Breach, Threat Intelligence, Data Security, Malware

Researchers investigate link between Axiom spy group, Anthem breach

When news of the Anthem breach first surfaced, investigators claimed that malicious tools, linked exclusively to Chinese cyber attackers, were used against the health insurer. Now, an Arlington, Va.-based security firm has released its own research that expands on these findings.

On Friday, threat intelligence firm ThreatConnect published the details on its blog. The company found that the Anthem incident, which exposed the personal information of 78.8 million consumers, may be connected to the activities of a Chinese cyberespionage group, dubbed “Axiom.”

Also known as “Deep Panda,” the Axiom group has been noted as a state-sponsored group, previously targeting academic institutions in the U.S. as well as Asian and Western government agencies responsible for law enforcement, auditing and internal affairs, and space and aerospace. The years-long exploits of the sophisticated attackers, including their use of a backdoor trojan called Hikit, prompted industry heavyweights, including Microsoft, Symantec, Cisco and FireEye, to launch a coalition last October to fight the threat. Later that month, the firms collaborated to publish a report detailing the tools and tactics used by the Axiom threat group.

In ThreatConnect's new research, the firm revealed that a backdoor, called “HttpDump,” may have been involved in a December 2013 attack against Blue Cross Blue Shield. (BCBS allows plan members in certain areas to receive services from Anthem, which explains new reports that up to 18.8 million individuals impacted by the Anthem breach are non-Anthem Blue Cross Blue Shield members.)

The HttpDump malware was believed to be of Chinese origin and was signed with digital signature from the Korean company DTOPTOOLZ Co., ThreatConnect found. In September and November of 2014, researchers observed APT malware of a separate family “Derusbi,” being signed with the same DTOPTOOLZ signature. The Derusbi variants were traditionally used in Chinese APT espionage campaigns, the blog post explained.

Another finding linking the Anthem incident with Chinese cyber spies was a suspicious domain prennera[.]com, which was set up in December 2013 and appeared to be an attempt for attackers to impersonate healthcare provider Premera Blue Cross, ThreatConnect said, possibly as a means of distributing legitimate-looking phishing emails to targets. The prennera[.]com resolved to a static IP address also linked to Chinese APT malware.

In an article published earlier this month, security journalist Brian Krebs spoke to ThreatConnect, which discussed other spurious domains, including myhr.we11point[dot]com and hrsolutions.we11point[dot]com, that were created in April 2014 to mimic the infrastructure of WellPoint. (Anthem acquired WellPoint Health Networks in 2004, and WellPoint eventually changed its corporate name to Anthem Inc. in December 2014.)

Krebs pointed out that one of the bogus domains was linked to the distribution of a backdoor program, that was also signed with certificate issued by DTOPTOOLZ Co. – a marker left on other Chinese APT tools.

Rich Barger, Chief Intelligence Officer at ThreatConnect, told SCMagazine.com in a Friday interview that the firm's investigations provided “strong indications” that the Axiom threat group is somehow linked to the attack on Anthem.

“There's calling cards across many of these campaigns,” Barger later said.

“The Derusbi malware is a specific backdoor that we and other researchers have seen only within Chinese APT attacks. It's fairly unique to those types of attacks and campaigns, but there is a little bit of confusion around whether this is one group or multiple groups."

Back in October, the coalition of tech and security firms that teamed up to publish a report on Axiom, determined that the malicious activity of the Chinese state-sponsored group appeared to be the work of a “well resourced, disciplined, and sophisticated subgroup of a larger cyberespionage group that has been directing operations unfettered for over six year,” the report said.

Tactics, techniques and procedures (TTPs) used by Axiom were linked to other high-profile attacks, including Operation Deputy Dog which targeted Bit9 and organizations in Japan throughout 2013, and Operation Snowman uncovered in February 2014, which included an attack on a U.S. veterans website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.