Cybersecurity experts say it's likely the same Chinese hackers who recently breached the records of at least 4 million government workers were also responsible for the cyberattacks against insurers Anthem, Premera and CareFirst.
A cybersecurity expert told Modern Healthcare that all of the attacks share a similar digital certificate and technique, while the New York Times has reported that federal officials and cybersecurity experts have little doubt that hackers in China are to blame for the recent breach at the Office of Personnel Management as well as the Anthem and Premera hacks.
Researchers at information technology security firm ThreatConnect have found that an individual or individuals in China registered several domains whose names are near-misses for the affected companies' names, such as “prennera,” “welpoint,” “caref1rst” and “careflst” (an “nn” standing in for an “m,” a dropped “l,” and a digit or lowercase “l” in place of an “i”; WellPoint is Anthem's former name). Rich Barger, the firm's chief intelligence officer, said it's likely that hackers used these and OPM-related domain names in phishing e-mails crafted to trick corporate leaders into giving them access to their systems.
Because ThreatConnect is not directly involved in the forensic analysis at any of the organizations involved, its researchers can't be sure that these domains were used in the attacks. Neither the companies nor the FBI has reported that the attacks were the result of phishing, but Barger said his team's research and other feedback have led them to believe that the domain names were used in these attacks.
ThreatConnect staffers connected the dots using the company's threat intelligence platform, which allows customers to aggregate and analyze threat intelligence with the help of external intelligence from third parties. Barger said the firm believes that the hackers are with the Chinese government, in part because they don't appear to be motivated to sell or use the information to steal identities.
“Why would anyone want a bunch of health records?” Barger said. “We're not seeing it sold. We're seeing targeted Chinese activity.”
Customer health records can actually be very valuable to an identity thief, but Barger's team has hypothesized that, even with the Blue Cross hacks, the specific goal of the Chinese hackers has been to obtain information on federal employees, who make up a notable portion of the 106 million Americans covered by the various Blue Cross and Blue Shield companies.
CareFirst alone covers 577,000 members in the Federal Employees Health Benefits Program, which it claims is the largest enrollment among companies participating in the program. As of late last year, the FEHB insured 8.2 million employees, retirees and family members.