Experts are speculating that attackers exploited a vulnerability in Anthem's IT system, or obtained credentials via social engineering.

Mandiant, who is working with Anthem to investigate its massive breach, confirmed to on Wednesday that the attack involved the use of custom backdoors – but how exactly did the cybercrooks pull off one of the largest health care data heists to date?

Joseph Swedish, president and CEO of Anthem, noted in a message posted on Wednesday that Anthem made efforts to “close the security vulnerability” immediately after the attack was identified.

More details are expected to emerge from Anthem on what that vulnerability is, but security experts have begun weighing in on how criminals could have gained unauthorized access to the managed health care company's IT system.

Jasper Graham, former NSA technical director and SVP of Cyber Technologies and Analytics at Darktrace, told in a Thursday email correspondence that attackers could have gained access to the information by either exploiting a bug in Anthem's IT system, or obtaining credentials via social engineering.

“I don't believe this was a smash and grab,” Graham said, speculating on how long the attackers were carrying out the attack. “Based on the amount of data stolen, it took the attackers some time to figure out where they were and what they could have access to.”

In a Thursday email correspondence, Ken Westin, senior security analyst with Tripwire, told that the initial attack vector could have been a successful spear phishing attack that targeted an admin or other individual with high level access to data.

“Another more likely scenario is that this was a SQL injection attack or a direct attack on the database servers,” Westin said.

He took note of two job listings currently posted on Anthem's website: one posted on Wednesday for a Cloud Encryption Security Professional, and another posted on Friday for a Checkpoint Firewall Expert.

“This could be indications of where [their] lapses in security may have been and where they are now trying to bolster their defenses,” Westin said.

Part of the problem Anthem might have been facing is that “large organizations cannot visualize and understand their whole attack surface, and inevitably end up leaving some side door unlocked and overlooked,” Mike Lloyd, CTO of RedSeal, told in a Thursday email correspondence.

“Attackers only need to automate the process of twisting doorknobs, on a grand scale, to find a toe-hold, and once in, smart attackers can move laterally to find all kinds of data,” Lloyd said. “Defenders have no choice – they have to automate in turn, since only 99 [percent] compliance with a security policy is nowhere near enough.”

According to unconfirmed reports, Anthem first noticed suspicious activity on Jan. 27 and verified two days later that it had been the victim of an attack dating back to Dec. 10. But what exactly tipped off the company to the breach?

Citing Thomas Miller, chief information officer of Anthem, The Wall Street Journal reported on Thursday that “the first sign of the attack came in the middle of last week, when a systems administrator noticed that a database query was being run using his identifier code although he hadn't initiated it.” The report adds that the information was tracked to an outside web-storage service where the data was frozen, although it is unclear if the data had been moved elsewhere.
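The tip-off the Journal describes, a database query running under an administrator's identifier that he had not initiated, can be turned into a routine check rather than a chance observation. The following is an added example, not code from the article or from Anthem; the audit records, user names, host names and session windows are all constructed for illustration.

```python
"""Flag queries attributed to a privileged database identifier that the admin did not initiate."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    db_user: str
    src_host: str
    statement: str


# Constructed sample audit records (timestamp, db user, source host, statement). Not real data.
RAW_AUDIT = """\
2015-01-27T09:12:04 dba_jsmith ws-dba-01 SELECT count(*) FROM members WHERE state='CA'
2015-01-27T22:47:31 dba_jsmith app-srv-17 SELECT name,ssn,dob,address FROM members
2015-01-27T22:49:02 dba_jsmith app-srv-17 SELECT name,ssn,dob,address FROM members WHERE id > 5000000
2015-01-27T10:03:15 svc_report app-srv-17 SELECT count(*) FROM claims
"""

# Assumed baseline: hosts each privileged identifier is expected to be used from, and the
# interactive login windows the admin actually had (from the workstation/VPN logs, here hard-coded).
PRIVILEGED_USERS = {"dba_jsmith"}
EXPECTED_HOSTS = {"dba_jsmith": {"ws-dba-01"}}
ADMIN_SESSIONS = {"dba_jsmith": [(datetime(2015, 1, 27, 8, 30), datetime(2015, 1, 27, 18, 0))]}


def parse_audit(text):
    """Parse one audit record per line; the statement is everything after the third space."""
    events = []
    for line in text.splitlines():
        ts, user, host, stmt = line.split(" ", 3)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, host, stmt))
    return events


def in_session(user, ts):
    """True if the admin had an interactive session covering this timestamp."""
    return any(start <= ts <= end for start, end in ADMIN_SESSIONS.get(user, []))


def find_unattended_admin_queries(events):
    """Return (event, reasons) for privileged queries the named admin plausibly did not run."""
    findings = []
    for e in events:
        if e.db_user not in PRIVILEGED_USERS:
            continue  # service accounts are baselined separately
        reasons = []
        if e.src_host not in EXPECTED_HOSTS.get(e.db_user, set()):
            reasons.append(f"unexpected source host {e.src_host}")
        if not in_session(e.db_user, e.ts):
            reasons.append("no interactive admin session at this time")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Run against the sample, the two late-night bulk selects under dba_jsmith from app-srv-17 are flagged on both counts, while the admin's own daytime query from his workstation passes.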