The U.S. Department of Justice has announced that two Chinese nationals have been charged over the 2015 hacking of Anthem Inc. and three other cyberattacks on U.S. businesses.
In February 2015, Anthem Inc. discovered its systems had been infiltrated. Further investigation revealed that the records of 78.8 million plan members had been stolen in what was, and still is, the largest healthcare data breach ever discovered.
On Thursday, May 9, 2019, the Department of Justice announced that Chinese national Fujie Wang, 32, and another unnamed Chinese national had been charged in relation to the attack following an FBI investigation.
Both individuals have been charged on four counts: two substantive counts of intentional damage to a protected computer, one count of conspiracy to commit fraud and related activity in connection with computers and identity theft, and one count of conspiracy to commit wire fraud.
Both individuals are alleged members of a highly sophisticated China-based hacking group that conducted a spate of cyberattacks on U.S. businesses between 2014 and 2015. The most serious attack occurred at Anthem Inc., one of the largest health insurers in the United States.
The Anthem cyberattack and the attacks on the other three businesses started with spear phishing emails. Targeted employees were sent emails containing a hyperlink which, when clicked, directed them to a web page and triggered the download of malicious files. When those files were executed, a malware downloader installed a backdoor that gave the attackers access to the computer and the network. In some of the attacks, the attackers waited several months after gaining access to the network before making their next move.
Via the backdoor, the hackers were able to control compromised computers and proceeded to search the network for sensitive data. According to the indictment, the hackers purposefully sought access to Anthem’s enterprise data warehouse, which contained the records of tens of millions of insurance subscribers. Software tools were used to collect files containing personally identifiable information, and the data was encrypted in archive files ready for exfiltration. The hackers accessed Anthem’s network on multiple occasions between October and November 2014.
On multiple occasions in January 2015, the encrypted data was exfiltrated to several computers in China. After data had been stolen, the archive files were deleted in an attempt to avoid detection.
Evidence has been uncovered suggesting that both individuals were members of the hacking group and were involved in the cyberattacks; Wang, specifically, is alleged to have controlled two domains used in the attacks. One of the domains was used to host the malicious files that gave the group access to business networks via spear phishing attacks, and the second domain was used to communicate with the malware.
“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”
The FBI praised the speed at which all attacked businesses contacted the FBI and reported the crime. The speed of the response was instrumental in allowing the FBI to identify the hackers responsible.
“Because the victim companies promptly notified the FBI of malicious cyber activity, we were able to successfully investigate and identify the perpetrators of this large-scale, highly sophisticated scheme,” said Assistant Director Matt Gorham. “The FBI is committed to investigating cyber-attacks that compromise American industry and the American people. As we did in this case, we will work side by side with victim companies to ensure justice is served.”