Anthem

Target Audience

Undergraduate
Graduate

Keywords

anthem
email phishing
active persistent attack (APT)
scanbox
data dripping

Introduction

Overview

Anthem, one of the largest health insurance providers, was revealed to have been breached in 2015 as hackers gained access to the health insurer's database. Personal information of nearly 80 million individuals, including current and former customers and employees was leaked. The attackers executed a sophisticated spear phishing campaign to compromise employee credentials, allowing them to gain access to Anthem's network and exfiltrate data. The stolen information included names, dates of birth, Social Security numbers, and medical data, raising concerns about identity theft and privacy violations. The incident exposed the vulnerability of healthcare organizations to cyber threats highlighted and the importance of proper cybersecurity measures to protect patient information.

Vulnerability Details

The group “Deep Panda”, responsible for the Anthem breach, utilized advanced techniques, such as targeted spear phishing campaigns and a novel attack framework written in javascript. The term APT (Advanced Persistent Threat) refers to a skilled and determined adversary with advanced capabilities.
Hackers posed as Anthem's HR and IT services within emails, and used typosquatting to create fake and malicious websites resembling legitimate domains. The phishing emails contained malicious attachments and embedded links leading to these typosquat domains, myhrsolutions.we11point.com and extcitrix.we11point.com. Once opened, the malware exploited various capabilities, including establishing backdoor channels, executing files and commands, and collecting and sending information about the infected computer.

Learning Objectives

Describe the Anthem data breach in 2015
Explain email phishing and its role in this breach
Explain Advanced Persistent Threat (APT) and possible motives
List possible strategies to prevent this kind of attack
Compare and contrast the Anthem and Target breaches

Download

Includes a PDF case study adapted from a real-world cyber breach
Guided questions for student engagement
Instructor materials including context and background
All content packaged in a downloadable ZIP file

Remote Terminal

Terminal Description

In this lab, we will examine typosquatting, a very common technique used by attackers to phish for credentials. You will search for popular websites and analyze their various typosquatted domains.

Use the help-module5 command to explore available commands.
View the various typosquatted domains of twitter.com
View the various typosquatted domains of google.com
Examine the different typo types used by attackers
Examine the nameservers of the typosquatted domains
In Google.com's domain report, a majority of the typosquatted domains seem to belong to Google. Think about why this is the case

Module Questions

What is an APT?APT is a type of malware designed to target users through malicious email attachmentsAPT is a short-term attack aimed at disrupting an organization's operationsAPT is a sophisticated and complex cyberattack carried out by a skilled and determined adversaryAPT is a type of DoS attack that floods a target server with malicious traffic to make it inaccessible

What is spear phishing? How does it differ from regular phishing?Spear phishing targets individuals based on social media activity, while regular phishing targets random email addressesSpear phishing is a targeted form of phishing that uses emails tailored to a specific individual or organization, while regular phishing uses generic emails sent out at randomSpear phishing involves using voice calls to deceive victims, while regular phishing relies solely on email communicationSpear phishing relies on exploiting software vulnerabilities, while regular phishing relies on tricking users into revealing sensitive information

How could behavioral analysis help discover the attack?Behavioral analysis focuses solely on analyzing network traffic and does not aid in detecting malicious activitiesBehavioral analysis helps identify attack patterns by analyzing the behavior of potential victims rather than the attackersBehavioral analysis involves monitoring and analyzing user activity and system behavior to detect deviations from normal traffic, which can indicate a potential attackBehavioral analysis relies on analyzing physical behaviors rather than digital activities and is not relevant to cybersecurity

Could data encryption have helped prevent damage caused by the attack?No, data encryption is not effective against cyberattacks like the one on AnthemYes, data encryption can ensure that sensitive information remains protected even in the case that attackers gain access to the systemNo, data encryption only protects data while it is stored, it does not prevent unauthorized access to sensitive information during an attackYes, data encryption scrambles data into unreadable format, making it difficult for attackers to access and exploit sensitive information

Could Multi-Factor Authentication (MFA) have potentially prevented such attacks used against Anthem?No, MFA only adds complexity to the authentication process and does not offer significant protection against cyber threatsYes, MFA requires multiple forms of verification, such as passwords and biometrics, making it a solid defense in preventing unauthorized access to sensitive systems like AnthemsNo, MFA is very vulnerable to sophisticated social engineering tactics used in the Anthem attackYes, MFA provides an additional layer of security that would have certainly thwarted unauthorized access attempts in the Anthem breach