
U.S. Charges Chinese Hackers Over Massive 2015 Anthem Breach

The U.S. Justice Department on Thursday announced charges against members of an “extremely sophisticated hacking group operating in China” in connection with the massive 2015 data breach that impacted health insurer Anthem.

A four-count indictment, unsealed on Thursday, alleges that 32-year-old Fujie Wang and other unknown members of the hacking group broke into computer systems of Anthem and three other unnamed U.S. businesses.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII.”

While the indictment does not allege any connections to the Chinese Government, Symantec published a report in July 2015 claiming that Anthem was breached by a threat group known as Black Vine, which had been active since at least 2012. The threat actor was said to have ties to the Chinese People’s Liberation Army (PLA) and to have worked with Chinese firm Topsec, as well as to have targeted aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries in the US, China, Canada, Italy, Denmark, and India.

In January 2017, the California Department of Insurance revealed that an investigation into the data breach of Anthem concluded that a foreign country was behind the attack.

According to the indictment, the defendants used spearphishing emails containing hyperlinks that led to code which installed a backdoor, giving them remote access to the victims' systems.

“The defendants sometimes patiently waited months before taking further action, eventually engaging in reconnaissance by searching the network for data of interest, according to the indictment,” the Justice Department said. 

“The indictment further alleges that once the data of interest had been identified and located, the defendants then collected the relevant files and other information from the compromised computers using software tools. The defendants then allegedly stole the data of interest by placing it into encrypted archive files and then sending it through multiple computers to destinations in China.”  

Weeks after the data breach became public knowledge, reports emerged that Anthem had declined a security audit from the Office of Personnel Management’s Office of Inspector General (OPM OIG). Some experts suggested that the company had good reason to decline, while others suggested that it might simply not have wanted to go through an audit that would reveal security issues it was already aware of.

In October 2018, Anthem agreed to pay the U.S. government $16 million to settle potential privacy violations related to the breach.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
