8 June 2015

Chinese Hacking of U.S. Data May Extend to Insurance Companies

By NICOLE PERLROTH, DAVID E. SANGER and JULIE HIRSCHFELD DAVIS 
JUNE 5, 2015 

SAN FRANCISCO — The same Chinese hackers who breached the records of at least four million government workers through the Office of Personnel Management appear to have been responsible for similar thefts of personal data at two major health care firms, Anthem and Premera, according to cybersecurity experts.

The multiple attacks, which began last year and were all discovered this spring, appear to mark a new era in cyberespionage with the theft of huge quantities of data and no clear motive for the hackers.

There is no evidence that the data collected was used for criminal purposes like faking identities to make credit card purchases. Instead, the attackers seem to be amassing huge databases of personal information about Americans. Some have high-level security clearances, which the Office of Personnel Management handles, but millions of others do not, and the reasons for their records being taken have puzzled investigators.

All of the attacks have one thing in common: The United States government has traced them to China, though it is unclear whether the attackers are working for the state.

Millions of records for American workers were stolen from the Office of Personnel Management in Washington by hackers. 

JAMES LAWLER DUGGAN / REUTERS 

Based on forensics, security experts believe the attackers are not one of the hacking units of the People’s Liberation Army, which were named in a federal indictment last year that focused on the theft of intellectual property. Researchers say these hackers used different tools than those utilized by the Liberation Army’s Third Department, which oversees cyberintelligence gathering. But that does not exclude another state-sponsored group, or the adoption of new technologies that are harder to trace.

What marks all of the attacks is the scale and ambition of the data sweeps. When Premera said it was the victim of an attack that exposed medical data and financial information, it appeared to involve 11 million customers. Anthem’s involved upward of 80 million social security numbers. Medical records, like the government’s personnel records, contain Social Security numbers and birth dates; the medical data sometimes is linked to bank accounts as well.

In February the F.B.I. issued an alert, circulated to a restricted number of major firms and first revealed by Brian Krebs, a security researcher, that said bureau investigators had “received information regarding a group of cyberactors who have compromised and stolen sensitive business information and personally identifiable information (P.I.I.) from U.S. commercial and government networks through cyberespionage.”

But the theft of personal information has typically been the realm of cybercriminals, who sell it on the underground market where it can be used to break into someone’s email, bank or trading account, typically for identity theft. In this case, however, researchers say the group that stole the personal information was known for cyberespionage, which indicates that spies are no longer stealing just American corporate and military trade secrets, but also personal information for some later purpose.

The intrusions also suggest that President Obama’s efforts over the past three years to engage China’s leadership in a dialogue that would limit cyberattacks has failed. The pace of the attacks is unabated, and the scope has grown. Chinese officials say they, too, are victims, and on Friday the Chinese foreign ministry said the United States was leaping to conclusions about the source of the attacks based on evidence it has not made public. Beijing dismissed the United States allegations that China was the source of an attack on federal workers’ data as “unscientific and irresponsible.”

“We hope the American side won’t continue this layer upon layer of suspicion and groundless accusations,” Hong Lei, a Ministry of Foreign Affairs spokesman, said at a regularly scheduled news conference.

Just what the attackers plan to do with Social Security numbers and other personal information for four million current and government workers, and millions more insured by Anthem and Primera, is not yet clear.

“We believe they are creating a tremendous database of P.I.I. that they reach back to for further activity,” said John Hultquist, the senior manager of cyberespionage threat intelligence at iSight, a security firm. “It looks like they are casting a very wide net, possibly for follow-on operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it.”

Mr. Hultquist and his team had been investigating the attacks at Anthem and Premera, in which hackers started naming their web domains after their targets. They named one of those domains Wellpoint, though with only with one “l,” to mimic a site used by Anthem, and soon iSight’s researchers saw the hackers creating new infrastructure for other attacks. They also created some other new sites, including two named for the Office of Personnel Management, before they breached the Federal agency. In every case, the group went after personal information.

However, iSight stopped short of pinning the attacks on Chinese hackers.

The attack at the Office of Personnel Management is one of the largest breaches of federal employees’ data. It is also the third major intrusion of a federal agency in the last year. Last year, both the White House and State Department were breached by hackers that government officials believe were Russian.

It is unclear why American government agencies were vulnerable to such an extent, or why those agencies left critical data unencrypted. A report from the Government Accountability Office last year found that government agencies have inadequately responded to cyber breaches. The report found that 24 major federal agencies had been breached, and that in about 65 percent of cases, the agencies did not completely document their response to cyber incidents.

American officials are scheduled to meet with their Chinese counterparts at an annual “Strategic and Economic Dialogue” later this month and government officials have said they will make cyberattacks a top item for discussion. But they have done so before.

In an attempt to deter the kinds of attacks that have left federal agencies reeling, President Obama signed a a new executive order in April that established the first sanctions aimed at curbing foreign cyber espionage and theft. The order authorized financial and travel sanctions against anyone participating in online attacks that posed a threat to the “national security, foreign policy, or economic health or financial stability of the United States.” But so far the new order has not been used.

In this case there seemed to be little doubt among federal officials that the attack was launched from China. But the administration did not publicly identify Chinese hackers as the culprits, perhaps because it is difficult to definitively attribute the source of cyberattacks and to back up such an attribution without divulging classified data, or perhaps because of a broader diplomatic strategy.

The F.B.I. said it was working with other agencies to investigate the matter. “We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace,” Joshua Campbell, a spokesman, said in a statement.

Nicole Perlroth reported from San Francisco, and David E. Sanger and Julie Hirschfeld Davis from Washington. Austin Ramzy contributed reporting from Hong Kong.

No comments: