Premera, Anthem data breaches linked by similar hacking tactics

Security analysts last year saw a fake domain spoofing Premera's name

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches.

Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday.

It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases.

Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem's breach.

But what is known is that the Anthem attackers created a bogus domain name, "we11point.com," (based on WellPoint, the former name of Anthem) that may have been used in phishing-related attacks. Companies try to detect such confusing domain names -- a practice known as typosquatting -- but are not always successful.

One of Deep Panda's attack methods is to create fake websites that imitate corporate services for companies. In Anthem's case, the attackers set up several subdomains based on "we11point.com," which were designed to mimic real services such as human resources, a VPN and a Citrix server.

By targeting Anthem employees with phishing emails and luring them to the fake sites, it may have been possible for the attackers to collect the logins and passwords and eventually access the insurer's real systems.

ThreatConnect, an Arlington, Virginia-based security company, found that Premera appears to have been targeted by the same style of attack.

On Feb. 27, ThreatConnect wrote a blog post describing its research into the Anthem attacks. In the course of that work, ThreatConnect found a suspicious domain name -- "prennera.com."

On Dec. 11, 2013, that domain name resolved to the same IP address as a malware sample seen by ThreatConnect. Even more interesting is that the malware sample was digitally signed with a certificate from DTOPTOOLZ Co., which appears to be a Korean company that at one time made advertising software.

A digital certificate is used to verify that a software program comes from the developer it purports to come from. But the certificates are occasionally stolen. They're especially useful for hackers, as one can make a malware program appear at least on first sight as legitimate.

In September 2014, the computer security firm CrowdStrike found a remote access tool called Derusbi that was often used by Deep Panda. The sample was also signed with a DTOPTOOLZ Co. digital certificate.

In another example, ThreatConnect found a spoofed domain last year that appeared to mimic defense contractor VAE, based in Reston, Virginia. Two malware programs -- Derusbi and another type of one called Sakula -- were linked to the spoofed VAE domain and signed once again with the DTOPTOOLZ Co. certificate.

It could be that the Korean company did not do enough to prevent its digital certificates from being stolen, and that it was pilfered by multiple hacking groups who have then used it in multiple, unrelated attacks. If not, it would be a strong indication that a single group is involved.

Anthem and law enforcement have yet to say who they believe may be responsible, and the Premera investigation is in its early stages. If an attacker is named, it could put further pressure on the U.S. government, which has shown less and less tolerance for what are classified as state-sponsored attacks.

In December, the U.S. government blamed North Korea for the devastating data breach against Sony Pictures Entertainment, one of the first times the government has so quickly and so directly attributed a single attack. The documents released included salary details, internal email and HR documents for employees. Other malicious code destroyed the hard drives of Sony computers.

In May 2014, U.S. federal prosecutors charged five members of the Chinese Army with stealing trade secrets from U.S. organizations over eight years in the first legal action of its kind. China, as is customary, denied the accusations.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Exploits / vulnerabilitiesAnthemPremera Blue Cross

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?