US Indicts Chinese Man for Anthem Breach

The US authorities have charged a Chinese man for his role in the massive 2015 information-stealing raid on health insurer Anthem, which affected nearly 79 million customers.

Fujie Wang, 32, and another man charged as John Doe, have been indicted for attacks on four US businesses, including a “basic materials” firm, a tech company and a communications business.

According to the court documents unsealed last week in Indianapolis, the two are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

They are alleged to have sent spear-phishing emails to employees in the targeted businesses, of which only Anthem has been named. Once users clicked on a malicious link, a backdoor was covertly downloaded to give the hackers remote access to the corporate network.

They then waited several months before performing reconnaissance work on Anthem’s data warehouse in October and November 2014. Once the sought-after data was found, in January 2015 it was placed into encrypted archive files and exfiltrated before being sent to China.

The files were then deleted from the victim networks to avoid detection, according to the Department of Justice (DoJ).

Wang is alleged to have controlled two domain names linked to the campaign, including one domain name associated with a backdoor used to attack one business, and another linked to an email account used to spear-phish victims of a separate targeted company.

Personally identifiable information (PII) on around 78.8 million Anthem customers was stolen, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data.

The breach is still one of the biggest ever recorded in the healthcare sector. In 2017 Anthem agreed to pay $115m to settle lawsuits brought by customers, in what lawyers at the time said was the largest ever settlement for a data breach.

However, the firm admitted no wrongdoing during that case, and it was praised by officials last week for its incident response following the attack.

“Anthem's cooperation and openness in working with the FBI on the investigation of this sophisticated cyber-attack was imperative in allowing for the identification of these individuals. This also speaks to the strong partnerships the FBI has with the private sector, as well as the tenacity and global reach of the Bureau,” said special agent in charge Grant Mendenhall.

“It should also be noted that the speed with which Anthem initially notified the FBI of the intrusion on their networks was also a key factor in being able to determine who was responsible for the breach and should serve as an example to other organizations that might find themselves in a similar situation.”

There have been suggestions that the attack was state-sponsored, as an Anthem spokesperson in 2017 claimed there was no evidence that any of the data was sold or used in identity fraud. However, the real motives remain a mystery for now.