Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Anthem Hackers Targeted Multiple Industries Since 2012: Symantec

Black Vine Espionage Group Attacked Aerospace, Energy, Healthcare Industries

Symantec has been monitoring the activities of the cyber espionage group that breached health insurance giant Anthem last year. Researchers say Anthem is just one of the threat actor’s many high profile targets.

Black Vine Espionage Group Attacked Aerospace, Energy, Healthcare Industries

Symantec has been monitoring the activities of the cyber espionage group that breached health insurance giant Anthem last year. Researchers say Anthem is just one of the threat actor’s many high profile targets.

The personal details of 80 million individuals were compromised in the Anthem breach that came to light in February. Following the incident, researchers determined that the attackers were linked to Topsec, a Beijing-based IT security company with ties to the Chinese People’s Liberation Army (PLA).

According to Symantec, the cyber espionage group behind the Anthem hack, which the company calls “Black Vine,” has been active since 2012. The group has relied on custom-built malware, zero-day exploits, and watering hole attacks to target organizations in the aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries.

While a majority of the group’s victims were spotted in the United States (82 percent), some infections were also detected in China, Canada, Italy, Denmark, and India.

One of the Black Vine attacks aimed at the energy sector involved gas turbine manufacturer Capstone Turbine. The company fell victim in late December 2012 to a watering hole attack that leveraged an Internet Explorer zero-day vulnerability (CVE-2012-4792) to deliver malware to the visitors of Capstone’s website.

In mid-2013, the threat group targeted a European aerospace company. The attackers compromised the organization’s website and used a different Internet Explorer zero-day (CVE-2014-0322) to distribute malware to visitors.

Symantec researchers found that many of the zero-day exploits used by Black Vine had been leveraged at around the same time by other threat groups. Experts determined that the zero-days were obtained from the Elderwood platform, a framework that provided multiple China-based threat groups the exploits they needed to carry out their activities.

As far as malware is concerned, Black Vine has used three custom-developed threats to gain remote access to targeted machines: Hurix, Sakurel, and Mivast. These pieces of malware, apparently created by the same author, provide the attackers a backdoor to infected systems, allow them to execute files and commands, and collect information on the targeted device.

“Our analysis suggests that Black Vine is well resourced, as the group is capable of frequently updating and modifying its malware to avoid detection,” Symantec researchers said in a blog post.

As for attribution, Symantec has also found a link between the threat group and the Chinese firm Topsec.

“Certain Black Vine infrastructure seems to be associated with the Beijing-based security organization Topsec. The relationship with Black Vine and Topsec provides evidence of the past or present geography of at least some actors involved in this group’s activity,” Symantec noted in a report on Black Vine’s activities.

The security firm believes Black Vine’s malicious operations will continue.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...