Premera Blue Cross is the latest victim of what appears to be a long-term APT campaign perpetrated by China. Between CHS, Anthem and now Premera Blue Cross, it's now safe to say health insurance is firmly in the crosshairs of powerful nation-state actors.
Brian Krebs from krebsonsecurity.com reports,
Premera Blue Cross, a major provider of healthcare services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn't saying so just yet, there are indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.
The indicators are similarities in the methods used, according to threat intelligence gathered by ThreatConnect. Jeremy Kirk from cio.com explains that ThreatConnect discovered a similarly typosquatted domain, prennera.com, tied to malicious infrastructure connected to Deep Panda, the group that breached Anthem.
In Anthem's case, the URL was we11point.com, a spoofed version of wellpoint.com (Wellpoint eventually became Anthem). The URLs are embedded in emails and sent to employees. Behind the URLs is malicious infrastructure that phishes for information like login credentials or spreads data-stealing malware.
In the Anthem attack, subdomains referencing internal services used by employees were discovered. The purpose was clearly to impersonate those services and lure employees into visiting the malicious domains. Because the typosquatted URLs closely resembled official domains, the malicious emails could bypass email filters.
The malware was further disguised by being digitally signed with a code-signing certificate from a Korea-based company called DTOPTOOLZ Co. This ties back to a RAT (remote access tool) called Derusbi, a known Deep Panda tool.
If it is indeed a Chinese APT group, the scary question remains: Why is China so interested in our personal records? Selling the data for profit is an unlikely motive. Plus, to date no one has seen any evidence that the data stolen from CHS, Anthem and now Premera Blue Cross has appeared on the black market.
However, having someone's PII in combination with his or her login credentials grants an attacker access to pretty much everything. PHI (personal health information) can tell you if someone suffers from an embarrassing ailment or has physical vulnerabilities you can exploit. While cyber thieves are after money, nation states are after bigger game.
Thus far, Deep Panda's methods have been relatively low-tech. They use easy-to-access commercial malware and spam. The key to their success appears to be their ability to bypass email filters using well-crafted fake emails and recognizable-looking domains.
This is a serious threat. Large organizations receive millions of emails per day, and only a tiny percentage of them may be malicious. No matter how effective email filters become, malware is still getting through.
CISOs responsible for protecting PII and PHI and looking to stay one step ahead of their adversary need greater visibility. When domains are registered that spoof those belonging to their organization, CISOs and their teams need an automated way to detect and test them to determine if they're malicious. Just as attackers' tactics evolve, so must enterprise security intelligence.