
US Government Hackers Linked To Anthem Breach

The hackers who stole millions of records from sensitive US government personnel systems may also have been behind a data breach at US health insurer Anthem disclosed earlier this year, as well as other, similar incidents, according to security researchers.

The group in question, called “Deep Panda” by IT security firm CrowdStrike, is distinct from the Chinese military hacking groups that have been accused of other attacks on US data. While little is known about it, researchers said it appears to be affiliated with China’s Ministry of State Security, which focuses on internal government stability, counter-intelligence and the monitoring of dissidents.

Researchers including CrowdStrike, EMC’s RSA Security, ThreatConnect and others said they believed the Deep Panda group was behind both the OPM and Anthem hacks. CrowdStrike said Deep Panda’s tools and techniques were also used to monitor Hong Kong protesters, and IT security firm FusionX said a breach at United Airlines was possibly also carried out by the same hackers.

The group’s exact affiliation with the Chinese government is not known, and it may be a private contractor, researchers said.

US government agencies declined to comment on the matter as the investigation is ongoing.

“The threat that we face is ever-evolving,” said Josh Earnest, the White House press secretary, at a press briefing earlier this month. “We understand that there is this persistent risk out there. We take this very seriously.”

The US has not formally accused China of carrying out the attack, and the Chinese government has denied that it was involved.

“Chinese law prohibits hacking attacks and other such behaviours which damage Internet security,” said China’s Foreign Ministry in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

Sensitive records

US government officials last week disclosed that the breach affected two separate systems: the Electronic Official Personnel Folder (eOPF) system, hosted for the Office of Personnel Management (OPM) at the Department of the Interior’s shared services data centre, and the central database behind EPIC, a software suite used by OPM’s Federal Investigative Service to collect data for background investigations of government employees and contractors.

Researchers said the most recent hack, which is believed to have exposed the records of about four million employees, allowed the attackers to access personal details that could be used to blackmail individuals or to recruit them for counter-espionage purposes.

Such a target would, they said, be consistent with the counter-espionage mission of China’s Ministry of State Security, as would the hack of Anthem, which provides health insurance to 1.3 million federal employees.

Forensic links

A rare hacking tool used in the OPM breach, called Sakula, was also used in the Anthem hack, according to unnamed people familiar with the investigation who were cited by Reuters. The same sources said both the Anthem and OPM hacks used malicious software that was electronically signed as legitimate with a certificate stolen from a Korean software company called DTOPTOOLZ.

US investigators believe the hackers used a malicious website with the address OPM-Learning.org to try to capture employee login details; Anthem, formerly called Wellpoint, was targeted in a similar way using malicious sites such as We11point.com, according to Reuters’ sources, who said the same group was also behind other breaches at insurance companies.
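The lookalike names above (a hyphenated brand in OPM-Learning.org, a digit-for-letter swap in We11point.com) suggest a simple defensive check. The following is an added example, not code from the article or from any investigator: it folds common digit substitutions, compares each hostname seen in a proxy log against a list of protected domains, and flags imitations. The PROTECTED list, the HOMOGLYPHS map and the SAMPLE_LOG lines are assumptions constructed for the example.

```python
import re
# Constructed for this example: domains to protect; the article's lookalikes imitate the first two.
PROTECTED = ["opm.gov", "wellpoint.com", "anthem.com"]
# Digit/symbol substitutions common in lookalike names ("We11point" swaps l for 1).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """Label before the suffix; assumes a one-label suffix (.com, .gov), not .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(host):
    """Return the protected domain that host imitates, or None if it looks unrelated."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in PROTECTED):
        return None  # the genuine domain or one of its subdomains
    folded = registrable_label(host).translate(HOMOGLYPHS)
    tokens = re.split(r"[-_]", folded)
    for legit in PROTECTED:
        brand = registrable_label(legit)
        # brand as a hyphenated token (opm-learning) or one edit away (we11point -> wellpoint)
        if brand in tokens or levenshtein(folded, brand) <= 1:
            return legit
    return None

# Constructed proxy log lines (not real traffic) using the two hostnames named in the article.
SAMPLE_LOG = """\
2015-06-10T09:12:03Z user=alice dst=opm.gov status=200
2015-06-10T09:14:55Z user=alice dst=opm-learning.org status=200
2015-06-10T10:02:41Z user=bob dst=we11point.com status=200
2015-06-10T10:05:07Z user=bob dst=mail.wellpoint.com status=200
2015-06-10T10:07:19Z user=carol dst=example.com status=200
"""

def flag_lookalikes(log_text):
    hits = []  # (host, imitated_domain) for every dst= host that is a lookalike
    for line in log_text.splitlines():
        m = re.search(r"dst=(\S+)", line)
        if m and (target := lookalike_of(m.group(1))):
            hits.append((m.group(1), target))
    return hits
```

The brand-token rule will also flag legitimate third-party names that contain the brand (for example a partner's "opm-training" site), so treat hits as alerts to review, not blocks.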


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
