The Anthem breach was one of 2014’s most significant data breaches. Attackers are believed to have exfiltrated the records of millions of Anthem customers. It is widely believed that the attackers started penetrating the Anthem network around Jan 2015, but our research indicates otherwise. We believe that the attack on Anthem’s network began around April 2014 and that the attackers remained in the network, undetected, for about nine months.
We believe that the threat group behind the Anthem breach was China’s Deep Panda. The group is also known to use the aliases Axiom, Shell_Crew, KungFu Kittens, Web Masters, PinkPanther, and SportsFans.
Although very few details are available publicly about how this attack started, if one connects the dots, a picture of what likely happened around April 2014 emerges.
We believe it all started with an email. The attackers sent a phishing email to one of Wellpoint’s employees (Anthem was called WellPoint back in April 2014) that enticed the employee to run a “Citrix Gateway Secure Input” setup. The binary was actually a well-known backdoor named Sakula. Once the employee ran the binary (‘SecureInput.exe’), Sakula installed itself and their machine was infected. The next step was to launch a phishing page on the user’s screen that resembled the login page of Anthem’s corporate Citrix web gateway.
Fig 1: Original WellPoint Citrix Gateway
This is a classic phishing attack, where the attackers registered a domain (www.we11point.com) that is visually similar to the victim’s corporate web site (www.wellpoint.com). Unsuspecting users did not notice that the phishing domain was we11point.com, where there were two 1’s instead of two L’s.
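The defensive counterpart to the look-alike domain described above is a check that folds visually confusable characters (the digit 1 standing in for the letter l, 0 for o, "rn" for "m") before comparing a domain seen in proxy or mail logs against the organisation's own domains. The following is an added example and not code from the original post or from any vendor; the watchlist, the confusable table and the sample hostnames are constructed for illustration, and the registered-domain extraction is a naive last-two-labels split that assumes no multi-part public suffix.

```python
# Added example (not from the original post): flag look-alikes of a corporate
# domain by folding confusable characters, the trick we11point.com relied on.
# The watchlist and hostnames below are constructed sample data.

# Multi-character confusables are folded first so "rn" becomes "m" before
# any single character is touched.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}
CONFUSABLE_CHARS = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive eTLD+1; assumes no
    multi-part public suffix such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def split_label_tld(domain: str) -> tuple[str, str]:
    """Split 'wellpoint.com' into ('wellpoint', 'com'); a bare label gets an empty TLD."""
    labels = domain.split(".")
    return (labels[0], labels[-1]) if len(labels) > 1 else (labels[0], "")


def fold_confusables(label: str) -> str:
    """Map visually confusable characters to a canonical form so that
    look-alike spellings collapse onto the legitimate one."""
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        label = label.replace(seq, rep)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats that the
    confusable table does not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, watchlist: list[str]) -> str:
    """Return "legitimate" for an exact registered-domain match, "lookalike"
    when the folded label matches a watchlisted label (any TLD) or is within
    one edit of it on the same TLD, and "unrelated" otherwise."""
    candidate = registered_domain(host)
    cand_label, cand_tld = split_label_tld(candidate)
    for entry in watchlist:
        legit = registered_domain(entry)
        if candidate == legit:
            return "legitimate"
        legit_label, legit_tld = split_label_tld(legit)
        if fold_confusables(cand_label) == fold_confusables(legit_label):
            return "lookalike"
        if cand_tld == legit_tld and levenshtein(cand_label, legit_label) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed hostnames as they might appear in a proxy log.
    corporate = ["wellpoint.com"]
    for seen in ["www.wellpoint.com", "www.we11point.com", "wellpoints.com", "example.com"]:
        print(f"{seen:22s} -> {classify_domain(seen, corporate)}")
```

In practice the watchlist would hold every domain the organisation owns, and a "lookalike" verdict is a prompt to check new registrations and to block or alert on the domain in the web proxy and mail gateway, not a proof of malice on its own.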
It is not hard to imagine what happened next. Victims entered their credentials into the fake login page. The hijacked credentials were then sent to the attacker’s command and control servers. Once the attackers acquired valid credentials, it was a simple matter for them to penetrate the entire Anthem/Wellpoint network. This lateral movement eventually resulted in the compromise of confidential data.
Fig 2: Fake Citrix Gateway Setup
Fig 3: Phishing page, currently sinkholed by security researchers
The Sakula malware is known to be used by the Chinese threat actor “Deep Panda”. Deep Panda acts covertly and is known to use techniques that leave no traces of a network breach. In fact, a look at Sakula’s scan history shows how it remained undetected by the top 55 vendors listed on VirusTotal for about 9 months.
Deep Panda is credited with breaching various government agencies, major airlines, and the Veterans Affairs administration using TTPs (Tools, Techniques & Procedures) such as diskless malware (run from memory) and WebShells (compromised backdoor web servers) to hide their tracks. They are well known for their use of sophisticated RATs (Remote Access Trojans), such as Sakula, to gain complete control of an infected machine.
It’s surprising that a simple phishing technique combined with a known but polymorphic malware can compromise a well-protected network, but it happens all the time.