Anthem Hackers Targeted Multiple Industries Since 2012: Symantec

Black Vine Espionage Group Attacked Aerospace, Energy, Healthcare Industries

Symantec has been monitoring the activities of the cyber espionage group that breached health insurance giant Anthem last year. Researchers say Anthem is just one of the threat actor’s many high profile targets.

The personal details of 80 million individuals were compromised in the Anthem breach that came to light in February. Following the incident, researchers determined that the attackers were linked to Topsec, a Beijing-based IT security company with ties to the Chinese People’s Liberation Army (PLA).

According to Symantec, the cyber espionage group behind the Anthem hack, which the company calls “Black Vine,” has been active since 2012. The group has relied on custom-built malware, zero-day exploits, and watering hole attacks to target organizations in the aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries.

While a majority of the group’s victims were spotted in the United States (82 percent), some infections were also detected in China, Canada, Italy, Denmark, and India.

One of the Black Vine attacks aimed at the energy sector involved gas turbine manufacturer Capstone Turbine. The company fell victim in late December 2012 to a watering hole attack that leveraged an Internet Explorer zero-day vulnerability (CVE-2012-4792) to deliver malware to the visitors of Capstone’s website.

In mid-2013, the threat group targeted a European aerospace company. The attackers compromised the organization’s website and used a different Internet Explorer zero-day (CVE-2014-0322) to distribute malware to visitors.

Symantec researchers found that many of the zero-day exploits used by Black Vine had been leveraged at around the same time by other threat groups. Experts determined that the zero-days were obtained from the Elderwood platform, a framework that provided multiple China-based threat groups the exploits they needed to carry out their activities.

As far as malware is concerned, Black Vine has used three custom-developed threats to gain remote access to targeted machines: Hurix, Sakurel, and Mivast. These pieces of malware, apparently created by the same author, provide the attackers a backdoor to infected systems, allow them to execute files and commands, and collect information on the targeted device.

“Our analysis suggests that Black Vine is well resourced, as the group is capable of frequently updating and modifying its malware to avoid detection,” Symantec researchers said in a blog post.

As for attribution, Symantec has also found a link between the threat group and the Chinese firm Topsec.

“Certain Black Vine infrastructure seems to be associated with the Beijing-based security organization Topsec. The relationship with Black Vine and Topsec provides evidence of the past or present geography of at least some actors involved in this group’s activity,” Symantec noted in a report on Black Vine’s activities.

The security firm believes Black Vine’s malicious operations will continue.