Internet security firm Symantec says it has evidence which shows that Chinese state sponsored hackers stole data on 70 million clients of health insurance giant Anthem.
Labeling the hackers the Black Vine group, Symantec said the group’s espionage activities were ultra-sophisticated and that in what is considered unusual behavior for hackers, the group is very keen to share its hacking secrets with rival hackers. Black Vine had access to Anthem’s files for 300 days before the hack was discovered.
Jon DiMaggio, Symantec’s lead researcher, said The Black Vine group is based in Beijing and possibly has members with ties to rival security company TopSec , which in the past has hired Chinese hackers.
“Based on the samples analysed in our investigation, Symantec identified that the Black Vine malware variant known as Mivast was used in the Anthem breach. Open source data suggests that some actors of Black Vine may be associated with a Beijing-based company known as Topsec.” said DiMaggio.
He said other on-line evidence shows Black Vine also has members who work for Beijing’s secretive National Ministry of State Security (MSS), and that breached data from the Anthem hack may be used to target high profile Anthem clients.
A statement released by Symantec said “If the MSS was involved, we can deduce that the Anthem hack could have been for the purposes of gathering sensitive information for follow-on HUMINT targeting via blackmail, asset recruitment or technical targeting operations against individuals at home.”
Symantec also claimed that four cyber attacked in 2012 and 2014 by Black Vine suggests it is connected to other hacking groups ” built on shared goals” with the groups having worked together. It said in February 2014, Black Vine hacked a U.S. aerospace firm just two days after a separate group hacked into the US Veterans of Foreign Wars computer system.
“The simultaneous attacks between different attack groups seen in 2012 and 2014 exploited the same zero-day vulnerabilities at the same time, but delivered different malware. The malware used in these campaigns are believed to be unique and customized to each group. However, the concurrent use of exploits suggests a shared access to zero-day exploits between all of these groups,” read the Symantec statement.
It said Black Vine targets organisations connected with healthcare, energy, and aerospace, all of which have been heavily attacked by Chinese cyber warriors over the past ten years.