On May 9, 2019, a federal grand jury unsealed an indictment of two members of a Chinese hacking group charged with a series of computer intrusions, including their involvement in the 2015 data breach at Anthem Inc., which affected the data of over 78 million people.
In an announcement by the Justice Department’s Criminal Division, the FBI’s Cyber Division, and the U.S. Attorney for the Southern District of Indiana (the state where Anthem is headquartered), the FBI announced that the four-count indictment alleges that Fujie Wang and other members of the hacking group, including one individual charged as John Doe, conducted a campaign of intrusions into U.S.-based computer systems, including Anthem’s systems and those of three other businesses, in activity dating back to February 2014.
While the indictment does not name the three other businesses, the FBI noted that the attacks targeted four distinct sectors: healthcare, technology, basic materials, and communications.
The indictment alleges that the actors used sophisticated techniques to hack into the victim businesses, then installed malware and other tools to further compromise the networks and steal personally identifiable information and confidential business information.
According to the indictment, the actors would send employees targeted spear-phishing emails with embedded links, which would introduce malware into the victim systems and allow the attackers to install a backdoor, providing them with remote access into the systems. The attackers would then conduct reconnaissance, often over the course of several months. In the case of Anthem, the indictment notes that the actors accessed the network for the purpose of conducting reconnaissance on Anthem’s ‘enterprise data warehouse,’ a system that stores a large amount of personal information. The actors would then collect files using software tools, place the data into encrypted archive files, and send the data back to China. Following exfiltration, the actors would then delete the encrypted archive files from the computer networks in order to reduce any evidence of the intrusion.
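The staging, exfiltration and cleanup sequence described above (archive the data, send it out, delete the archive) is a pattern defenders can correlate across endpoint logs. The following is an added example, not code from the article, the indictment or any of the parties named in it. The event format, the host names, the archiver names and the 100 MB / six-hour thresholds are constructed assumptions; a real EDR or SIEM would supply its own schema and the thresholds would be tuned to the environment.

```python
"""Correlate endpoint events for the archive -> large outbound transfer -> delete
sequence. Added example; log format and field names are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event kind, detail).
# dw-srv-01 shows the full sequence; ws-112 is benign background activity.
SAMPLE_EVENTS = [
    ("2015-01-10T02:14:05", "dw-srv-01", "process",
     "7z.exe a -p**** C:\\Temp\\db.7z C:\\Data\\export"),
    ("2015-01-10T02:41:12", "dw-srv-01", "netconn", "out 203.0.113.7:443 bytes=734003200"),
    ("2015-01-10T03:05:40", "dw-srv-01", "file_delete", "C:\\Temp\\db.7z"),
    ("2015-01-10T09:00:00", "ws-112", "process",
     "7z.exe a C:\\Users\\a\\notes.7z C:\\Users\\a\\notes"),
    ("2015-01-11T09:30:00", "ws-112", "file_delete", "C:\\Users\\a\\notes.7z"),
]

ARCHIVE_TOOLS = ("7z.exe", "rar.exe", "winrar.exe")   # assumption: archivers of interest
WINDOW = timedelta(hours=6)                           # assumption: correlation window
LARGE_TRANSFER = 100 * 1024 * 1024                   # assumption: bytes out worth flagging


def parse(event):
    ts, host, kind, detail = event
    return datetime.fromisoformat(ts), host, kind, detail


def archive_path(detail):
    """Return the archive file named on an archiver command line, or None."""
    tokens = detail.split()
    if not tokens or tokens[0].lower() not in ARCHIVE_TOOLS:
        return None
    for tok in tokens[1:]:
        if tok.lower().endswith((".7z", ".rar", ".zip")):
            return tok
    return None


def password_flag(detail):
    """True if the archiver was invoked with a password switch (7-Zip/RAR style -p)."""
    return any(tok.startswith("-p") for tok in detail.split()[1:])


def outbound_bytes(detail):
    """Extract the byte count from a constructed 'netconn' detail string."""
    for tok in detail.split():
        if tok.startswith("bytes="):
            return int(tok[len("bytes="):])
    return 0


def correlate(events):
    """Return one alert per archive that is created, followed within WINDOW by
    at least LARGE_TRANSFER bytes outbound and by deletion of that same archive."""
    by_host = defaultdict(list)
    for e in events:
        ts, host, kind, detail = parse(e)
        by_host[host].append((ts, kind, detail))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (ts, kind, detail) in enumerate(evs):
            if kind != "process":
                continue
            path = archive_path(detail)
            if not path:
                continue
            later = [x for x in evs[i + 1:] if x[0] - ts <= WINDOW]
            sent = sum(outbound_bytes(d) for _, k, d in later if k == "netconn")
            deleted = any(k == "file_delete" and d == path for _, k, d in later)
            if sent >= LARGE_TRANSFER and deleted:
                alerts.append({
                    "host": host,
                    "archive": path,
                    "encrypted": password_flag(detail),
                    "bytes_out": sent,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it flags only dw-srv-01, because ws-112 never sends a large transfer and its delete falls outside the window. The password flag is recorded rather than required, since an attacker can encrypt the archive in other ways; the staging-then-cleanup sequence is the more durable signal.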
Notably, the indictment is one of several from DOJ in recent months against Chinese nationals alleged to have been involved in attacks on American companies. However, unlike several of the previous indictments, the most recent indictment does not mention any connection to the Chinese state government, and instead only mentions that the attackers were part of a sophisticated China-based hacking group.