The breach that compromised personal information for roughly 80 million Anthem members announced earlier this year was likely the work of a sophisticated cyberespionage group, according to a whitepaper from software company Symantec. It calls the hackers "Black Vine."
"Black Vine is a formidable, highly resourced attack group, which is equipped to conduct cyberespionage against targeted organizations," Symantec said in a blog post. "Based on our records of its past campaigns, Symantec believes that Black Vine's malicious activity will continue."
The Anthem attack, the largest known breach to date in the healthcare industry, was already linked to China. Hackers used the same Chinese software in an attempted attack on Reston, Virginia-based defense contractor VAE, FierceHealthIT previously reported.
Symantec says it's likely that some Black Vine actors are connected to a Beijing-based IT security firm called Topsec.
- Other third-party vendors cited the same variant in their research into the attack
- The Anthem attackers also used a digital certificate to sign the malware, which was seen before in other Black Vine attacks
- Multiple domains used in the Anthem breach were found on Black Vine's infrastructure
Symantec determined that Black Vine has been conducting attacks since at least 2012, focusing on the healthcare, energy and aerospace industries. In many of its attacks, Black Vine delivered malware onto the victim's computer after exploiting a zero-day vulnerability through watering-hole attacks.
Once the malware was on the computer system, Black Vine was able to open back doors and execute files and commands, delete, modify and create registry keys and gather information from the infected computer.