The U.S. Justice Department on Thursday announced charges against members of an “extremely sophisticated hacking group operating in China” in connection with the massive 2015 data breach that impacted health insurer Anthem.
A four-count indictment, unsealed on Thursday, alleges that 32-year-old Fujie Wang and other unknown members of the hacking group broke into computer systems of Anthem and three other unnamed U.S. businesses.
“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII.”
While the indictment does not allege any connections to the Chinese Government, Symantec published a report in July 2015 claiming that Anthem was breached by a threat group known as Black Vine, which had been active since at least 2012. The threat actor was said to have ties to the Chinese People’s Liberation Army (PLA) and to have worked with Chinese firm Topsec, as well as to have targeted aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries in the US, China, Canada, Italy, Denmark, and India.
In January 2017, the California Department of Insurance revealed that an investigation into the data breach of Anthem concluded that a foreign country was behind the attack.
According to the indictment, the defendants used spearfishing emails containing hyperlinks linking to code that installed a backdoor that provided them with remote access to the systems.
“The defendants sometimes patiently waited months before taking further action, eventually engaging in reconnaissance by searching the network for data of interest, according to the indictment,” the Justice Department said.
“The indictment further alleges that once the data of interest had been identified and located, the defendants then collected the relevant files and other information from the compromised computers using software tools. The defendants then allegedly stole the data of interest by placing it into encrypted archive files and then sending it through multiple computers to destinations in China.”
Weeks after the data breach became public knowledge, reports emerged that Anthem declined a security audit from the Office of Personnel Management’s Office of Inspector General (OPM OIG). Some experts suggested that the company had good reason to decline, while others suggested that it might simply not want to go through an audit that would reveal security issues it is already aware of.
In October 2018, Anthem agreed to pay the U.S. government $16 million to settle potential privacy violations related to the breach.