Report: Chinese Government Stealing US Health Data

A Virginia-based IT security company, ThreatConnect, announced on February 27 that scientists on the Chinese government’s payroll may have been behind the Anthem hack.

When the hack was initially reported in the news, Anthem noted that it had hired an outside security firm to study the details of the attack. Presumably ThreatConnect is that organization.

Anthem is not off the hook. On the contrary, the manner in which data was being stored – completely unencrypted – is grossly negligent when handling vast stores of highly sensitive personal information. But that’s another story.

Malware Has Been Used Before

The behavior of the applications hackers used to break into the insurer’s system and collect confidential records was strongly similar to malware unleashed on an American military-industrial firm. The FBI determined that the technology used in the previous incident was based in China.

“The malware is so unique – the digital signature is so precise – in these two incidents that we strongly feel the same Chinese actors were involved,” ThreatConnect CIO Rich Barger told the Washington Post.

Hedging his perspective, Barger noted that it’s still somewhat unclear who stole the Anthem files, but the malware similarities are impossible to ignore.

The announcement from ThreatConnect is more than a publicity stunt. It serves as a private-sector precursor to the result of an FBI investigation into the breach, in which intruders spirited away with the personal identities (including Social Security numbers in some cases) of 80 million people. The victims are diverse and represent all user accounts in the system going back to 2004 – Anthem customers, workers, and even non-customers (perhaps people who had requested information, although details on the non-customers were sparse).

It helps that ThreatConnect found that China was the source of the attack since the FBI is expected to arrive at a similar conclusion. People are understandably wary of government reports, but it’s possible the security community was a little too dismissive when the FBI implicated North Korea in the slash-and-burn devastation of Sony Pictures – after all, apparently some of the code was even written in Korean.

“We’re very close already but we’re not going to say it until we’re absolutely sure,” explained Robert Anderson, Jr., the second-in-command official at the FBI’s Criminal, Cyber, Response, and Services Branch (see CCRSB), a division built with counterterrorism funding that handles all computer-based crime for the Bureau. Anderson also mentioned that it’s possible the results of the investigation will be designated as classified. Findings will not be released if doing so will jeopardize other investigations.

The 2014 attack on the defense company, Virginia-based VAE, was a failure, per security expert Brian Krebs. The attackers didn’t even reasonably cover their tracks.

Hack-a-Thon Targets Other Side of Earth

The same server that targeted VAE was used in a hacking contest organized by a defense firm and college tech lab, both of which are connected to the Chinese intelligence community.

The IT intrusion competition, Topsec Cup, was held at China’s Southeast University and organized in part by Beijing Topsec Network Security Technology, a company that drew 50% of its seed money from the Chinese People’s Liberation Army, a military force that does more than co-opt super-groovy John Philip Sousa marches.

The site for the hacking competition,, used the same IP address as the server used to assault VAE, according to Barger, who posited that probably the researchers did not know that the malware code accidentally contained the IP.

The hacking event took place in May 2014, the same month that VAE was struck.

Winners of the contest became eligible for internships with Beijing Topsec, which works closely with the Ministry of State Security. “They’re clearly one of the contractors of choice for both the MSS and the PLA,” explained James Mulvenon of Defense Group, which provided industry-insider support to ThreatConnect.

The academic lab is partially funded by Beijing Topsec, which is contracted by the Chinese government to study computer security. The professor who created the contest, Song Yubo, has an individual contract with the government as well.

ThreatConnect additionally believes that infiltrations of VAE and the Office of Personal Management (OPM) were waged by the same group: both times, the attackers built external sites that mimicked the behavior of each organization’s intranet site.

Over the last year, Chinese cyber-spies have shifted their attention from strategic corporate files to huge pools of sensitive user information.

Beyond the VAE attack, China is believed to be behind the following 2014 breaches:

  • Tennessee’s Community Health Systems notified the Department of Health and Human Services that it had suffered a major breach. The command server was identified as Chinese. More than 4 million patient records were taken.
  • China invaded the OPM system containing information on millions of individuals with national security privileges.
  • Chinese actors are believed to have stolen the user database from the US Postal Service.
  • They are suspected of targeting USIS, which vets potential hires for the Department of Homeland Security.

What To Do

What can China do with the hacked data? Some experts believe that they will use it for spearphishing, sending carefully customized emails to specific parties to get them to follow links laced with malware. “They could also be used to understand how large datasets are structured, to enable the manipulation of databases, or to deceive, by creating records that look like existing records,” the Post coverage explains.

What can you do to protect yourself? Work with a company that cares about security and cares about proving its credibility through universally accepted professional standards. Get SSAE 16 compliant hosting today!

By Kent Roberts

Free Use Image via Wikipedia