
US Government Hackers Linked To Anthem Breach

The hackers who stole millions of records from sensitive US government personnel systems may also have been behind a data breach at US health insurer Anthem disclosed earlier this year, as well as other, similar incidents, according to security researchers.

The group in question, called “Deep Panda” by IT security firm CrowdStrike, is distinct from the Chinese military hacking groups that have been accused of other US data attacks, and while little is known about it, it appears to be affiliated with China’s Ministry of State Security, which focuses on internal government stability, counter-intelligence and monitoring dissidents, researchers said.

Researchers including CrowdStrike, EMC’s RSA Security, ThreatConnect and others said they believed the Deep Panda group was behind both the OPM and Anthem hacks. CrowdStrike said Deep Panda’s tools and techniques were also used to monitor Hong Kong protesters, and IT security firm FusionX said a breach at United Airlines was possibly also carried out by the same hackers.

The group’s exact affiliation with the Chinese government is not known, and it may be a private contractor, researchers said.

US government agencies declined to comment on the matter as the investigation is ongoing.

“The threat that we face is ever-evolving,” said Josh Earnest, the White House press secretary, at a press briefing earlier this month. “We understand that there is this persistent risk out there. We take this very seriously.”

The US has not formally accused China of carrying out the attack, and the Chinese government has denied that it was involved.

“Chinese law prohibits hacking attacks and other such behaviours which damage Internet security,” said China’s Foreign Ministry in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

Sensitive records

US government officials last week disclosed that the breach affected two separate systems: the Electronic Official Personnel Folder (eOPF) system, hosted for the Office of Personnel Management (OPM) at the Department of the Interior’s shared services data centre, and the central database behind EPIC, the software suite used by OPM’s Federal Investigative Service to collect data for government employee and contractor background investigations.

Researchers said the most recent hack, which is believed to have exposed the records of about four million employees, allowed the attackers to access personal details that could be used to blackmail individuals or to recruit them for counter-espionage purposes.

Such a target would, they said, be consistent with the counter-espionage mission of China’s Ministry of State Security, as would the hack of Anthem, which provides health insurance to 1.3 million federal employees.

Forensic links

A rare hacking tool called Sakula, used in the OPM breach, was also used in the Anthem hack, according to unnamed people familiar with the investigation cited by Reuters. The same sources said the malicious software used in both the Anthem and OPM hacks was digitally signed with a code-signing certificate stolen from a Korean software company called DTOPTOOLZ, so that the binaries appeared to come from a legitimate vendor.

US investigators believe the hackers used a malicious website with the address OPM-Learning.org, a look-alike of a legitimate OPM domain, to try to capture employee login details. Anthem, formerly called Wellpoint, was targeted in a similar way using malicious sites such as We11point.com, which substitutes the digit 1 for the letter l, according to Reuters’ sources, who said the same group was also behind other breaches at insurance companies.
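The two credential-harvesting domains named above, OPM-Learning.org and We11point.com, are look-alikes that can be caught mechanically. The following is an added example, not code from the article or from any of the firms it cites: a small triage routine that folds common homoglyphs (1 for l, 0 for o), splits the registrable label on hyphens, and compares each token against a brand watchlist by exact match and by edit distance. The brand watchlist, the allowlist of owned hosts and all sample domains other than the two named in the article are constructed for illustration.

```python
"""Look-alike (typosquat / homoglyph) domain triage.

Added example, not code from the article or the firms it cites.
The watchlist, allowlist and sample inputs are constructed; only
OPM-Learning.org and We11point.com come from the article itself.
"""

# Digits and symbols attackers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

# Constructed watchlist: second-level labels we want to protect.
BRANDS = ("opm", "wellpoint", "anthem")

# Constructed allowlist: hosts the organisation actually owns.
ALLOWLIST = {"opm.gov", "wellpoint.com", "anthem.com"}


def parse_host(domain: str) -> str:
    """Reduce a URL or bare hostname to a lower-case host, no scheme/path/port."""
    host = domain.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.rstrip(".")


def registrable_label(host: str) -> str:
    """Label left of the TLD, e.g. 'we11point' for 'we11point.com'.
    Assumes a one-label TLD; production code should consult the
    public-suffix list so that 'foo.co.uk' is handled correctly."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) via the classic DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands=BRANDS, allowlist=ALLOWLIST, max_distance=1):
    """Return (verdict, brand).

    Verdicts: 'allowlisted' (owned host), 'homoglyph' (matches a brand only
    after folding look-alike characters), 'brand-token' (a hyphen-separated
    token is exactly a brand, or the bare brand on a host we do not own),
    'typo' (within max_distance edits of a brand), or 'clean'.
    """
    host = parse_host(domain)
    if host in allowlist:
        return ("allowlisted", None)
    tokens = registrable_label(host).split("-")
    for brand in brands:
        for tok in tokens:
            folded = tok.translate(HOMOGLYPHS)
            if tok != brand and folded == brand:
                return ("homoglyph", brand)      # we11point -> wellpoint
            if tok == brand:
                return ("brand-token", brand)    # opm-learning, wellpoint.net
            # Edit-distance matching is only meaningful for longer brands;
            # a three-letter brand like 'opm' is one edit from far too much.
            if len(brand) >= 6 and levenshtein(folded, brand) <= max_distance:
                return ("typo", brand)           # welpoint -> wellpoint
    return ("clean", None)


if __name__ == "__main__":
    # Constructed sample feed; the first two entries are from the article.
    samples = ["OPM-Learning.org", "We11point.com", "https://welpoint.com/login",
               "wellpoint.net", "anthem-benefits.org", "opm.gov", "example.org"]
    for d in samples:
        print(f"{d:30} {classify(d)}")
```

Run against a newly-registered-domain feed or outbound proxy logs, anything other than 'allowlisted' or 'clean' is worth a block or a ticket; the homoglyph and brand-token verdicts in particular are exactly the pattern the two domains in the article follow.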


Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
