Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records


Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc., have been charged by the U.S. Department of Justice.

Fujie Wang, 32, and an unnamed man have been charged in a four-count indictment in relation to the Anthem cyberattack and the theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.”

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

According to the indictment, the international hacking scheme saw Wang and other members of the hacking group conduct highly sophisticated cyberattacks on businesses starting in February 2014. Those attacks continued until at least January 2015.

The attacks started by sending spear phishing emails to employees of the targeted businesses. Those emails contained hyperlinks to a malicious website. When the links were clicked, they triggered the download of a file containing a malware downloader. When the file was executed, a backdoor was installed in the system that gave the hackers access to the business network through a server controlled by the hackers. Wang has been accused of registering two domains that were used for the spear phishing attack and for communicating with the malware.

After gaining access to the business networks, the hackers moved laterally in search of information of interest, in some cases waiting months before proceeding with the attack. In the case of the attack on Anthem, its systems were accessed on multiple occasions between October and November 2014. The aim was to find sensitive business information and the personally identifiable information of its plan members, according to the indictment.

Once sensitive data had been identified, it was combined into encrypted archive files and was exfiltrated through a variety of computers to destinations in China. The vast quantities of data were exfiltrated from Anthem on multiple occasions in January 2015. After data was exfiltrated, the hackers deleted the archive files in an attempt to avoid detection. The attacks on the other businesses were linked to Wang via the two domains used in the Anthem attack.

The FBI was able to launch an investigation promptly because the attacked companies reported the breaches to the FBI, and with their continued cooperation during the investigation, the FBI was able to identify the individuals behind the cyberattacks.

The speed at which Anthem notified the FBI about the attack was a key factor in being able to determine who was responsible for the breach. FBI Special Agent in Charge Grant Mendenhall said “[This] should serve as an example to other organizations that might find themselves in a similar situation.”

Assistant Attorney General Benczkowski said “The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur.”

Author: HIPAA Journal
