance with the documented patch management policy provided to the OPM audit staff."
In its reply to Premera's comments, OIG wrote, "The results of the vulnerability scans performed during the fieldwork phase of this audit indicated that Premera was not in compliance with its policy for deploying patches within a specific timeframe based on criticality. As part of the audit resolution process, we recommend that Premera provide OPM with evidence that it has adequately implemented this recommendation."
It's difficult to determine whether the recommendations OIG made to Premera, if immediately implemented, would have made a difference in thwarting the cyberattack, some security experts say. In any case, "failure to patch and unsecure configurations are vulnerabilities we've known about for decades," says privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group.
"Regardless of whether they contributed to this latest attack, every organization - large and small - should pay attention to such common issues," she says. "Make it a priority to keep up with patches. Run vulnerability scans and respond to them by correcting security problems. Make sure your tech and infosec staff understand these security risks, and train them if not."
Eric Earling, a Premera spokesman, tells Information Security Media Group that the review by OPM OIG was a "routine audit" that was conducted because the health insurer offers health plans for federal employees. Regarding the various OIG recommendations, he says, "Premera implemented the steps it said it would take."
The audit's findings about Premera's security, and the cyber-attack on the company, are unrelated, "separate" issues, Earling contends, adding that the report also noted that OIG had not found any HIPAA security compliance issues.
In its final Nov. 28, 2014, audit report, OIG wrote, "Premera has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA Security Rule. Nothing came to our attention to indicate that Premera is not in compliance with the various requirements of HIPAA regulations."
Some security experts say the attack on Premera may have begun months earlier than May 2014, as the insurer reports. For instance, ThreatConnect, a threat intelligence product and services vendor, says it has found evidence that an attack on the health insurer's infrastructure may have started as early as December 2013, or at least a month before OPM OIG began its onsite audit.
In response to those assertions, the OPM OIG spokeswoman says: "We would not have detected the breach if it had started while we were on site. Our audit objective is to evaluate an organization's it security controls and processes, not to monitor network activity at the time of the audit."
As to how hackers were able to access Premera's systems, "it's hard to know," says Robert Hansen, vice president of WhiteHat Labs, part of security testing firm WhiteHat Security. "It's not even clear to me that it was a Web-based vulnerability. It could have, for example, been malware sent via an email or drive-by download, but statistically speaking it was probably SQL Injection or Command Injection if it involved customer records."
The Healthcare Information Trust Alliance, an information sharing organization, says it had published for its members multiple reports about suspicious activity related to Premera about a month before the company announced the breach.
In addition HITRUST, in conjunction with ThreatStream, a provider of threat intelligence technology, "continues to work with intelligence sources related to the suspicious domain 'prennera.com,' which is linked to Deep Panda's phishing attack method also leveraged in the recent Anthem breach," HITRUST says. "Early speculation is this [Premera] breach is also tied to threat actor Deep Panda, and the initial incident may date back as far as May 2014."
Deep Panda is the code name assigned by adversary-tracking firm CrowdStrike to a group of hackers - operating from China - which it refers to as "one of the most advanced Chinese nation-state cyber intrusion groups." The group is also known as KungFu Kittens, SportsFans, PinkPanther and "Shell_Crew," according to information security firm RSA.
Earling tells ISMG that the hackers did not exfiltrate the data that was exposed. And while the data was encrypted, "the way the data was accessed rendered the encryption moot," he adds, declining to elaborate.
Commenting on whether the Premera attack could be related to the hack against health insurer Anthem Inc., which resulted in a breach impacting 78.8 million individuals, Earling says the two incidents are "two different cyber-attacks, two different issues." He declined to comment on speculation by some security experts that China is involved in either attack.
Earling also wouldn't comment on the possible motives for hackers to access Premera's systems but not exfiltrate data. "It's impossible to say why we were targeted."
Premera waited about six weeks to announce the breach after discovering the attack based on the advice of experts involved in the investigation, he says. That's because the insurer first took steps to "cleanse and secure its IT system" before revealing it was aware of the intrusion. "If the breach is announced before that, cyber-attackers [if still in the systems] get more malicious, putting more data at risk," he says of the advice the investigators gave Premera.
The 11 million individuals affected by the breach "across the country" are being notified now, he says.