Blame game

Hacked American businesses are using China as a scapegoat

An investigation attributed the Anthem data breach to a nation state, but some are skeptical.


Governments have the scariest hackers. North Korea hacking Sony Pictures; Russia reportedly hacking a Ukraine power grid; China allegedly breaking into the New York Times — nation states have tremendous resources to pour into hacking their enemies. The difficulty of proving where an attack came from even gives countries some immunity. Russia is still denying it hacked the Democratic National Committee, even after being formally accused by the US.

Large data breaches of private companies are becoming more and more common. It's also becoming more common to point to foreign government attackers. That’s what Anthem, which suffered by far the largest health information data breach ever, is trying to do now.

Anthem disclosed in 2015 that hackers stole records containing extensive personal information for more than 78.8 million members and employees. The data included names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses, and employment information, including income data.

An examination into the Anthem breach conducted by business consulting firm Alvarez & Marsal and the Irvine, California-based cybersecurity firm CrowdStrike Services, Inc. concluded with “medium confidence” that the attack came from a foreign government, although it did not disclose which government.

The investigation covered the period from February 18, 2014, the date the attacker first entered Anthem’s system, through July 15, 2015, the last date on which Anthem provided information to the examination team. It was compiled in order to assess how much Anthem’s own insurers should have to pay for the fallout from the breach. In the time following the Anthem breach, at least one class action lawsuit has been brought to trial against the insurance provider regarding the incident. The breach cost the company an estimated $100 million or more, and the total could well exceed that amount given the number of individuals affected and the costs of notifying all of the parties involved, according to the Insurance Insider.

Saying the attack came from a malicious foreign state government makes it sound like there wasn’t much Anthem could do. What private company could be expected to prepare for what is arguably an act of war?

It has almost become an acceptable excuse to blame a state actor whenever a company is breached, said Michael Lipinski, chief information security officer and chief security strategist for cybersecurity firm Securonix.

Blaming a nation state is a release of responsibility — “‘It was a state actor, nothing we could do about it’ excuse,” he told The Outline. “I don’t subscribe to that but, it sure appears that we are becoming numb to the repeated use of that actor.”

People have started to conflate state-sponsored hacking with attacks coming from inside that country, Lieberman Software President Philip Lieberman said. In other words, just because some hackers are Russian doesn’t mean they’re being employed by the Russian government.

He was skeptical that the examination could properly attribute the Anthem attack to a nation state. Even if it was a state actor, it could be China making it look like Russia or Russia making it look like China. In order to properly attribute the attack to a nation state, “it would require cooperation between countries and information sharing that does not exist today,” he said.


The report looked at Anthem’s state of cybersecurity preparedness prior to the breach, its response to the breach, and the adequacy of measures taken to mitigate harm. It also attempted to identify the threat actor behind the breach, which CrowdStrike said it determined with high confidence but did not name. CrowdStrike declined to comment for this article.

Leo Taddeo, former FBI special agent in charge of internet crime and now chief security officer at cybersecurity firm Cryptzone, didn’t comment specifically on the report but told The Outline he believes earlier reports that the attack was most likely carried out by the same Chinese cyber espionage group that hacked the Office of Personnel Management (OPM) in 2015, making off with more than 21 million records and compromising personally identifiable information, including fingerprint records.

In June 2015, confidential sources told Reuters that a rare tool, dubbed Sakula, was used by the hackers in both the OPM and Anthem breaches. Sakula is a remote access trojan (RAT), malware that allows an attacker to seize control of someone else’s device over an internet connection.

In addition, the hackers in both situations used malware signed by certificates stolen from DTOPTOOLZ Co, a Korean software company, although the firm maintained it had no part in either breach. Attackers in both cases used phony websites resembling the original sites in order to phish information; for example, the hackers responsible for the OPM breach registered OPMLearning.org to trick employees into turning over their names and passwords.

But why would a nation state want to target an insurance company?

“While the database alone might not be of value to them, it can be combined with other stolen data to create profiles to track dissidents who might speak out against the regime,” Taddeo said. The data could also reveal details about their families, occupations and anything else that could be leveraged in the attackers' favor.

He said the attacks were carried out by the Chinese government hackers in order to collect information to help identify Chinese dissidents in the U.S., as well as to track people who may frequently visit China.

Taddeo said that while average cyber criminals may target private sector organizations such as Anthem for information to use for monetary gain, the information stolen in the Anthem breach could be used to blackmail people in positions of power and to carry out spearphishing attacks to gain more valuable information.

The attack appeared to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of defense contractors, government workers and others, one U.S. government official told Bloomberg. Some officials said the breach was reportedly carried out in order to learn how US medical care works, to assist the nation with its 2020 plan to provide universal healthcare.

Implicating another nation state may make Anthem’s customers slightly more forgiving, but it may not make the company any less liable.

“In our experience, the nature of the attacker alone does not provide a legal shield of liability,” Lieberman told The Outline. “The victim must demonstrate competence in securing their environment and the use of proactive steps to limit losses – for example, changing passwords, disabling unused accounts, limited use of administrator accounts like domain administrator, doing vulnerability scans, patching systems, etc.”

In other words, Anthem just has to prove it did everything it should have been doing to protect customers.

However, CrowdStrike itself admits that we don’t really know if Anthem was attacked by hackers employed by a foreign government. There is reason to believe that this attack may not have been a state hacker, but just a gold-digging regular criminal.

Large data breaches are becoming more and more common and can have serious consequences, especially if they are carried out by a foreign hacker with unclear motives. But pointing fingers at Russia, China, or even North Korea does not absolve companies of the responsibility to protect their consumers' data.


Robert Abel is the content coordinator at SC Media. He graduated from the University of Missouri School of Journalism and is currently pursuing a master's degree in computer science at Pace University.