Anthem Breach: a Slow and Silent Attack

Experts at Check Point security firm analyzed the recent data breach suffered by Anthem, the nation’s second-largest health insurer.

The attack on Anthem, the second-largest health insurer in the U.S., which exposed identifiable personal data of tens of millions of people, was probably not a smash-and-grab raid but instead a sustained, low-key siphoning information over a period of months. The breach was designed to stay below the radar of the company’s IT and security teams, using a bot infection to smuggle data out of the organisation.

According to statements released by Anthem, the first signs of the attack came in the middle of last week, when an IT administrator noticed a database query was being run using his identifier code when he had not initiated it. The company determined that an attack had occurred, informed the FBI and hired an external security consultant to investigate.

Investigators reported that customized malware was used to infiltrate Anthem’s networks and steal data. The exact malware type was not disclosed but is reported to be a variant of a known family of hacking tools. However, an independent security consultancy reports that the attack may have been started up to three months earlier. The consultancy said that it noticed ‘botnet type activity’ at Anthem affiliate companies back in November 2014.

This would not be surprising, as long-term bot activity is commonplace in enterprises. Check Point’s 2014 Security Report, based on monitored events at over 10,000 organisations worldwide, found that at least one bot was detected in 73% of companies, up from 63% the year before. 77% of bots were active for over four weeks and typically communicated with their ‘command & control’ every three minutes.

Bots are able to avoid detection because their developers use obfuscation tools to enable them to bypass traditional signature-based antimalware solutions. As such, threat emulation, also known as sandboxing, should be used as an additional layer of defence to stop bots before they can infect networks. Anti-bot solutions should also be deployed to help discover bots, and prevent further breaches by blocking their communications.

It’s also important that organisations segment their networks, separating each segment with layers of security to prevent bot infections spreading widely. Segmentation can contain infections in one area of the network, mitigating the risks of the infection accessing and breaching sensitive data in other network segments.

With these three preventative approaches, companies can dramatically reduce their exposure to the type of slow, stealthy bot attack that appears to have struck Anthem, and avoid being the victim of such a large-scale breach.

About the Author

Article written by the Check Point staff

[adrotate banner=”9″]

[adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – Anthem, Data Breach)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.