Dark Reading
Risk
2/5/2015 05:35 PM

A Mere 8 Days After Breach, Anthem Healthcare Notifies Customers

Was the data encrypted in storage? Investigators aren't saying, but they hint that it wouldn't matter either way.

In a rare (perhaps unprecedented) move, a large company reported a data breach -- to authorities, the media, and the individuals whose data was stolen -- well before they were legally obligated to do so. Wednesday night, Anthem Healthcare, the nation's second-largest health insurer, began notifying its customers and the media that the personal records of as many as 80 million individuals were compromised -- a mere eight days from when Anthem first detected suspicious activity Jan. 27.

In a statement, Anthem president and CEO Joseph Swedish said, "Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape."

The initial unauthorized access has been tracked back to Dec. 10. The stolen data includes names, employment data, income data, Social Security numbers, street addresses, email addresses, and medical ID numbers. But investigators say there is no evidence to indicate that medical records (claims, test results, diagnostic codes) or credit card data were compromised.

What is clear is that the attack was extremely targeted: aimed at Anthem specifically, not just any healthcare institution. What is not clear is whether or not the stolen data was encrypted.

According to a security alert issued today by HITRUST:

Anthem has been collaborating with the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) since initial discovery of suspicious activity on its network, including sharing of various indicators of compromise (IOCs) consisting of MD5 hashes, IP addresses, and threat actor email addresses.

This crucial observable information was anonymously shared with the HITRUST C3 Community, through the automated threat exchange. It was quickly determined that the IOCs were not found by other organizations across the industry and this attack was targeted at a specific organization.

Upon further investigation and analysis it is believed to be a targeted advanced persistent threat (APT) actor.

Dave Damato, managing director of Mandiant, the organization leading the investigation into the Anthem breach, confirms "Yes, it was targeted at a specific company." However, the same attackers could carry out similar attacks on other organizations and simply swap out the indicators of compromise (MD5 hashes, IP addresses, domain names, etc.), which cost them little to change, to make detection harder.
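To make Damato's point concrete, here is an added example (not code from the article, HITRUST, Mandiant or Anthem) of the kind of matching the HITRUST C3 exchange enables with the three IOC types the alert names, and of how cheaply a hash IOC is defeated. Every hash, address, e-mail and log line below is constructed for the demonstration; the IP addresses are from the TEST-NET documentation ranges.

```python
"""
Atomic IOC matching (MD5 hash, IP address, actor e-mail) over constructed
artifacts, and why the hash indicator is the easiest one for an attacker
to rotate. Added example; all indicators and log lines are made up.
"""
import hashlib
import re

# A stand-in for a shared malware sample. Constructed bytes, not a real dropper.
SAMPLE_DROPPER = b"MZ\x90\x00 demo dropper bytes (constructed)"

# Constructed IOC set in the three categories the HITRUST alert lists.
IOCS = {
    "md5": {hashlib.md5(SAMPLE_DROPPER).hexdigest()},
    "ip": {"203.0.113.45", "198.51.100.7"},          # TEST-NET-3 / TEST-NET-2
    "email": {"hr-update@example.net"},
}

# Constructed proxy and mail-gateway log lines.
SAMPLE_LOGS = [
    "2015-01-27T02:14:11Z proxy src=10.20.4.8 dst=203.0.113.45 bytes=48213907",
    "2015-01-27T02:15:02Z proxy src=10.20.4.8 dst=192.0.2.10 bytes=1200",
    "2015-01-26T09:03:44Z smtp from=hr-update@example.net to=dba1@corp.example subj=Benefits",
]

IP_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")
MAIL_RE = re.compile(r"from=(\S+)")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_file(data: bytes, iocs=IOCS) -> bool:
    """True if the file's MD5 is on the shared indicator list."""
    return md5_hex(data) in iocs["md5"]


def scan_logs(lines, iocs=IOCS):
    """Return (line, ioc_type, value) for each line that hits an IP or e-mail IOC."""
    hits = []
    for line in lines:
        m = IP_RE.search(line)
        if m and m.group(1) in iocs["ip"]:
            hits.append((line, "ip", m.group(1)))
        m = MAIL_RE.search(line)
        if m and m.group(1) in iocs["email"]:
            hits.append((line, "email", m.group(1)))
    return hits


def rotate_hash(data: bytes) -> bytes:
    """All an attacker needs to do to defeat a hash IOC: change one byte."""
    return data + b"\x00"


if __name__ == "__main__":
    print("original sample matches:", match_file(SAMPLE_DROPPER))
    print("one-byte variant matches:", match_file(rotate_hash(SAMPLE_DROPPER)))
    for line, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"[{kind}] {value} <- {line}")
```

The hash match fails the moment the payload is padded by a byte, while rotating an IP address or mail domain costs the attacker new infrastructure; neither survives a determined operator, which is why the behavioral signal described later (privileged credentials running queries they never run) is the more durable layer.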

Damato could not share many details about the ongoing investigation, but Adam Meyer, Chief Security Strategist at SurfWatch Labs says, “Anthem discovered the attack when a database administrator noticed unauthorized queries running with admin credentials. Data exfiltration was performed through an external web storage provider 'commonly used by U.S. companies,' which suggests a service such as Google Cloud, Microsoft One Drive, or Dropbox was utilized to reduce chances of detection.”

“Upon discovery," says Meyer, "Anthem reset all passwords with privileged access across their environment and disabled accounts without two-factor authentication. Statements indicating that the company immediately made every effort to close the security vulnerability suggest that a known vulnerability was exploited in the corporate web environment or that a payload was delivered via spear phishing to employees but was easily corrected once identified as the point of entry. Data was exfiltrated to a known cloud storage provider likely utilizing authorized credentials.”   

Damato says that there is no evidence to suggest that an Anthem insider was involved in the breach, so admin credentials were probably stolen by outside attackers.

What remains unclear is whether or not the breached data was encrypted. When asked, Damato's response was itself rather cryptic. What he did say is that the issue with all encryption is that data has to be decrypted before an authorized user can use it. So if it can be copied or exfiltrated while it is in use, unencrypted, the fact that it was encrypted in storage might not matter. In practical terms, data pulled through a legitimate database session with a stolen admin credential comes back in the clear no matter how the disks or tablespaces are encrypted.
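Damato's point is easiest to see by asking which principal holds the key. The following added example (not Anthem's or Mandiant's design) contrasts two toy stores: one where the database itself decrypts for any authenticated login, as disk or transparent tablespace encryption does, and one where the application tier holds the key and the database only ever stores ciphertext. The cipher is a deliberately simple keystream built from HMAC-SHA256 so the example runs on the standard library; it is not a production cipher, and the SSN and account names are constructed.

```python
"""
Encryption at rest versus a stolen database credential.

Added illustration. The "cipher" is a toy keystream (HMAC-SHA256 in counter
mode XORed with the data) chosen only so this runs without third-party
packages; do not use it for real data.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class TransparentlyEncryptedDB:
    """Disk/TDE style: the database holds the key and decrypts for every
    authenticated session, so a stolen DBA credential reads plaintext."""

    def __init__(self):
        self._key = os.urandom(32)
        self._rows = {}                     # id -> ciphertext on "disk"
        self.valid_logins = {"dba_admin"}   # hypothetical account

    def insert(self, rid: int, ssn: str):
        self._rows[rid] = toy_encrypt(self._key, ssn.encode())

    def raw_disk_bytes(self) -> bytes:
        return b"".join(self._rows.values())

    def query(self, login: str, rid: int) -> str:
        if login not in self.valid_logins:
            raise PermissionError(login)
        return toy_decrypt(self._key, self._rows[rid]).decode()


class AppLayerEncryptedDB:
    """Application-layer encryption: the database never sees the key, so a
    DBA login returns ciphertext; only the application service can decrypt."""

    def __init__(self):
        self._rows = {}
        self.valid_logins = {"dba_admin", "app_svc"}

    def insert(self, rid: int, ciphertext: bytes):
        self._rows[rid] = ciphertext

    def raw_disk_bytes(self) -> bytes:
        return b"".join(self._rows.values())

    def query(self, login: str, rid: int) -> bytes:
        if login not in self.valid_logins:
            raise PermissionError(login)
        return self._rows[rid]              # ciphertext; the DB cannot decrypt it


def demo():
    ssn = "123-45-6789"                     # constructed value
    tde = TransparentlyEncryptedDB()
    tde.insert(1, ssn)

    app_key = os.urandom(32)                # held by the application tier only
    app = AppLayerEncryptedDB()
    app.insert(1, toy_encrypt(app_key, ssn.encode()))

    return {
        "tde_disk_has_plaintext": ssn.encode() in tde.raw_disk_bytes(),
        "tde_stolen_dba_cred_reads": tde.query("dba_admin", 1),
        "app_disk_has_plaintext": ssn.encode() in app.raw_disk_bytes(),
        "app_stolen_dba_cred_reads": app.query("dba_admin", 1),
        "app_service_reads": toy_decrypt(app_key, app.query("app_svc", 1)).decode(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Both stores keep the SSN off the disk in the clear, which is all "encrypted at rest" promises. Only the second denies plaintext to a stolen database credential, and it does so by moving the trust boundary, not removing it: whoever steals the application service's credential or compromises the host holding app_key is back to Damato's "decrypted while in use" case, and the database can no longer index or search those columns.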

"We are dealing with one of the biggest data breaches in history and probably the biggest data breach in the healthcare industry," says Jaime Blasco, VP and chief scientist of late-stage security startup AlienVault. "If you are wondering what it means for individuals, in a few words: it is a nightmare. If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes.

"It is yet unclear who is behind the attack," says Blasco, "but if the group that compromised Anthem plans to sell that information on the black market, it means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts. They can even obtain medical care using your information."

Damato says that his team at Mandiant definitely aims to provide some attribution for the attack, so they can have a better idea of what the attackers will do with the data they've stolen. But, attribution is hard for a variety of reasons. Not only because attackers take pains to obfuscate their identities, but because sometimes an organization has been breached by multiple threat actors, making it "hard to delineate between" them.

"I think the industry as a whole is getting better at attribution," says Damato, "but there's still a lot of noise."

"One thing that's very important and very different," he adds, "is that Anthem reported it before they had to." Damato says it will be very interesting to see what effect that speed has on the investigation and public response.

The response of customers remains to be seen -- but with the Affordable Care Act's enrollment deadline a mere 10 days away, their opinions may be known quite soon. For their part, the FBI and the security industry have applauded Anthem for reporting the incident so quickly.

The FBI stated: "Anthem's initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances."

Damato says that the company reported it so quickly simply because they thought it was the right thing to do.

In his statement, Anthem CEO Swedish said "Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

ODA155, User Rank: Ninja, 2/6/2015 | 2:50:59 PM
Re: Why does it matter if the data was encrypted?
@L174, WHAT!? Where are you getting your information?

The operating system only determines encryption levels (protocols) if you let it, such as in a Windows Server where encryption can be controlled with a simple registry edit. I'd have to believe that these companies are not allowing this to happen and instead are using add-on applications like OpenSSL or some other enterprise-level data encryption software. Furthermore, if the data is encrypted you cannot access it without the proper keys for access, unless you have a few super-duper computers and more than a few years to hopefully stumble onto the correct key pairings.

There may be places in the infrastructure where data is not fully encrypted, such as at the point where the application feeds a DB, but even that is very rare. Even rarer (I hope) would be an unencrypted DB holding sensitive data, hell, or ANY DATA. Any company that does not encrypt data in transit is stupid and deserves to be hacked.

Sensitive data that travels over a network is required to be securely encrypted from the point of data entry to the point where the data is processed if those companies are to be HIPAA, PCI or GLBA compliant.

Your comment leads me to believe that you are either:

a) Trolling
b) Uninformed
c) Not responsible for security on any level
or...
d) Negligent

So you said, "Data Encryption is only helpful if a physical harddrive or machine is stolen, period."... what's the difference between a disc image and the actual HDD? And a hacker isn't going after an HDD or an image because attempting to obtain either will or should set off alerts; he wants the DB, and even that is going to be striped across a RAID. From what I remember about RAID, what you suggest is only "possible" if you remove a drive from a RAID 0 or RAID 1, and I don't believe Anthem is "Mom & Pop" enough for that configuration.

anon4914728044, User Rank: Apprentice, 2/6/2015 | 2:18:09 PM
Re: Why does it matter if the data was encrypted?
I hate to be blunt, but your post belies a significant level of ignorance about major-business information security architecture and infrastructure.

Anthem almost certainly does not store production databases on "encrypted disks".

Also, the fact that a "database administrator noticed unauthorized queries" strongly suggests that if the data was encrypted, it's still encrypted and is (to the limits of the encryption strength) just fine now.

When you understand enough to know why these statements are true, you'll understand why the rest of your post is largely incorrect as well.
L174, User Rank: Apprentice, 2/6/2015 | 12:00:44 PM
Why does it matter if the data was encrypted?
Data Encryption is only helpful if a physical harddrive or machine is stolen, period. (Let that sink in for a minute)

While encryption is beneficial it is only useful in about 3% to 5% of data breach situations. (If you want to do a groundbreaking story you should focus on the fact that encryption offers very little protection in a hacking situation.)

Once a hacker has access to a running machine the data has already been decrypted by the Operating System or the running application and it is fully available to the hacker in the same decrypted format.

I will say it again, encryption is only helpful if a physical machine or harddrive has been stolen. So the big question was not "was the data encrypted" but how did the hackers gain access? By the way, I am willing to bet the data in this case was on an encrypted disk and as expected it did not help.