The China-based hackers suspected of pilfering 4 million federal employees’ records were also behind the mammoth cyberattacks on health insurers Anthem and Premera Blue Cross, according to researchers.
Before the Office of Personnel Management (OPM) hack was revealed Thursday, security firm iSight had already noticed technical indicators showing that the group might also have OPM on its radar. Researchers have since identified strategic similarities between the incidents.
{mosads}The attacks are all part of a broad digital espionage campaign focused not on making a quick buck but on gathering data on high-level U.S. officials. Many researchers and government officials suspect Beijing is orchestrating the scheme.
“We believe that they’re taking this data as a means to an end,” said John Hultquist, iSight’s the senior manager of online espionage threat intelligence, who declined to blame China for the hacks. “It’s a means to getting more strategic information or gaining access to other places.”
The cyberattack that felled Anthem exposed 80 million customers’ data, including Social Security numbers, the largest healthcare data breach to date. Weeks later, another breach at Premera Blue Cross laid bare another 12 million peoples’ records.
But investigators believed the motives were less about gathering troves of data to sell on the dark Web and more about gathering intel on valuable espionage targets, such as defense contractors and government workers.
Notably, the leaked Anthem and Premera data has not really been monetized on the dark Web, Hultquist said.
Instead, the hackers may have wanted to use that data to access those individuals’ sensitive accounts or to craft realistic looking emails with malicious links to target officials with so-called “phishing” attacks.
“They may have the information to impersonate them or may be even able to exploit them based on the fact that they have some sensitive information,” Hultquist said.
He sees the same pattern emerging in the OPM breach, which also exposed personally identifiable information.
“They have a tremendous amount of stepping stones they can use for further activity,” he said.
But what exactly that further activity is remains to be seen.
The hackers could even use the pilfered data to send fake, malware-laden breach notification emails to the victims of the OPM intrusion. The agency said it would start sending out notifications next week.
“Very possible,” Hultquist said.