The Justice Department unsealed an indictment against two people accused of hacking into health insurer Anthem and stealing the personal records of at least 78.8 million customers between 2014 and 2015. Named in the indictment were 32-year-old Wang Fujie (a.k.a. Dennis) and a John Doe.

The DOJ alleges that the pair was part of a sophisticated hacking group based in China. DOJ officials added that three other data-rich US companies, still unidentified, were attacked by the same group.

At the time, the Anthem breach was the largest health care data breach on record, and in 2017 the company paid $115 million to settle a class action lawsuit over it.

Lisa Vaas details how the Anthem breach was executed in this NakedSecurity article:

The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

The four-count indictment alleges that beginning in February 2014 and up until around January 2015, Wang, Doe and other members of the gang hacked into the targeted businesses using “sophisticated techniques” including spearphishing and malware.

They allegedly rigged tailored spearphishing emails with links to malware and sent the messages to employees at the targeted companies. When employees clicked on the links, their systems would get infected by malware that, among other things, planted a backdoor that gave the hackers remote access via their command and control server.

Once in, the suspects and their accomplices moved laterally across the infected network in order to escalate their network privileges and to thereby boost their ability to get at information and to tweak the network environment. They were in no rush, the indictment says. Sometimes, they’d allegedly wait months to take the next step, all the time quietly maintaining their access to the infected network.

Once the time was right, the hackers would allegedly sniff around for valuable personally identifiable information (PII) and confidential business information. In the case of Anthem, that information included names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment. In other words, a veritable toolkit for identity theft.

Then, the suspects and other hackers allegedly exfiltrated the data using encrypted archives, shuffling it through multiple computers as it wended its way on to its final destination: China. The indictment says they used Citrix ShareFile for data storage and transfer. Then, in an attempt to cover their tracks, they allegedly deleted the encrypted archives.
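The staging pattern described in that last paragraph (build an encrypted archive, push it to a file-sharing service, delete the archive) is one a detection engineer can hunt for in endpoint telemetry. The following is an added example, not code from NakedSecurity, the indictment, or Anthem. The host names, command lines, and domains in the sample events are constructed for illustration; only the use of a ShareFile domain reflects what the indictment describes, and the threshold values are arbitrary assumptions.

```python
"""Flag the staged-exfiltration sequence: an archiver runs (ideally with a
password flag), the same host then uploads a large volume to a file-sharing
service, and the archive is deleted afterwards. Sample events are constructed
for this example and are not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint events (hypothetical hosts, paths, domains).
SAMPLE_EVENTS = [
    {"ts": "2014-11-03T01:12:05", "host": "fs-01", "kind": "process",
     "cmd": 'rar.exe a -hp"Passw0rd!" C:\\Windows\\Temp\\st.rar D:\\exports\\members.csv'},
    {"ts": "2014-11-03T01:40:11", "host": "fs-01", "kind": "netconn",
     "dst": "storage.sharefile.com", "bytes_out": 734_003_200},
    {"ts": "2014-11-03T02:05:40", "host": "fs-01", "kind": "file_delete",
     "path": "C:\\Windows\\Temp\\st.rar"},
    # Benign: a user zips photos and talks to an internal server only.
    {"ts": "2014-11-03T09:00:00", "host": "ws-22", "kind": "process",
     "cmd": "7z.exe a C:\\Users\\bob\\Documents\\photos.7z C:\\Users\\bob\\Pictures"},
    {"ts": "2014-11-03T09:01:00", "host": "ws-22", "kind": "netconn",
     "dst": "intranet.example.local", "bytes_out": 20_480},
]

ARCHIVER_MARKERS = ("rar.exe", "7z.exe", "winrar", "zip.exe")
ARCHIVE_EXTENSIONS = (".rar", ".7z", ".zip")
ENCRYPTION_FLAGS = ("-p", "-hp", "--password")   # rar / 7z password switches
# Assumed list of file-sharing services; extend with whatever your org does not sanction.
FILE_SHARING_DOMAINS = ("sharefile.com",)


def is_archiver(cmd: str) -> bool:
    return any(marker in cmd.lower() for marker in ARCHIVER_MARKERS)


def archive_path(cmd: str):
    """Return the first command-line token that looks like an archive file."""
    for token in cmd.split():
        if token.lower().endswith(ARCHIVE_EXTENSIONS):
            return token
    return None


def uses_password(cmd: str) -> bool:
    return any(tok.startswith(ENCRYPTION_FLAGS) for tok in cmd.split())


def is_file_sharing(dst: str) -> bool:
    return any(dst.lower().endswith(d) for d in FILE_SHARING_DOMAINS)


def detect_staged_exfil(events, window=timedelta(hours=24), min_bytes=50_000_000):
    """Correlate archiver -> file-sharing upload -> archive deletion per host.

    An alert is raised when an archiver run is followed within `window` by an
    upload of at least `min_bytes` to a file-sharing domain; password use and
    deletion of the archive raise the score."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["kind"] != "process" or not is_archiver(e["cmd"]):
                continue
            path = archive_path(e["cmd"])
            t0 = datetime.fromisoformat(e["ts"])
            upload = deletion = None
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                if (later["kind"] == "netconn" and upload is None
                        and is_file_sharing(later["dst"])
                        and later["bytes_out"] >= min_bytes):
                    upload = later
                if (later["kind"] == "file_delete" and path
                        and later["path"].lower() == path.lower()):
                    deletion = later
            if upload is None:
                continue
            encrypted = uses_password(e["cmd"])
            alerts.append({
                "host": host,
                "archive": path,
                "encrypted": encrypted,
                "upload_dst": upload["dst"],
                "bytes_out": upload["bytes_out"],
                "archive_deleted": deletion is not None,
                # 2 for archive+upload, +1 for password, +1 for cleanup
                "score": 2 + int(encrypted) + int(deletion is not None),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_exfil(SAMPLE_EVENTS):
        print(alert)
```

The correlation keys on the host rather than the user because the attackers in this case held persistent backdoor access; a per-user key would miss a service account doing the staging. The byte threshold exists to keep ordinary ShareFile use from firing the rule, so tune it to the site's normal upload sizes before relying on it.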