Anthem breach investigators initially claimed that tools, linked exclusively to Chinese espionage attackers, were used against the health insurer.

When news of the Anthem breach first surfaced, investigators claimed that malicious tools, linked exclusively to Chinese cyber attackers, were used against the health insurer. Now, an Arlington, Va.-based security firm has released its own research that expands on these findings.

On Friday, threat intelligence firm ThreatConnect published the details on its blog. The company found that the Anthem incident, which exposed the personal information of 78.8 million consumers, may be connected to the activities of a Chinese cyberespionage group, dubbed “Axiom.”

Also known as “Deep Panda,” the Axiom group has been noted as a state-sponsored group, previously targeting academic institutions in the U.S. as well as Asian and Western government agencies responsible for law enforcement, auditing and internal affairs, and space and aerospace. The years-long exploits of the sophisticated attackers, including their use of a backdoor trojan called Hikit, prompted industry heavyweights, including Microsoft, Symantec, Cisco and FireEye, to launch a coalition last October to fight the threat. Later that month, the firms collaborated to publish a report detailing the tools and tactics used by the Axiom threat group.

In ThreatConnect's new research, the firm revealed that a backdoor, called “HttpDump,” may have been involved in a December 2013 attack against Blue Cross Blue Shield. (BCBS allows plan members in certain areas to receive services from Anthem, which explains new reports that up to 18.8 million individuals impacted by the Anthem breach are non-Anthem Blue Cross Blue Shield members.)

The HttpDump malware was believed to be of Chinese origin and was signed with a digital certificate belonging to the Korean company DTOPTOOLZ Co., ThreatConnect found. In September and November of 2014, researchers observed APT malware of a separate family, “Derusbi,” being signed with the same DTOPTOOLZ certificate. The Derusbi variants have traditionally been used in Chinese APT espionage campaigns, the blog post explained.

Another finding linking the Anthem incident with Chinese cyber spies was a suspicious domain, prennera[.]com, which was set up in December 2013 and appeared to be an attempt by attackers to impersonate the healthcare provider Premera Blue Cross, ThreatConnect said, possibly as a means of distributing legitimate-looking phishing emails to targets. The prennera[.]com domain resolved to a static IP address also linked to Chinese APT malware.
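The prennera[.]com domain is a lookalike of the Premera brand (a doubled "n" standing in for "m"). The following is an added example of how a defender might screen newly observed domains against a watchlist of protected brand names; it is not ThreatConnect's tooling or analysis. The watchlist, the confusable-sequence table and the sample domains other than prennera[.]com are constructed for illustration.

```python
"""Flag candidate lookalike domains against a watchlist of protected brand labels.

Added example; not code from the article or from ThreatConnect. Everything
below except the prennera[.]com / Premera pair is constructed.
"""
from typing import Optional

# Assumed watchlist of second-level labels a defender wants to protect.
WATCHLIST = ["premera", "anthem", "bluecross"]

# Constructed table of character sequences that read like another character
# at a glance: attacker spelling -> what the eye sees.
CONFUSABLES = {"rn": "m", "nn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def fold_confusables(label: str) -> str:
    """Rewrite visually confusable sequences to the character they imitate."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def registrable_label(domain: str) -> str:
    """Return the second-level label of a domain, accepting defanged '[.]' input."""
    d = domain.lower().strip().rstrip(".").replace("[.]", ".")
    parts = d.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_lookalike(domain: str, watchlist=WATCHLIST, max_distance: int = 1) -> Optional[str]:
    """Return the watchlist brand a domain imitates, or None.

    A label that exactly equals a brand is treated as the brand's own domain.
    A label matches when its confusable-folded form equals the brand, or when
    either form is within max_distance edits of the brand.
    """
    label = registrable_label(domain)
    folded = fold_confusables(label)
    for brand in watchlist:
        if label == brand:
            return None
        if (folded == brand
                or levenshtein(label, brand) <= max_distance
                or levenshtein(folded, brand) <= max_distance):
            return brand
    return None


def scan(domains):
    """Map each flagged domain to the brand it resembles."""
    hits = {}
    for d in domains:
        brand = match_lookalike(d)
        if brand:
            hits[d] = brand
    return hits


if __name__ == "__main__":
    # Constructed sample of newly observed domains; prennera[.]com is from the article.
    sample = ["prennera[.]com", "premera.com", "anthern.com", "example.com"]
    for dom, brand in scan(sample).items():
        print(f"{dom} resembles {brand}")
```

Short brand labels raise the false-positive rate of a one-edit threshold, so in practice the distance budget is best scaled to label length and hits are fed to an analyst queue rather than blocked automatically.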