Anthem breach enabled by compromising administrator credentials
As an internal investigation continues into the massive data breach reported last week by Anthem, the company has confirmed reports that administrators who discovered the breach in late January noticed unusual activity on Anthem’s database systems – specifically that queries were being run against the database using the authenticated accounts of Anthem administrators. This information suggests that the attackers were able to access the database and retrieve data from it because they were in possession of valid administrator credentials. What’s less clear is how or when those credentials were compromised, or what level of authentication was required of administrators logging on to the database. If it turns out, as some observers have surmised, that one or more of Anthem’s administrators was victimized by a phishing attack, then this would also suggest that database administrators require only usernames and passwords to authenticate to the database. Presumably the successful attackers also needed to penetrate the insurer’s network perimeter in order to directly access the database, so perhaps a review of remote access logs associated with the compromised accounts will help confirm or refute the source of the attack.
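The log review suggested above, as an added illustration that is not part of the original post: it joins database audit records showing bulk reads by administrator accounts to the remote-access session that handed out the querying IP, and flags sessions from an address the account has not used before. The log formats, account names, addresses and thresholds are all constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from Anthem); the key=value format is an assumption.
DB_AUDIT = [
    "2015-01-27T02:14:05 user=dbadmin1 src=10.8.3.22 stmt=SELECT rows=3120000 obj=members",
    "2015-01-27T09:31:40 user=dbadmin1 src=10.2.0.15 stmt=SELECT rows=12 obj=members",
    "2015-01-28T01:02:11 user=dbadmin2 src=10.8.3.22 stmt=SELECT rows=4500000 obj=members",
]
VPN_LOG = [
    "2015-01-27T02:10:00 user=dbadmin1 event=login remote=203.0.113.45 assigned=10.8.3.22",
    "2015-01-28T00:58:30 user=dbadmin2 event=login remote=203.0.113.45 assigned=10.8.3.22",
]
# Addresses each administrator normally connects from (constructed baseline).
KNOWN_ADMIN_REMOTES = {"dbadmin1": {"198.51.100.7"}, "dbadmin2": {"198.51.100.7"}}
BULK_ROWS = 100_000            # a read above this size is treated as an extract
WINDOW = timedelta(hours=4)    # a VPN login this long before a query can explain its source IP

def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(db_lines, vpn_lines, known_remotes, bulk_rows=BULK_ROWS, window=WINDOW):
    """Return bulk reads by any account, each joined to the VPN session that assigned its source IP."""
    sessions = [parse(l) for l in vpn_lines if "event=login" in l]
    findings = []
    for q in (parse(l) for l in db_lines):
        if int(q["rows"]) < bulk_rows:
            continue
        match = [s for s in sessions
                 if s["user"] == q["user"] and s["assigned"] == q["src"]
                 and timedelta(0) <= q["ts"] - s["ts"] <= window]
        remote = match[-1]["remote"] if match else None
        findings.append({
            "user": q["user"], "obj": q["obj"], "rows": int(q["rows"]), "at": q["ts"].isoformat(),
            "remote": remote,
            "unfamiliar_remote": remote is not None and remote not in known_remotes.get(q["user"], set()),
        })
    return findings

if __name__ == "__main__":
    for f in correlate(DB_AUDIT, VPN_LOG, KNOWN_ADMIN_REMOTES):
        print(f)
```

The two bulk reads resolve to the same unfamiliar remote address for two different administrator accounts, which is the kind of pattern a review of remote-access logs for the compromised accounts would surface.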
Much has been made in the press of the fact that the data stolen from Anthem was not encrypted (which is recommended but not required under HIPAA). If the retrieval of the data occurred using administrator accounts, however, then any database-, drive-, or server-level encryption of data at rest would have been irrelevant because such data is typically decrypted on-the-fly when it is accessed by authorized users. The type of encryption advocated to protect health data is most useful to mitigate the physical theft of computers, hard drives, or removable media (such as backup tapes), or to safeguard sensitive data contained in database extracts or files to be electronically transferred from one location to another.
From the beginning, Anthem has characterized the breach as the result of “a very sophisticated external cyber attack.” Nothing in the subsequent reporting or purported expert analysis has yielded evidence to the contrary; in fact, there are indications that the breach itself may have been the culmination of an effort that began many months earlier with a concerted and prolonged attack consistent with an “advanced persistent threat.” To help with its investigation of the breach, Anthem has engaged security consultant Mandiant, a firm probably best known in security circles for bringing to light the allegedly Chinese government-sponsored cyber espionage group the company terms “APT1.” Although it is most likely a coincidence, initial reports from the Anthem investigation name Chinese hackers as the leading suspects behind the breach.