Exclusive: Mandiant speaks on Anthem attack, custom backdoors used
Mandiant was brought on site Tuesday, after Anthem started their own internal investigation.
Published 4:25 p.m. ET - Mandiant, the incident response firm tapped by Anthem Inc. in the wake of its massive breach, says that the “sophisticated” cyber attack against the health care company involved the use of custom backdoors, one indication that an “advanced attack” did indeed take place against the company.
According to Dave Damato, managing director of Mandiant, the security firm was brought on site Tuesday to assess the incident. Damato said the firm immediately noticed two things: that Anthem had detected the attack itself, as opposed to being alerted by a third party such as law enforcement or another security firm, and that Anthem had quickly begun responding to the incident.
“Normally, we have no leads, but [Anthem] had their own internal incident response team,” Damato told SCMagazine.com in a Thursday interview. While organizations “typically wait some time before reporting [breaches],” Anthem “decided to come forward much sooner,” he noted.
On a website set up specifically for the data breach, Anthem's CEO Joseph Swedish claimed that the health insurer was the “target of a very sophisticated external cyber attack.” And on Thursday, Mandiant offered some clarity on what may have driven the company to make that assessment.
“I can confirm that,” Mandiant's Damato said. “[Attackers] were using different custom backdoors that are not publicly available. That is one indication that it is an advanced attack.”
Damato added that the backdoors were a variant of malware the company had “seen before,” but he could not say which, as the investigation is still ongoing.
In an alert issued Thursday morning by HITRUST (the Health Information Trust Alliance), which collaborates with healthcare, technology, and information security leaders, the organization said that Anthem had been working with its Cyber Threat Intelligence and Incident Coordination Center (C3) “since initial discovery of suspicious activity on its network.” That work included sharing email addresses believed to belong to the threat actors, along with other indicators of compromise, such as MD5 hashes and IP addresses linked to the attacks.
On Thursday, the Los Angeles Times reported that Anthem's “suspicious activity was first noticed and reported Jan. 27,” and that “unauthorized access to the vast database goes back to Dec. 10.” The insurer said that the database contained records belonging to, at most, 80 million people, the outlet added.
Anthem's CEO Swedish announced Wednesday night that the breach allowed attackers to obtain the names, birth dates, medical IDs, Social Security numbers and other personal information of current and former Anthem members. In Thursday email correspondence with SCMagazine.com, an Anthem spokeswoman clarified that “personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past,” was impacted.
Early reports by the Los Angeles Times and Wired suggest that at least some of the hacked data was unencrypted, but Anthem has not responded to repeated inquiries from SCMagazine.com to confirm measures it may have taken to protect its data prior to the breach.
Regarding Anthem's claim that it “made every effort to close the security vulnerability” that preceded the breach, Damato said that Mandiant has seen no indication that attackers are still operating in Anthem's IT environment.
“They've been able to reset some passwords and they performed a series of actions to remove the attacker from the environment,” Damato said of Anthem's efforts. “Any passwords that were affected by the breach were reset, [and they began] blocking traffic associated with the attacker and removing any compromised systems. Immediately after they noticed the incident they performed those actions,” he told SCMagazine.com.
Anthem is currently cooperating with the FBI, which is also investigating the breach.