ChiCom Hacker Indicted In Anthem Insurance Breach Involving 78 Million People

May 13, 2019 - San Francisco, CA - A federal grand jury returned an indictment unsealed on May 9 in Indianapolis, Indiana. Charged was a Chinese national, part of an extremely sophisticated hacking group operating in China and targeting large businesses in the United States, including a computer intrusion and data breach of Indianapolis-based health insurer Anthem Inc. (Anthem).

Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Josh Minkler for the Southern District of Indiana, Assistant Director Matt Gorham of the FBI’s Cyber Division and Special Agent in Charge Grant Mendenhall of the FBI’s Indianapolis Field Office made the announcement.

The four-count indictment alleges that Fujie Wang (王福杰 in Chinese Hanzi), 32, and other members of the hacking group, including another individual charged as John Doe, conducted a campaign of intrusions into U.S.-based computer systems.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their PII. The Department of Justice and our law enforcement partners are committed to protecting PII, and will aggressively prosecute perpetrators of hacking schemes like this, wherever they occur…This case is significant not only because it showcases the FBI’s cyber investigative capabilities, but also because it highlights the importance of FBI and private industry relationships.”

The indictment further alleges that the defendants then collected files and other information from the compromised computers and then stole this data. As part of the computer intrusion and data breach of Anthem, the defendants identified and ultimately stole data concerning approximately 78.8 million persons from Anthem’s computer network, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment.

Wang and Doe are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

The indictment further alleges that once the data of interest had been identified and located, the defendants then collected the relevant files and other information from the compromised computers using software tools. The defendants then allegedly stole the data of interest by placing it into encrypted archive files and then sending it through multiple computers to destinations in China. The indictment alleges that on multiple occasions in January 2015, the defendants accessed the computer network of Anthem, accessed Anthem’s enterprise data warehouse, and transferred encrypted archive files containing PII from Anthem’s enterprise data warehouse from the United States to China.

Finally, the defendants allegedly then deleted the encrypted archive files from the computer networks of the victim businesses, in an attempt to avoid detection. In late January 2015, the defendants deleted certain archive files containing PII that they had previously transferred from Anthem’s enterprise data warehouse.

Defendant Wang is specifically alleged to have controlled two domain names connected to the criminal activity. According to the indictment, one of these domain names was associated with a backdoor used in the intrusion victimizing Victim Business 1, and the other was associated by Wang with a server used to create an email account used to conduct spearphishing attacks against employees of Victim Business 3.

This case was investigated by the FBI’s Indianapolis Field Office. Senior Counsel William A. Hall, Jr. of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney and Deputy Chief of the General Crimes Unit Steven D. DeBrota of the Southern District of Indiana are prosecuting the case. Significant assistance was provided by the Justice Department’s National Security Division and the Criminal Division’s Office of International Affairs.
