China Targeting USG Employees Via Anthem Hack

The recent indictment of two Chinese nationals for the 2015 hack on Anthem, which compromised more than 78 million health records, including those of 4 million U.S. government employees, moves attribution of the intrusion from the theoretical to the factual: China conducted the hack.

In the same period, China also hacked the U.S. Office of Personnel Management (OPM), compromising about 21.5 million records containing the background-investigation histories of personnel who had applied for or been granted national security clearances.

China and Anthem

The fact that a nation-state, China, was behind the Anthem hack did not spare the company from enforcement by the U.S. Department of Health and Human Services' Office for Civil Rights (HHS/OCR), which required it to pay $16 million. That resolution amount, part of an October 2018 settlement, eclipsed the previous record of $5.55 million paid to OCR in 2016. The settlement also required Anthem to adopt a corrective action plan (CAP) under which the company would adjust its processes and procedures, with HHS/OCR monitoring compliance for two years.

China and OPM

The OPM breach of 2015 compromised the content of the U.S. government’s security clearance database, which included the highly sensitive Standard Form 86. The compromised data also included the result of background investigation interviews of family, friends and colleagues. In a nutshell, China has the information the U.S. government uses to determine an individual’s suitability for access to classified information.

DOJ’s Response

The U.S. Department of Justice (DOJ) indictment described the defendants as members of “a sophisticated hacking group,” and described techniques such as “… sending of specially tailored ‘spearfishing’ emails with embedded hyperlinks to employees of the victim businesses. After a user accessed the hyperlink, a file was downloaded which, when executed, deployed malware that would compromise the user’s computer system by, in pertinent part, installing a tool known as a backdoor that would provide remote access to that computer system through a server controlled by the defendants.”

In other words, the hook was set within the targeted entity—Anthem and others—the moment an employee clicked a link in a spear-phishing email and ran the file it delivered; from then on the attackers had remote access through their own command-and-control server.
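The chain the indictment describes (link click from a mail client, file download, execution of that file, outbound connection to an attacker-controlled server) is also the chain a defender can reconstruct from endpoint telemetry. The following is an added example, not code from the original article or from any product named in it: it walks a small set of constructed events per host and reports only those hosts where every link of the chain is present. The event field names, the five-minute click-to-download window, the list of mail-client process names and the sample addresses are all assumptions made for the example.

```python
"""Reconstruct the spear-phish -> download -> execute -> beacon chain from
endpoint telemetry. Added example with constructed events; the field names
are an assumption, not any real EDR product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# RFC 1918 plus loopback count as internal; anything else is treated as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Processes whose link clicks we treat as "clicked from an e-mail" (assumption).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry: ws-a shows the full chain, ws-b downloaded but
# never ran the file, ws-c ran a download that only talked to an internal host.
SAMPLE_EVENTS = [
    {"ts": "2015-01-05T09:01:00", "host": "ws-a", "type": "url_click",
     "proc": "outlook.exe", "url": "http://example.invalid/report"},
    {"ts": "2015-01-05T09:01:08", "host": "ws-a", "type": "file_download",
     "path": "C:\\Users\\u\\Downloads\\report.exe"},
    {"ts": "2015-01-05T09:02:30", "host": "ws-a", "type": "process_start",
     "pid": 4120, "image": "C:\\Users\\u\\Downloads\\Report.exe"},
    {"ts": "2015-01-05T09:02:41", "host": "ws-a", "type": "net_connect",
     "pid": 4120, "dst": "203.0.113.7", "dport": 443},
    {"ts": "2015-01-05T10:00:00", "host": "ws-b", "type": "url_click",
     "proc": "outlook.exe", "url": "http://example.invalid/invoice"},
    {"ts": "2015-01-05T10:00:05", "host": "ws-b", "type": "file_download",
     "path": "C:\\Users\\v\\Downloads\\invoice.exe"},
    {"ts": "2015-01-05T11:00:00", "host": "ws-c", "type": "url_click",
     "proc": "outlook.exe", "url": "http://example.invalid/update"},
    {"ts": "2015-01-05T11:00:03", "host": "ws-c", "type": "file_download",
     "path": "C:\\Users\\w\\Downloads\\update.exe"},
    {"ts": "2015-01-05T11:01:00", "host": "ws-c", "type": "process_start",
     "pid": 900, "image": "C:\\Users\\w\\Downloads\\update.exe"},
    {"ts": "2015-01-05T11:01:05", "host": "ws-c", "type": "net_connect",
     "pid": 900, "dst": "10.0.0.5", "dport": 445},
]


def is_external(dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in INTERNAL)


def find_phish_chains(events, click_to_download=timedelta(minutes=5),
                      download_to_exec=timedelta(hours=24)):
    """Return one record per host where a mail-client link click was followed
    by a download, execution of that download, and an external connection
    from the resulting process."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))

    chains = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        clicks = []      # (ts, url) clicked from a mail client
        downloads = {}   # lower-cased path -> (ts, originating url)
        executed = {}    # pid -> (url, image path) for executed downloads
        for e in evs:
            kind = e["type"]
            if kind == "url_click" and e["proc"].lower() in MAIL_CLIENTS:
                clicks.append((e["ts"], e["url"]))
            elif kind == "file_download":
                recent = [u for ts, u in clicks
                          if timedelta(0) <= e["ts"] - ts <= click_to_download]
                if recent:
                    downloads[e["path"].lower()] = (e["ts"], recent[-1])
            elif kind == "process_start":
                d = downloads.get(e["image"].lower())
                if d and timedelta(0) <= e["ts"] - d[0] <= download_to_exec:
                    executed[e["pid"]] = (d[1], e["image"])
            elif kind == "net_connect" and e["pid"] in executed and is_external(e["dst"]):
                url, path = executed.pop(e["pid"])   # report each chain once
                chains.append({"host": host, "url": url, "file": path,
                               "c2": f'{e["dst"]}:{e["dport"]}'})
    return chains


if __name__ == "__main__":
    for chain in find_phish_chains(SAMPLE_EVENTS):
        print(chain)
```

Only ws-a is reported: ws-b never executed the file and ws-c's process only reached an internal address. Tightening the windows or the mail-client list trades missed chains for false positives, which is why those values are parameters rather than constants.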

China’s Targeting Dossier

It is unknown at this time how many U.S. government employees have a complete targeting package sitting in the archives of the Chinese intelligence community. What we do know is the SF-86, background interviews and health information of an untold number are within that archive.

One can only hope U.S. National Counterintelligence Executive (NCIX) William R. Evanina has directed appropriate defensive action. In this case, the appropriate action would be to compare the identities of those whose personal and family health information was compromised in the Anthem hack against the list of cleared U.S. government employees whose sensitive personal identifying information has been confirmed as compromised in the OPM breach, and to produce a third list of those who appear on both.

Regardless of the number, be it one or one million, the NCIX should be putting together a defensive counterintelligence plan of action for those affected—one that doesn’t penalize individuals for OPM’s and Anthem’s failure to protect the sensitive data with which they were entrusted. As every intelligence operations officer (regardless of nationality) knows, when one’s family is in a health crisis, the potential for a given target to be vulnerable to an approach that offers to ameliorate that crisis is very real. The affected government employees, therefore, deserve to be protected.
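The cross-reference described above is a record-linkage problem: two lists exported by different organizations, with names and dates formatted differently, joined on an identifier that is itself highly sensitive. The following is an added example, not the NCIX's or either agency's actual procedure: it normalizes SSN and date of birth, joins the two constructed lists on a keyed hash of the SSN so the working "third list" never carries raw SSNs, and routes SSN matches with conflicting dates of birth to a review queue instead of silently dropping or accepting them. The field layout, the sample rows and the demonstration key are all assumptions made for the example.

```python
"""Join two breach-notification lists into the 'third list' of cleared
personnel hit by both breaches. Added example with constructed rows; the
field layout is an assumption, not either agency's real export format."""
import hashlib
import hmac
import re
from datetime import datetime

# Constructed sample rows (not real people). Formatting deliberately differs
# between the two lists, as it would between two organizations' exports.
OPM_COMPROMISED = [
    {"name": "DOE, JANE A", "dob": "1978-03-09", "ssn": "123-45-6789"},
    {"name": "Smith, Robert", "dob": "1965-11-20", "ssn": "987-65-4321"},
    {"name": "Lee, Kim", "dob": "1982-07-01", "ssn": "555-12-3456"},
]
ANTHEM_AFFECTED = [
    {"name": "Jane Doe", "dob": "03/09/1978", "ssn": "123456789"},     # same person
    {"name": "Robert Smith", "dob": "11/20/1966", "ssn": "987654321"},  # SSN matches, DOB conflicts
    {"name": "Pat Jones", "dob": "12/12/1990", "ssn": "111223333"},     # Anthem only
]

# Demonstration key only (assumption). In practice the matching key would live
# in an HSM or KMS, because whoever holds it can re-identify the token list.
DEMO_KEY = b"matching-service-key-for-example-only"


def normalize_ssn(ssn: str) -> str:
    """Strip separators; reject anything that is not exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError(f"malformed SSN: {ssn!r}")
    return digits


def normalize_dob(dob: str) -> str:
    """Accept ISO (YYYY-MM-DD) or US (MM/DD/YYYY) dates; return ISO."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(dob, fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {dob!r}")


def token(ssn_digits: str, key: bytes) -> str:
    """Keyed, non-reversible stand-in for the SSN used as the join key."""
    return hmac.new(key, ssn_digits.encode(), hashlib.sha256).hexdigest()[:16]


def index_by_token(records, key: bytes) -> dict:
    out = {}
    for r in records:
        t = token(normalize_ssn(r["ssn"]), key)
        out[t] = {"token": t, "name": r["name"], "dob": normalize_dob(r["dob"])}
    return out


def cross_reference(cleared_compromised, health_compromised, key: bytes):
    """Return (matched, needs_review): matched entries agree on SSN and DOB;
    needs_review entries share an SSN but not a DOB (typo or wrong person)."""
    cleared = index_by_token(cleared_compromised, key)
    health = index_by_token(health_compromised, key)
    matched, needs_review = [], []
    for t, c in cleared.items():
        h = health.get(t)
        if h is None:
            continue
        entry = {"token": t, "name": c["name"]}
        (matched if h["dob"] == c["dob"] else needs_review).append(entry)
    return matched, needs_review


if __name__ == "__main__":
    matched, review = cross_reference(OPM_COMPROMISED, ANTHEM_AFFECTED, DEMO_KEY)
    print("on both lists:", [m["name"] for m in matched])
    print("needs review:", [r["name"] for r in review])
```

The review queue matters because a conflicting date of birth on an otherwise matching SSN is exactly the kind of record that gets thrown away by a naive join, and the person behind it is no less exposed. The resulting third list is itself a concentrated targeting aid, which is the argument for joining on keyed tokens and keeping the key out of the list's storage.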

Security Boulevard

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.
