Anthem

Overview

Anthem, one of the largest health insurance providers in the United States, disclosed in 2015 that attackers had gained access to the insurer's customer database. Personal information of nearly 80 million individuals, including current and former customers and employees, was stolen. The attackers ran a targeted spear phishing campaign to compromise employee credentials, which gave them a foothold on Anthem's network from which they exfiltrated the data. The stolen records included names, dates of birth, Social Security numbers, addresses, and medical ID numbers, raising concerns about identity theft and privacy violations. The incident exposed how vulnerable healthcare organizations are to targeted intrusions and highlighted the importance of proper cybersecurity measures to protect patient information.

Vulnerability Details

The group "Deep Panda", held responsible for the Anthem breach, is classified as an APT (Advanced Persistent Threat): a skilled, well-resourced adversary that pursues a chosen target over a long period rather than opportunistically. The group used advanced techniques, including targeted spear phishing campaigns and a novel attack framework written in JavaScript.

The attackers posed as Anthem's HR and IT services in email, and used typosquatting to register look-alike domains that resembled the company's legitimate ones (Anthem was formerly named WellPoint). The phishing emails carried malicious attachments and embedded links pointing to the typosquat domains myhrsolutions.we11point.com and extcitrix.we11point.com, in which the two letters "l" in "wellpoint" were replaced with the digit "1". Once a victim opened the attachment, the malware it installed could establish backdoor command-and-control channels, execute files and commands, and collect and send information about the infected computer.

Lab Terminal

In this terminal activity, students will investigate typosquatting, a technique commonly used in phishing campaigns to steal user credentials. This activity connects to the Anthem breach, where attackers used targeted phishing to compromise employee accounts and gain access to sensitive healthcare data. By examining typosquatted versions of major domains like twitter.com and google.com, students will see how attackers register deceptive look-alike domains to trick users into revealing login information. Students will analyze typo patterns, review domain ownership information, examine DNS records, and distinguish between malicious domains and defensive registrations used for brand protection. This exercise reinforces how small domain changes can enable large-scale data breaches and why domain monitoring, employee awareness, and multi-factor authentication are critical defenses.

Instructions:

  • Use the help command to explore available commands.
  • View typosquatted variants of twitter.com: urlcrazy twitter.com
  • View typosquatted variants of google.com: urlcrazy google.com
  • Identify a visually deceptive domain such as ggoogle.com.
  • Examine the WHOIS registration information for the domain and identify the registrar, registrant organization, and nameservers: whois ggoogle.com
  • Examine the DNS records for the domain and determine whether it resolves to an IP address: dig ggoogle.com
  • In google.com's report, many typosquatted domains appear to belong to Google. Think about why large organizations register these domains themselves.
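To make the typo patterns concrete, the following Python script is an added example (it is not part of the lab terminal and is not urlcrazy's code). It generates the typo classes that tools such as urlcrazy enumerate (character omission, repetition, adjacent transposition, and homoglyph substitution) and uses them the way a domain-monitoring check would: given a hostname seen in a phishing email, it reports which monitored brand domain the hostname imitates and by which typo class. The brand list, the homoglyph table, and the sample hostnames are constructed for this example; we11point.com is the only one taken from the breach itself.

```python
"""
Typosquat candidate generation and look-alike classification.

Added example for the Anthem lab; not urlcrazy's code. Generates the
common typo classes and classifies a suspicious hostname against a list
of monitored brand domains. The homoglyph table and sample hosts below
are constructed for illustration.
"""

# Visually confusable characters (a small constructed subset; extend as needed).
HOMOGLYPHS = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "0": ["o"],
    "e": ["3"],
    "a": ["4"],
    "s": ["5"],
    "g": ["q"],
    "m": ["rn"],
    "w": ["vv"],
}


def split_domain(domain):
    """Return (label, tld) for a registrable domain such as 'google.com'."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def omissions(label):
    """Drop one character: google -> gogle."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}


def repetitions(label):
    """Double one character: google -> ggoogle."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}


def transpositions(label):
    """Swap two adjacent characters: google -> gogole."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}


def homoglyph_subs(label, max_subs=2):
    """Replace one or two positions with confusable characters: wellpoint -> we11point."""
    results = set()
    positions = [i for i, c in enumerate(label) if c in HOMOGLYPHS]
    for a in positions:
        for ga in HOMOGLYPHS[label[a]]:
            results.add(label[:a] + ga + label[a + 1:])
    if max_subs >= 2:
        for a in positions:
            for b in positions:
                if b <= a:
                    continue
                for ga in HOMOGLYPHS[label[a]]:
                    for gb in HOMOGLYPHS[label[b]]:
                        results.add(label[:a] + ga + label[a + 1:b] + gb + label[b + 1:])
    return results


def generate_candidates(domain):
    """Map typo class -> set of candidate look-alike domains for a brand domain."""
    label, tld = split_domain(domain)
    classes = {
        "omission": omissions(label),
        "repetition": repetitions(label),
        "transposition": transpositions(label),
        "homoglyph": homoglyph_subs(label),
    }
    # Transposing two identical letters reproduces the brand itself; drop those.
    return {cls: {f"{c}.{tld}" for c in cands if c != label}
            for cls, cands in classes.items()}


def classify(hostname, brands):
    """
    Return (brand, typo_class) when the registrable part of hostname matches
    a typosquat candidate of a monitored brand, ('brand', 'exact') for the
    brand itself, or None. Subdomains are stripped first, so
    'myhrsolutions.we11point.com' is judged on 'we11point.com'.
    """
    parts = hostname.lower().strip(".").split(".")
    registrable = ".".join(parts[-2:])
    for brand in brands:
        if registrable == brand.lower():
            return (brand, "exact")
        for cls, cands in generate_candidates(brand).items():
            if registrable in cands:
                return (brand, cls)
    return None


if __name__ == "__main__":
    # Constructed monitored-brand list and sample hostnames from phishing links.
    brands = ["twitter.com", "google.com", "wellpoint.com"]
    samples = ["myhrsolutions.we11point.com", "ggoogle.com",
               "twiter.com", "gogole.com", "example.org"]
    for host in samples:
        print(f"{host:32} -> {classify(host, brands)}")
```

The script only answers the first of the lab's questions (is this a look-alike, and of what?). Deciding whether a matching domain is malicious or a defensive registration still requires the WHOIS and DNS steps above: a homoglyph domain whose registrant is the brand owner and which resolves to the brand's own infrastructure is brand protection, while the same domain registered days ago through a privacy proxy and resolving to an unrelated host is what a phishing campaign looks like.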

Review Questions

What is an APT?
What is spear phishing? How does it differ from regular phishing?
How could behavioral analysis help discover the attack?
Could data encryption have helped prevent damage caused by the attack?
Could Multi-Factor Authentication (MFA) have potentially prevented such attacks used against Anthem?