Anthem Breach: Symantec Points Finger at ‘Black Vine’ Group

Researchers at Symantec believe they have identified the perpetrators of the major data breach suffered by health insurer Anthem, revealed back in February, which resulted in the loss of up to 80 million confidential patient records.

In a new white paper, Symantec uncovers the details of a cyber-espionage group dubbed ‘Black Vine’, which it says attacked Anthem. The group appears to use sophisticated, custom-developed malware and also shares zero-day exploits with other hacker groups.

Operating since 2012, Black Vine carries out its attacks using two Internet Explorer zero-day vulnerabilities: CVE-2012-4792(‘CDwnBindInfo’ Use-After-Free Remote Code Execution Vulnerability) and CVE-2014-0322 ( Use-After-Free Remote Code Execution Vulnerability).

For many of its attack campaigns – which, in addition to healthcare, target industries including aerospace, aviation, and gas turbine manufacture – Black Vine conducts watering-hole attacks, whereby malicious actors single out and infect a website frequently visited by a target victim group.

The aforementioned zero-days are then used to drop Black Vine’s malware onto the machines of susceptible targets, giving the hackers remote access.

Victims in the United States account for 82% of Black Vine’s malicious activity, with a handful of incidents in Canada, Europe and Asia making up the rest.

The three pieces of custom malware used during the attacks has been identified as Hurix, Sakurel and Mivast, each of which grants access and highly privileged use.

“Based on the samples analyzed in our investigation, Symantec identified that the Black Vine malware variant known as Mivast was used in the Anthem breach. Other third-part[y] vendors also cited Mivast as the malware used in the Anthem attack,” the report states.

In Anthem’s cases, it appears Black Vine bucked the trend of using watering-hole attacks (no evidence of such was found) and instead targeted Anthem’s technical staff with spear-phishing emails.

Contemporaneous use of the same zero-days by other hacking groups has led Symantec to believe that Black Vine is sharing into a zero-day distribution framework called Elderwood.

There is no further indication of who the hackers might be, beyond information published by ThreatConnect that highlights a link between the Anthem hackers and a Beijing-based company called Topsec.

Responding to this trend, Symantec wrote: “The relationship with Black Vine and Topsec provides evidence of the past or present geography of at least some actors involved in this group’s activity.”

What’s Hot on Infosecurity Magazine?