Researchers link Chinese to Anthem, OPM hacks

Cyber intelligence firm ThreatConnect Inc. claims evidence links Chinese state-sponsored hackers to multiple high-profile attacks.

Cybersecurity intelligence firm ThreatConnect released a detailed study Friday that the company says shows that Chinese state-sponsored hackers are likely behind the massive data breach at health insurance firm Anthem Inc., as well as attacks against a U.S. defense contractor and the Office of Personnel Management.

In a report posted on the company’s website and in interviews, analysts said detailed forensic analysis of malware and attack infrastructure used in the attacks against Anthem, Premera Blue Cross, defense contractor VAE Inc. and OPM points to known Chinese state-sponsored threats.

“This entire series of campaigns is shrouded in indicators of Chinese advanced persistent threats,” Richard Barger, chief intelligence officer at ThreatConnect, told FedScoop. “From the actors themselves, their motivations and the benefactors of the information taken, to the technical capability that the attackers used in whole campaigns overlap. The technical infrastructure in some cases also overlaps.”

The firm linked the attacks to servers used by a Chinese security company funded partially by the Chinese People’s Liberation Army, or PLA, and a Chinese university with known ties to the Chinese government and intelligence services. The two organizations are known to have sponsored a joint hacking competition known as TOPSEC Cup.


Although last year’s OPM breach was not a central thrust of the investigation, Barger said the company discovered a significant amount of incriminating evidence to suggest the same attackers are likely behind all of the attacks. “We found some overlays with the malware and a digital certificate that was used in the malware that specifically used a static IP for command and control that we were able to trace to a Chinese-registered domain that had a very curious OPM theme in and around the time that we knew [the agency] was targeted,” Barger said.

“It’s difficult to say that all of these campaigns are linked to the same warm body sitting behind the keyboard, but we can find notable technical overlaps across all of these numerous campaigns, which suggests that there’s potentially a single enabler,” he said.

The potential linkage between the incidents suggest a wider effort to gather personal information across a variety of organizations that store and process federal employee data for the purpose of targeting individuals outside the protection of government networks, Barger said. “We believe that the information that could have been taken in those campaigns and incidents could be used together to enable a variety of follow on secondary targeting, whether that is human recruitment to technical surveillance and exploitation,” he said. “You could use that information to send targeted spear phishing campaigns at my home, which is outside the coverage of .gov or .mil network defenses.”

Latest Podcasts