Premera Breach – What Happened and Was it Related to the Anthem Breach?

Premera Blue Cross, a major health care services provider, recently disclosed information regarding a data breach that could impact 11 million of its customers. According to Premera’s cyberattack website created to disseminate information about the breach, hackers gained access to their systems and may have accessed customer information including names, addresses, email addresses, telephone numbers, dates of birth, Social Security Numbers, member identification numbers, medical claims information, and bank account information. Premera has stated that they have not yet been able to find evidence that the information was infiltrated from their network or that the information has been used inappropriately. Premera worked closely with Mandiant, a leading cybersecurity firm that specializes in incident response and forensic investigations, to help remove the contamination from their network. They continue to work closely with the FBI in order to determine the extent of the damage while also shoring up their network security defenses to help prevent future incidents. It was disclosed that Premera became aware of the attack on January 29, 2015, but their investigation has turned up evidence that the initial attack occurred as early as May 5, 2014. The timeframe between the date they became aware of the attack and the public disclosure date stands at 47 days, which has caused some people on the internet to question why it took them so long to get the message out to customers. The company said it plans on notifying affected customers via postal letters starting today, and that it will be offering two years of free credit monitoring services to its affected customers. Premera, Mandiant, and the FBI are tight-lipped about the details of the breach given the ongoing investigation, but the internet is buzzing with speculation that this intrusion could be the work of the same group that might have infiltrated Anthem, a state-sponsored hacking group in China most commonly being referred to now as “Deep Panda.” Deep Panda has been known for creating fake websites that impersonate legitimate corporate services for companies. In the case of Anthem, a fake domain name “we11point.com” was created and may have been used by the group for targeted phishing attacks. This typosquatting tactic is often gone unnoticed by customers who click on the links in such phishing emails, allowing attacks to potentially collect user and password information that they could then use to infiltrate internal systems. ThreatConnect was one of the early sources that provided details linking the Anthem breach to such Chinese state-sponsored hacking groups via an in-depth blog post. As of today, they have provided additional details about the similarities between the Anthem breach and the Premera breach that seem to indicate that both attacks may have been carried out by the same organization. Their analysis of the Anthem breach yielding some interesting information that now is abundantly relevant, including a Chinese APT binary discovered as early as December 2013 that was communicating with an IP address that was at one point resolving to the bogus “prennera.com” domain name. With all of the information coming together now regarding Premera, it seems to be entirely possible that they may have been facing breach attempts as early as December 2013. Stay tuned to BeyondTrust for further updates.