The Enduring Mystery of Who Hacked Anthem

When American prosecutors unsealed an indictment on Thursday charging two individuals operating out of China, one of whom is a Chinese national, for their involvement in a massive breach of the American health insurer Anthem, one thing was notably missing from the indictment: any mention of Chinese state involvement.

The 2015 breach at Anthem compromised some of the most intimate data belonging to nearly 80 million Americans, and U.S. security companies quickly linked the breach to hacking groups based in China. Investigators also uncovered evidence linking the Anthem breach to the Chinese raid on the Office of Personnel Management that pilfered sensitive material on some 22 million Americans the same year.

Some analysts concluded the two breaches may have been part of a broader Chinese strategy to scoop up massive amounts of data on Americans in an effort to build a large database that could be used to identify U.S. operatives inside China and to identify Americans for possible recruitment.

But in charging documents unveiled on Thursday, U.S. prosecutors made no mention of Chinese state involvement, describing the scheme to steal millions of Social Security numbers, employment information, and income data as part of a criminal operation to break into the company’s computer systems.

That decision has befuddled some researchers who have examined the case. Given the material that was being stolen, the sophistication of the operation, and the resources invested in it, “this has the hallmarks of an espionage campaign,” said Jon DiMaggio, a senior threat intelligence analyst at the anti-virus company Symantec.

In a 2015 report, DiMaggio traced the operations carried out by the group responsible for hacking into Anthem, which he dubbed “Black Vine,” and found that it had executed a series of attacks against firms in the aerospace, energy, and health care sectors. The group used custom-written malware against its targets, utilized previously unknown software vulnerabilities (better known as zero-day vulnerabilities), and spent months examining the computer systems it penetrated to ensure that it hadn’t been detected.

That same year, researchers at the security firm ThreatConnect found that the technical infrastructure used in the Anthem attack was linked to the Chinese computer security firm Topsec, which has strong links to its country’s security establishment.

Despite what appears to be a wealth of evidence connecting the Anthem hackers to the Chinese state, U.S. prosecutors appear to have held back from including any mention of Beijing’s intelligence agencies either because they couldn’t make the case in open court or out of a desire to reveal more down the road.

David Hickton, a former U.S. attorney and a pioneering prosecutor of cybercrime cases, told Foreign Policy that Thursday’s indictment was “carefully drawn,” and he suggested that “there is more to it and more to come.”

In recent months, the U.S. Justice Department has not shied away from aggressively prosecuting Chinese intelligence operatives. In December 2018, the department charged two hackers with acting on behalf of China’s powerful Ministry of State Security in an audacious scheme to break into the computer systems of global information technology companies and steal their clients’ intellectual property. In October 2018, the department indicted a group of 10 Chinese intelligence officers and their recruits on charges they attempted to break into the computer systems of aerospace companies to steal sensitive data.

These indictments have come amid an effort by the Justice Department to crack down on Chinese economic espionage and covert influence. Announced in November 2018, the so-called China Initiative aims to quickly bring trade theft cases to court, to more aggressively review foreign investments in the United States, and to better enforce the Foreign Agents Registration Act, which regulates attempts by foreign countries to influence U.S. politics.

This crackdown has been part of a broader chill in U.S.-China relations. This week, a last-minute effort to prevent a broader U.S.-China trade war ended without an agreement. Meanwhile, American regulators are applying greater scrutiny to Chinese investments in the United States, suspending some visas for Chinese academics, and moving to ban Chinese telecommunications companies from providing gear to American network infrastructure.

A spokesman for the Justice Department did not answer questions about whether the Anthem indictment should be considered a part of its China crackdown. He declined to answer questions about why the indictment did not address possible Chinese state involvement in the Anthem breach.

Assistant Attorney General Brian Benczkowski on Thursday described the Anthem hack as “one of the worst data breaches in history.” The indictment of the two individuals charged in the case, Fujie Wang and a person known only as John Doe, describes them as highly technically proficient, and the inability of prosecutors to determine the real identity of the second hacker charged may be one indication of their technical savvy.

Given the proliferation of Chinese hacker groups, the apparent reluctance to name a Chinese state institution potentially involved in the Anthem breach may stem from the sheer difficulty of untangling the relationships between Beijing’s security services and the large number of hackers working in the country.

“The fact that they couldn’t be connected to a government agency doesn’t mean that they’re not,” said John Hultquist, the director of intelligence analysis at the security firm FireEye.

Hultquist said his researchers have observed freelance hackers working on behalf of China carrying out operations against targets that appear to have been assigned by that country’s intelligence agencies while at the same time carrying out separate operations on their own behalf for financial gain.

Separating which activity is criminal and which is part of espionage represents a significant challenge for researchers trying to understand Chinese state-backed hacking. The difficulty in separating the two provides intelligence organizations a degree of cover, masking intelligence operations as criminal enterprises.

“These third parties do a tremendous amount of their own activity,” Hultquist said.

Criminal hackers could be collecting data such as that stolen from Anthem as part of Chinese efforts to build up its biotech industry, said Adam Segal, who directs the Digital and Cyberspace Policy Program at the Council on Foreign Relations. Raiding Anthem customer information could, for example, yield “interesting biological health data for Chinese firms trying to do drug discovery,” Segal said.