Anthem

Overview

Anthem, one of the largest health insurance providers, was revealed to have been breached in 2015 after hackers gained access to the insurer's database. Personal information of nearly 80 million individuals, including current and former customers and employees, was leaked. The attackers ran a sophisticated spear phishing campaign to compromise employee credentials, which gave them access to Anthem's network and allowed them to exfiltrate data. The stolen information included names, dates of birth, Social Security numbers, and medical data, raising concerns about identity theft and privacy violations. The incident highlighted the vulnerability of healthcare organizations to cyber threats and the importance of proper cybersecurity measures to protect patient information.

Vulnerability Details

The group "Deep Panda", responsible for the Anthem breach, used advanced techniques such as targeted spear phishing campaigns and a novel attack framework written in JavaScript. Deep Panda is classified as an APT (Advanced Persistent Threat), a term that refers to a skilled and determined adversary with advanced capabilities.

The attackers impersonated Anthem's HR and IT services in emails, and used typosquatting to create fake, malicious websites resembling legitimate domains. The phishing emails contained malicious attachments and embedded links leading to these typosquat domains, myhrsolutions.we11point.com and extcitrix.we11point.com (the digit "1" standing in for the letter "l" in WellPoint, Anthem's former name). Once an attachment was opened, the malware provided various capabilities, including establishing backdoor channels, executing files and commands, and collecting and sending information about the infected computer.

Lab Terminal

In this terminal activity, students will investigate typosquatting, a technique commonly used in phishing campaigns to steal user credentials. The activity connects to the Anthem breach, where attackers used targeted phishing to gain employee access and exfiltrate sensitive data. By examining typosquatted versions of major domains like twitter.com and google.com, students will see how attackers register deceptive look-alike domains to trick users into revealing login information. Students will analyze the types of typos used, review the nameservers tied to suspicious domains, and understand why companies often register these variants themselves for brand protection. This exercise reinforces how seemingly small domain changes can enable large-scale data breaches and why employee awareness and domain monitoring are critical defenses against such threats.

Instructions:

  • Use the help command to explore available commands.
  • View the various typosquatted domains of twitter.com: urlcrazy twitter.com
  • View the various typosquatted domains of google.com: urlcrazy google.com
  • Examine the different typo types used by attackers
  • Examine the nameservers of the typosquatted domains
  • In Google.com's domain report, a majority of the typosquatted domains seem to belong to Google. Think about why this is the case
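The following Python script is an added example (not part of the lab or of urlcrazy) that generates the same kinds of typosquat variants urlcrazy reports for a watched domain and then checks a sender host name, such as those in the Anthem phishing emails, against them; the watched domain list and the sample host names are constructed for illustration.

```python
# Look-alike characters as rendered in common fonts; 'l' -> '1' is the exact
# substitution behind the we11point.com domains used against Anthem.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}


def typosquat_variants(domain):
    """Look-alike domains grouped by typo type (omission, transposition,
    repetition, homoglyph), mirroring the categories urlcrazy reports."""
    name, _, tld = domain.lower().partition(".")
    kinds = ("omission", "transposition", "repetition", "homoglyph")
    variants = {kind: set() for kind in kinds}
    for i, ch in enumerate(name):
        variants["omission"].add(name[:i] + name[i + 1:])
        variants["repetition"].add(name[:i] + ch + name[i:])
        if i + 1 < len(name):
            variants["transposition"].add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in HOMOGLYPHS:  # single substitution at this position
            variants["homoglyph"].add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    for ch, look_alike in HOMOGLYPHS.items():
        if ch in name:  # every occurrence at once: wellpoint -> we11point
            variants["homoglyph"].add(name.replace(ch, look_alike))
    # Drop anything that collapsed back to the real name, re-attach the TLD.
    return {kind: {f"{v}.{tld}" for v in names if v != name}
            for kind, names in variants.items()}


def registrable(host):
    """Last two labels of a host name: the look-alike lives in the registered
    domain, whatever subdomain is prepended (extcitrix.we11point.com)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_domain(host, legitimate):
    """Return (typo_type, legit_domain), ("legitimate", legit_domain) for an
    exact match, or None when the host resembles none of the watched domains."""
    candidate = registrable(host)
    for legit in legitimate:
        if candidate == legit.lower():
            return ("legitimate", legit)
        for kind, names in typosquat_variants(legit).items():
            if candidate in names:
                return (kind, legit)
    return None


if __name__ == "__main__":
    # Constructed sender domains as they might appear in mail logs (not real data).
    watched = ["wellpoint.com", "twitter.com", "google.com"]
    for h in ["myhrsolutions.we11point.com", "twiter.com", "gooogle.com", "example.org"]:
        print(h, "->", classify_domain(h, watched))
```

Run against real mail logs, a hit on anything other than "legitimate" is a candidate for blocking or alerting, and the variant lists double as a list of domains worth registering defensively, which is why most of google.com's variants already belong to Google.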

Review Questions

What is an APT?
What is spear phishing? How does it differ from regular phishing?
How could behavioral analysis help discover the attack?
Could data encryption have helped prevent damage caused by the attack?
Could Multi-Factor Authentication (MFA) have potentially prevented such attacks used against Anthem?