An unprecedented attack on the second-largest U.S. health insurance company may have started in April 2014, much earlier than previously thought.
An analysis published Monday by noted cybersecurity expert and journalist Brian Krebs digs deeper into allegations that the Anthem attack was conducted by a state-sponsored Chinese hacker group known by U.S. experts as “Deep Panda.”
By tracing the tools, Internet addresses and domain names associated with the group, Krebs discovered a pattern of connections that suggests “Deep Panda” was creating subdomains as early as April 2014 to mimic pieces of Anthem’s Web network.
At the time, Anthem was called Wellpoint. The investigation by Krebs and others discovered a series of connected domain names that appear to imitate actual Wellpoint sites, including we11point.com and myhr.we11point.com.
“We were able to verify that the evil we11point infrastructure is constructed to masquerade as legitimate Wellpoint infrastructure,” Rich Barger, chief information officer for security firm ThreatConnect, told Krebs’s blog, “Krebs on Security.”
That these sites were under construction as early as last April raises questions about why it took nine months for Anthem to say it had discovered the hack. At the same time, it is not unusual for companies not to realize their systems have been breached for months at a time.
The Anthem attack appears to have compromised the personal data, including Social Security numbers, of as many as 80 million people.