The California Department of Insurance on Friday revealed that an investigation into the data breach of health insurance giant Anthem Inc. has concluded that a foreign country was behind the attack.
The massive data breach was first discovered by Anthem on January 27, 2015, and was publicly announced the following month. The incident impacted 78.8 million consumer records, including records of at least 12 million minors, the company revealed.
Several months later, security firm Symantec published a report saying that Anthem was breached by a threat group known as Black Vine, which has been active since at least 2012. The actor was said to have ties to the Chinese People's Liberation Army (PLA) and to have worked with Chinese firm Topsec, as well as to have targeted aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries in the US, China, Canada, Italy, Denmark, and India.
In its announcement last week, the California Department of Insurance revealed that the insurance commissioners' examination team, which was composed of the cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services, had determined the identity of the attacker and its ties with a foreign country.
“The team determined with a high degree of confidence the identity of the attacker and concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government. Notably, the exam team also advised that previous attacks associated with this foreign government have not resulted in personal information being transferred to non-state actors,” the California Department of Insurance said.
This is the second investigation into a data breach to blame a state-sponsored actor for an incident over the past two weeks. On December 29, a Joint Analysis Report (JAR) released by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) attributed last year’s attacks against the Democratic National Committee (DNC) and U.S. presidential election to Russian civilian and military intelligence Services (RIS).
The JAR claimed that two threat groups known as Fancy Bear (aka Pawn Storm), and Cozy Bear (aka CozyDuke) were involved in the attacks, and referred to their malicious cyber activity as GRIZZLY STEPPE. The report was accompanied by several retaliatory actions U.S. President Barack Obama announced against Moscow, such as imposed sanctions on two intelligence agencies, the expelling of 35 diplomats and denied access to two Russian compounds inside the United States.
Since the report was published, however, security experts have voiced criticism, saying the report failed to achieve its purpose. The JAR was supposed to provide evidence that those groups were behind the attacks, to validate findings of private security companies, and deliver information that would help organizations improve their stance against such attacks.
The California Department of Insurance’s announcement falls short of offering similar facts regarding the Anthem breach, most likley because that information was included in a classified report. However, some security experts suggest that the announcement doesn’t provide accurate information on Anthem’s security preparedness at the point of compromise either.
“It’s becoming almost acceptable to blame a state actor for these breaches. First, it’s very hard to verify that involvement. It’s easy to buy access to servers in many countries using bitcoin and even find the malware used in many cases on the dark web. Without having access to the remote system it’s always going to be more of a guess,” Michael Lipinski, CISO and chief security strategist for Securonix, told SecurityWeek in an emailed statement.
“That said, I still submit to the masses that it should not matter. It’s becoming an excuse to blame state actors on these breaches, almost removing blame for the victim. We need to do a better job defending against all types of attacks rather than accepting that if a state actor hacks you, it’s ok,” Lipinski continued.
According to the California Department of Insurance, the investigation team found that “Anthem had taken reasonable measures prior to the data breach to protect its data,” and that the health insurer also “employed a remediation plan resulting in a rapid and effective response to the breach once it was discovered.”
Weeks after the data breach became public knowledge, reports emerged that Anthem declined a security audit from the Office of Personnel Management's Office of Inspector General (OPM OIG). Some experts suggested that the company had good reason to decline, while others suggested that it might simply not want to go through an audit that would reveal security issues it is already aware of.
“I would disagree with the security team finding that ‘they employed a remediation plan resulting in a rapid and effective response.’ You don’t lose 78 million records in hours, it takes time; so the remediation of the initial breach was not necessarily timely. Sure, within weeks of finding the loss of data they brought in consulting teams to help, but I would be more concerned with the time it took them to notice that 78 million records were leaving their environment,” Lipinski said.
The investigation determined that the Anthem’s network was compromised on February 18, 2014, through a phishing attack. A user within one of Anthem's subsidiaries opened the email, and the malicious files downloaded to the machine allowed hackers to gain remote access to that computer. The attackers also gained remote access to “at least 90 other systems within the Anthem enterprise, including Anthem's data warehouse.”
The examination team didn’t merely note Anthem's exploitable vulnerabilities, but also helped the company come up with a plan to address them, and helped testing the strengthened security after implementation. “As a result, the team found Anthem's improvements to its cybersecurity protocols and planned improvements were reasonable,” the announcement reads.
Following the data breach, Anthem decided to improve its information security systems, while also agreeing to provide credit protection to all consumers whose information was compromised. The cost of these security improvements and remedial actions would rise to over $260 million dollars.
“What can be done? Prudent use of technology to enhance the people and process aspect of the ‘detect and respond’ portion of an information security program needs to become a focus for all organizations. I would also like to see far more partnering between private and government sectors. I think the government could drive more information sharing efforts,” Lipinski said.
Around 707 million data records worldwide were compromised in a total of 1,673 data breaches throughout 2015. Impacting nearly 80 million records, the Anthem breach was the largest of them, followed by the incident involving Turkey’s General Directorate of Population and Citizenship Affairs, which exposed 50 million records. They scored 10 and 9.9 on Gemalto’s risk assessment scale, respectively.