“Amazing”, “extreme”, “one of the coolest things I’ve ever seen.” These were the words of a cyber forensics expert who was tasked with investigating the biggest breach of an insurance company in history. In that order, the words describe the operational security, stealth tactics, and malware engineering of the group that stole the personal information of almost 79 million policyholders in the US in 2015. The forensic team claims that 1000 machines were infected, and that roughly 7000 MD5 hashes (unique file fingerprints) were attributed to the constantly changing malware used to conduct the breach. The details of this breach show that the insurance sector has become a particularly attractive target for well-resourced and highly skilled cybercriminals.
One aspect of the insurance sector that makes it vulnerable to cyber attacks is its widely distributed and interconnected nature. Insurers are often connected to financial service organisations, brokers, other insurers, and policyholders. This makes the attack surface for an insurance firm dangerously high, and reaffirms the adage: the whole is as strong as its weakest part. Shared systems, processes and personnel that contain vulnerabilities can leave an insurance firm’s vital data exposed.
On a related note, research by the International Association of Insurance Supervisors (IAIS) indicates that security practices in many of its members’ IT infrastructures are inadequate. The report claims that many insurance organisations lack a clear understanding of the intricacies of their infrastructure and of the flow of data between their “IT systems, applications, and components”. If data flows from a system with strong protection to a system with weak protection, that information is only as safe as the weaker system.
The report refers to other frailties in insurance firms’ security practices, the most glaring of which is a disregard for appropriate user access controls. This includes granting certain accounts a high level of privileged access where it is not necessary, and failing to recognise when an account no longer needs those privileges (both of which open the door to insider attacks).
Not only this, but the IAIS also noticed an improper use of “superuser” accounts. These are the Holy Grail for cyber criminals attempting to gain access to the most precious of data held by an organisation. These accounts give the user complete control over the entire system, including access to all data storage, and the ability to delete log files (to mask criminal activity) and disable security measures.
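The two access-control weaknesses just described (privileges no role justifies, and privileges that are kept long after they stop being used) are exactly what a periodic entitlement review is meant to catch. The following is an added example, not code from the article or from the IAIS report: it runs such a review over a constructed account inventory. The role-to-entitlement map, the 90-day staleness threshold, the set of rights treated as "superuser", and every account in the sample are assumptions made for the illustration.

```python
"""Privileged-access review over a constructed account inventory.

Added illustration; the policy map, threshold and accounts below are
assumptions, not data from the article or any real organisation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed entitlement policy: which job roles legitimately need which
# privileged rights. Any right outside this map is unjustified for the role.
ROLE_ENTITLEMENTS = {
    "dba": {"db_admin"},
    "sysadmin": {"root", "log_admin"},
    "claims_clerk": set(),
    "underwriter": set(),
}
# Rights that give total control of a system (the "superuser" case).
SUPERUSER_RIGHTS = {"root", "domain_admin"}
# A privileged right nobody has exercised for this long is treated as stale.
STALE_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    role: str
    rights: set
    # Date each right was last exercised; a missing key means never used.
    last_used: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    account: str
    right: str
    reason: str
    severity: str


def review(accounts, today):
    """Return one Finding per problem: a right the account's role does not
    justify, or a right that has not been used within STALE_AFTER."""
    findings = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct.role, set())
        for right in sorted(acct.rights):
            severity = "critical" if right in SUPERUSER_RIGHTS else "high"
            if right not in allowed:
                findings.append(Finding(acct.name, right,
                                        "not justified by role", severity))
            used = acct.last_used.get(right)
            if used is None:
                findings.append(Finding(acct.name, right, "never used", severity))
            elif today - used > STALE_AFTER:
                days = (today - used).days
                findings.append(Finding(acct.name, right,
                                        f"unused for {days} days", severity))
    return findings


# Constructed inventory (not real accounts).
TODAY = date(2015, 2, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "dba", {"db_admin"},
            {"db_admin": TODAY - timedelta(days=3)}),
    Account("bob", "claims_clerk", {"db_admin"},
            {"db_admin": TODAY - timedelta(days=2)}),
    Account("carol", "sysadmin", {"root", "log_admin"},
            {"root": TODAY - timedelta(days=10),
             "log_admin": TODAY - timedelta(days=200)}),
    Account("dave", "underwriter", {"domain_admin"}),  # never used at all
]

if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"[{f.severity}] {f.account}: {f.right} - {f.reason}")
```

On the sample data the review is silent about alice (a DBA who uses her DBA right), flags bob's database-admin right as unjustified for a claims clerk, flags carol's log-admin right as stale after 200 days of non-use, and raises two critical findings for dave, an underwriter holding a domain-admin right that has never been exercised. Feeding the function a real export of accounts, rights and last-use dates is the practical step; the two questions it asks are the ones the IAIS report says many insurers are not asking.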
Indeed, the cyber criminals that breached Anthem accessed millions of records specifically because they could escalate their privileges to a level that granted them access to the company’s “enterprise data warehouse”, where Anthem stored a large amount of personally identifiable information (PII). It is highly likely that they used additional tools to help them escalate privileges; however, it is also likely that they exploited unnecessarily high privileges assigned to users.
Anthem attack timeline:
In addition to the security vulnerabilities that come from a highly interconnected industry, the real vulnerability comes from the value of the data held by insurance firms. Firms collect, process, and store large amounts of information on policyholders, other insurers, etc., which is likely to include banking information, and other confidential details. As a health insurer, the records stolen from Anthem included social security numbers, policy details, and health issues. In the wrong hands, this information gives rise to the possibility of extortion, fraud, identity theft, and ammunition for spear-phishing attacks.
Naturally, when thinking about large stockpiles of confidential data, one cannot help but raise the prospect of ransomware and the kind of damage it can do to an organisation, either reputationally or financially. If an attacker could exploit the weaknesses stated above and spread ransomware to core repositories of data, including backups, the potential pay-out could be huge.
Information held by insurance firms on their higher-profile clients may also be an attractive target for foreign and domestic competitors. Business information and details regarding intellectual property, which insurance firms require in order to offer a policy, may be highly valuable to a competitor. On a related note, underwriting a cyber insurance policy will undoubtedly require the client to divulge the inner workings of its networks, which would be highly beneficial to any attacker seeking to compromise that client’s systems.
With trust being the cornerstone of the insurance sector, a cyber attack could severely damage the reputation of a firm. If a malicious foreign power was seeking to undermine confidence in insurance services in a country, an attack that leaks sensitive client information could ruin a firm’s long term prospects. Anthem’s share price fell sharply following the news of the breach, and the damage caused has been described as “irreversible”.
Cyber criminals will follow the path of least resistance when attacking an organisation. Moreover, unless your firm is deemed to be an extremely valuable target, it is unlikely to be the only target on a list – your clients could be targeted too. If you can understand the tactics, techniques and procedures of cyber criminals and even nation state actors, you will be able to better bolster the IT defences of your company.
The attack on Anthem began the same way as most cyber breaches: via a phishing email. Part of the problem thus boils down to human awareness. Intelligence programmes not only highlight your digital footprint and threat actors’ capabilities, but also, if disseminated correctly, can raise employee awareness, and strengthen the first line of defence against cyber intrusions.