The recent indictment of two Chinese nationals for the 2015 hack on Anthem that compromised more than 78 million health records, including 4 million U.S. government employees, moves the provenance of the intrusion from the theoretical to reality: China conducted the hack.
Simultaneously, China also hacked the U.S. Office of Personnel Management, which compromised as many as 20 million records containing the history of personnel who had applied for or been granted national security clearances.
China and Anthem
The fact that a nation-state, China, was behind the Anthem hack did not diminish the actions of the U.S. Department of Health and Human Services’ Office of Civil Rights, which forced the company to pay $16 million. The payment, a resolution amount, was part of a settlement that eclipsed the previous high of $5.55 million paid to OCR, in 2016. The October 2018 settlement also required Anthem to adopt a corrective action plan (CAP) in which the company would adjust its processes and procedures, to be observed by the HHS/OCR for two years.
China and OPM
The OPM breach of 2015 compromised the content of the U.S. government’s security clearance database, which included the highly sensitive Standard Form 86. The compromised data also included the result of background investigation interviews of family, friends and colleagues. In a nutshell, China has the information the U.S. government uses to determine an individual’s suitability for access to classified information.
The U.S. Department of Justice (DoJ) indictment described the Chinese as “a sophisticated hacking group,” and described techniques such as “… sending of specially tailored ‘spearfishing’ emails with embedded hyperlinks to employees of the victim businesses. After a user accessed the hyperlink, a file was downloaded which, when executed, deployed malware that would compromise the user’s computer system by, in pertinent part, installing a tool known as a backdoor that would provide remote access to that computer system through a server controlled by the defendants.”
In other words, the hook was set within the targeted entity—Anthem and others—when an employee clicked on a spear-phishing email.
China’s Targeting Dossier
It is unknown at this time how many U.S. government employees have a complete targeting package sitting in the archives of the Chinese intelligence community. What we do know is the SF-86, background interviews and health information of an untold number are within that archive.
One can only hope U.S. National Counterintelligence Executive (NCIX) William R. Evanina has directed appropriate defensive action. In this case, the appropriate action would be to compare the identities of those whose personal and family health information was compromised in the China Anthem hack with the list of cleared U.S. government employees whose sensitive personal identifying information has been confirmed as compromised and create a third special issue listing.
Regardless of the number, be it one or 1 million, the NCIX should be putting together a defensive counterintelligence plan of action for those affected—one that doesn’t include the individuals being penalized for OPM’s and Anthem’s failure to protect the sensitive data with which they were entrusted. As every intelligence operations officer (regardless of nationality) knows, when one’s family is in a health crisis, the potential for a given target to be vulnerable to an approach that assists in ameliorating the health crisis is very real. The affected government employees, therefore, deserve to be protected.