On May 9, 2019, the United States Department of Justice announced the indictment of two Chinese nationals as members of a sophisticated hacking group responsible for the intrusion into Anthem, Inc. and into other unnamed large U.S. technology, communications and basic materials companies. The intrusion resulted in the breach of personally identifiable information of more than 78 million individuals held by Anthem and the theft of confidential business information from the victimized organizations. The indictment provides a roadmap of the advanced attacks regularly faced by technology, healthcare and infrastructure organizations with valuable data to protect. It serves as a reminder that organizations facing advanced persistent threats from organized hacking groups should adopt a defense in depth strategy, including workforce cybersecurity training, vulnerability scanning, network monitoring and comprehensive incident response plans, to thwart or mitigate these attacks. These countermeasures should be part of the organization’s formalized information security program.
According to DOJ, the hackers are allegedly part of a sophisticated hacking group operating inside China that targeted large businesses within the United States. The hackers allegedly picked their targets because those businesses stored large amounts of confidential business information on their computer networks. The hackers used a combination of social engineering (i.e., spear phishing), backdoor malware, privilege escalation and lateral movement, and encrypted file transfers to attack the networks and steal personal and confidential business information.
The indictment highlights the techniques used by advanced hacking groups and the importance of adopting appropriate countermeasures as part of a strategy to anticipate, prevent, detect and respond to similar attacks targeting any organization. Here are the key takeaways:
- Conduct rigorous workforce cybersecurity training to combat spear phishing and other social engineering attacks. The hackers reportedly sent specifically tailored spear phishing emails with embedded hyperlinks to employees; once clicked, the links caused a malicious file to be downloaded that deployed malware giving the hackers remote access to, and command and control over, the user’s computer. Targeting specific employees with email as the delivery vehicle for malware is frequently the preferred method for delivering malicious files (e.g., the DNC hack). Training employees to recognize threats arriving by email and social media should therefore be part of ongoing workforce training. Organizations should regularly train employees, particularly executives and administrators with privileged access, to recognize spear phishing emails and sophisticated social engineering attacks. Training reduces, but cannot eliminate, the chance that someone clicks, so it complements rather than replaces the technical controls discussed below.
- Perform vulnerability scanning and adopt strong access controls and a formalized patching process to deter privilege escalation and lateral movement across the network. The indictment alleges that once the hackers gained access to the network through the spear phishing campaign, they moved laterally and gained increasing ability to make changes in the network, sometimes patiently waiting months before taking further action. To mitigate the risk of privilege escalation, organizations should conduct frequent vulnerability scans to identify weaknesses in their networks and address them in a timely manner. Strong configuration management and a formalized patching process are also a defense against privilege escalation. Vulnerability scanning finds unpatched software, but lateral movement frequently relies on legitimate credentials rather than exploits, so credential hygiene matters just as much: for administrator accounts with access to key domains or systems, adopt strong password requirements and multifactor authentication, at minimum for remote and administrative access, and ensure that credentials are immediately disabled when administrators leave the organization.
- Secure and monitor the organization’s Domain Name System (DNS) to deter backdoor communications using command and control malware. The indictment alleges that the malware delivered by email enabled remote access to the victims’ computers. The hackers registered phony domains and set up command and control servers on those domains for the malware on the victims’ computers to report into. The indictment does not go into further detail as to the communications channel used by the malware, but DNS is relevant either way: even when the command and control channel itself is an encrypted web connection, the malware ordinarily has to resolve the attacker’s domain first, so the lookup appears in the resolver logs, and some malware tunnels its command and control traffic inside DNS queries and responses themselves. Monitoring DNS traffic for known malicious domains, for queries to recently registered or lookalike domains, and for the long, random-looking subdomains and query bursts characteristic of DNS tunneling is critical. Similarly, hardening the organization’s DNS, for example by forcing all internal hosts to resolve through resolvers the organization controls, logs and filters, may deter command and control that abuses DNS. My recent prior blog post discusses the importance of DNS security.
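The following is an added example, not code from the post or from the indictment, of the kind of DNS monitoring described above. It runs two checks over resolver log lines: a match against a blocklist of attacker-registered domains, and heuristics for DNS tunneling (long, high-entropy first labels and bursts of unique TXT queries under one domain). The log format, the blocklist entries, the sample lines and the thresholds are all constructed for illustration and are assumptions, not real indicators.

```python
"""Detect suspicious DNS activity in resolver logs (added example).

The log line format, the blocklist and the thresholds below are
constructed for illustration; they are not indicators from the case.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines: "<client> query: <name> IN <type>".
SAMPLE_LOG = """\
10.0.1.15 query: mail.example.com IN A
10.0.1.15 query: update-anthem-hr.com IN A
10.0.1.22 query: cdn.example.net IN A
10.0.1.22 query: 3f9a1c7e2b4d6f8a0c1e2b3d4f5a6b7c.tunnel.example.org IN TXT
10.0.1.22 query: 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.tunnel.example.org IN TXT
10.0.1.22 query: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tunnel.example.org IN TXT
10.0.1.30 query: www.example.com IN A
"""

# Hypothetical blocklist of attacker-registered command and control domains.
BLOCKLIST = {"update-anthem-hr.com"}

LINE_RE = re.compile(r"^(?P<client>\S+) query: (?P<name>\S+) IN (?P<qtype>\S+)$")


def parse_line(line):
    """Return (client, name, qtype) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), m.group("name").lower().rstrip("."), m.group("qtype")


def shannon_entropy(s):
    """Bits of entropy per character; random hex tops out near 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name):
    """Naive registrable domain (last two labels); real code should use the public suffix list."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def analyze(log_text, blocklist=BLOCKLIST, label_len=24, entropy_min=3.0, txt_burst=3):
    """Return a list of (kind, client, indicator) alerts for the given log text."""
    alerts = []
    txt_per_domain = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, name, qtype = rec
        base = registered_domain(name)
        # Check 1: the queried name, or its registrable domain, is on the blocklist.
        if name in blocklist or base in blocklist:
            alerts.append(("blocklist", client, name))
        # Check 2: a long, random-looking first label suggests data encoded into the query.
        first = name.split(".")[0]
        if len(first) >= label_len and shannon_entropy(first) >= entropy_min:
            alerts.append(("high-entropy-label", client, name))
        # Collect TXT queries per (client, domain) for the burst check below.
        if qtype == "TXT":
            txt_per_domain[(client, base)].append(name)
    # Check 3: many distinct TXT subdomains under one domain from one client looks like tunneling.
    for (client, base), names in txt_per_domain.items():
        if len(names) >= txt_burst and len(set(names)) == len(names):
            alerts.append(("txt-burst-unique-subdomains", client, base))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In production the blocklist would be fed from threat intelligence and the entropy and burst thresholds tuned against the organization’s own baseline, since content delivery networks and some security products also generate long labels.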
- Block cloud-based file sharing services that the organization has not sanctioned and use systems to inspect and detect anomalous encrypted traffic. The hackers are alleged to have stolen the data by placing it into encrypted files and transmitting the encrypted files to multiple computers located in China. Some of the files were allegedly exfiltrated through a Citrix file sharing service. Encryption defeats content inspection where an organization has no visibility into the encrypted traffic. As described in the indictment, it is not unusual for hackers, including malicious insiders, to hide their data exfiltration using encryption. One defense is to inspect encrypted traffic, which typically means terminating TLS at an inspection device and carries privacy and operational costs that should be weighed for each traffic category. Even without decrypting anything, the destination, volume and timing of encrypted connections remain visible, and a large outbound transfer to a file sharing service in the middle of the night is anomalous whether or not its contents can be read. Another defense is to block access to cloud-based file sharing services that may be used to exfiltrate data, allowing only those the organization has sanctioned and monitors.
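As an added example (not code from the post, the indictment or Citrix), the following applies the two defenses just described to web proxy log lines: an egress policy that blocks unsanctioned file sharing hosts, and a metadata-only check that flags clients whose aggregate upload volume over opaque TLS connections exceeds a threshold. The log format, host lists, sample lines and threshold are constructed and are assumptions.

```python
"""Egress policy and encrypted-upload volume checks over proxy logs (added example).

The log format, host categories, sample lines and threshold below are
constructed for illustration and do not come from the indictment.
"""
import re
from collections import defaultdict

# Constructed sample proxy log lines:
# "<timestamp> <client> <method> <host>:<port> bytes_out=<bytes sent by client>"
SAMPLE_PROXY_LOG = """\
2015-01-12T02:14:03Z 10.0.1.22 CONNECT sharefile.example.com:443 bytes_out=734003200
2015-01-12T02:16:41Z 10.0.1.22 CONNECT sharefile.example.com:443 bytes_out=812345678
2015-01-12T09:01:10Z 10.0.1.15 GET www.example.com:80 bytes_out=1024
2015-01-12T09:05:44Z 10.0.1.30 CONNECT mail.example.com:443 bytes_out=204800
2015-01-12T22:47:09Z 10.0.1.41 CONNECT files.example.net:443 bytes_out=5242880
"""

# Hypothetical categorisation: every known file sharing host, and the subset
# the organization has sanctioned (and therefore monitors).
FILE_SHARING_HOSTS = {"sharefile.example.com", "files.example.net"}
SANCTIONED_HOSTS = {"sharefile.example.com"}

# Upload volume per client per host that triggers an alert (500 MiB, assumed).
UPLOAD_THRESHOLD = 500 * 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>[^:\s]+):(?P<port>\d+) bytes_out=(?P<out>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["out"] = int(d["out"])
    return d


def egress_decision(host):
    """Allow-list policy for file sharing: sanctioned hosts pass, other sharing hosts are blocked."""
    if host in FILE_SHARING_HOSTS and host not in SANCTIONED_HOSTS:
        return "block"
    return "allow"


def evaluate(log_text, threshold=UPLOAD_THRESHOLD):
    """Return (blocked, large_uploads).

    blocked:       list of (client, host) connections the policy would deny.
    large_uploads: dict {(client, host): total_bytes} for opaque TLS (CONNECT)
                   sessions whose summed upload volume exceeds the threshold.
    """
    blocked = []
    upload_totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if egress_decision(rec["host"]) == "block":
            blocked.append((rec["client"], rec["host"]))
            continue
        # CONNECT on 443 is an encrypted tunnel the proxy cannot read; only the
        # metadata (destination and byte counts) is available, so aggregate it.
        if rec["method"] == "CONNECT" and rec["port"] == 443:
            upload_totals[(rec["client"], rec["host"])] += rec["out"]
    large_uploads = {k: v for k, v in upload_totals.items() if v > threshold}
    return blocked, large_uploads


if __name__ == "__main__":
    blocked, large = evaluate(SAMPLE_PROXY_LOG)
    print("blocked:", blocked)
    print("large encrypted uploads:", large)
```

The point of the volume check is that it works with no decryption at all: the proxy sees only a CONNECT tunnel, yet the sum of bytes sent to a sanctioned file sharing host is enough to raise an alert that an analyst can then investigate.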
- Play the long game because the hackers will. The indictment alleges that the hackers conducted intrusions across all the victims for nearly one year, from February 2014 to January 2015. According to the indictment, once inside the Anthem network, the hackers patiently searched the network for data of interest and ultimately stole data of more than 78 million persons, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data. The hackers identified Anthem’s data warehouse within the network, where a large amount of personally identifiable information was stored, and then exfiltrated the information when the time was right. The defense here is a sustained cybersecurity strategy and strong internal processes, including workforce training and education, backed by consistent enforcement of the information security program over the same long horizon on which the attackers operate.
- Adopt a detailed, formalized incident response plan and practice, practice, practice. While the indictment does not discuss the preventative measures of the victims, even a well thought out and comprehensive defense in depth may not prevent a breach. For example, victimizing an employee through social engineering may defeat the technical defenses in place. Having a detailed written incident response plan, and training and exercising it regularly, is critical and is an effective way to mitigate the harmful effects of any breach.