{
	"id": "ad24a4a8-6bbd-4fa8-a08c-5f163695a446",
	"created_at": "2026-04-06T00:10:41.300008Z",
	"updated_at": "2026-04-10T03:33:56.207368Z",
	"deleted_at": null,
	"sha1_hash": "02579039d868b3f0da05459afa6740c452d0f86c",
	"title": "Anthem Breach May Have Started in April 2014",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 746164,
	"plain_text": "Anthem Breach May Have Started in April 2014\r\nPublished: 2015-02-13 · Archived: 2026-04-02 10:34:52 UTC\r\nAnalysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social\r\nSecurity numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have\r\nfirst gained a foothold in April 2014, nine months before the company says it discovered the intrusion.\r\nThe Wall Street Journal reported last week that security experts involved in the ongoing forensics investigation\r\ninto the breach say the servers and attack tools used in the attack on Anthem bear the hallmark of a state-sponsored Chinese cyber espionage group known by a number of names, including “Deep Panda,” “Axiom,”\r\n“Group 72,” and the “Shell_Crew,” to name but a few.\r\nDeep Panda is the name given to this group by security firm CrowdStrike. In November 2014, CrowdStrike\r\npublished a snapshot of a graphic showing the malware and malicious Internet servers used in what security\r\nexperts at PriceWaterhouseCoopers dubbed the ScanBox Framework, a suite of tools that have been used to\r\nlaunch a number of cyber espionage attacks.\r\nA Maltego transform published by CrowdStrike. 
The graphic is intended to illustrate some tools and Internet\r\nservers thought to be closely tied to a Chinese cyber espionage group that CrowdStrike calls “Deep Panda.”\r\nCrowdStrike’s snapshot (produced with the visualization tool Maltego) lists many of the tools the company has\r\ncome to associate with activity linked to Deep Panda, including a password stealing Trojan horse program called\r\nDerusbi, and an Internet address — 198[dot]200[dot]45[dot]112.\r\nhttps://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/\r\nPage 1 of 6\n\nCrowdStrike’s image curiously redacts the resource tied to that Internet address (note the black box in the image\r\nabove), but a variety of open source records indicate that this particular address was until very recently the home\r\nfor a very interesting domain: we11point.com. The third and fourth characters in that domain name are the\r\nnumeral one, but it appears that whoever registered the domain was attempting to make it look like “Wellpoint,”\r\nthe former name of Anthem before the company changed its corporate name in late 2014.\r\nWe11point[dot]com was registered on April 21, 2014 to a bulk domain registration service in China. Eight\r\nminutes later, someone changed the site’s registration records to remove any trace of a connection to China.\r\nIntrigued by the fake Wellpoint domains, Rich Barger, chief information officer for Arlington, Va. security\r\nfirm ThreatConnect Inc., dug deeper into so-called “passive DNS” records — historic records of the mapping\r\nbetween numeric Internet addresses and domain names. That digging revealed a host of other subdomains tied to\r\nthe suspicious we11point[dot]com site. 
In the process, Barger discovered that these subdomains\r\n— including myhr.we11point[dot]com, and hrsolutions.we11point[dot]com – mimicked components of Wellpoint’s\r\nactual network as it existed in April 2014.\r\n“We were able to verify that the evil we11point infrastructure is constructed to masquerade as legitimate Wellpoint\r\ninfrastructure,” Barger said.\r\nAnother fishy subdomain that Barger discovered was extcitrix.we11point[dot]com. The “citrix” portion of that\r\ndomain likely refers to Citrix, a software tool that many large corporations commonly use to allow employees\r\nremote access to internal networks over a virtual private network (VPN).\r\nInterestingly, that extcitrix.we11point[dot]com domain, first put online on April 22, 2014, was referenced in a\r\nmalware scan from a malicious file that someone uploaded to malware scanning service Virustotal.com.\r\nAccording to the writeup on that malware, it appears to be a backdoor program masquerading as Citrix VPN\r\nsoftware. 
The malware is digitally signed with a certificate issued to an organization called DTOPTOOLZ Co.\r\nAccording to CrowdStrike and other security firms, that digital signature is the calling card of the Deep Panda\r\nChinese espionage group.\r\nCONNECTIONS TO OTHER VICTIMS?\r\nAs noted in a story in HealthITSecurity.com, Anthem has been sharing information about the attack with the\r\nHealth Information Trust Alliance (HITRUST) and the National Health Information Sharing and Analysis\r\nCenter (NH-ISAC), industry groups whose mission is to disseminate information about cyber threats to the\r\nhealthcare industry.\r\nA news alert published by HITRUST last week notes that Anthem has been sharing so-called “indicators of\r\ncompromise” (IOCs) — Internet addresses, malware signatures and other information associated with the breach.\r\n“It was quickly determined that the IOCs were not found by other organizations across the industry and this attack\r\nwas targeted a specific organization,” HITRUST wrote in its alert. “Upon further investigation and analysis it is\r\nbelieved to be a targeted advanced persistent threat (APT) actor. With that information, HITRUST determined it\r\nwas not necessary to issue a broad industry alert.”\r\nAn alert released by the Health Information Trust Alliance (HITRUST) about the APT attack on Anthem.\r\nBut a variety of data points suggest that the same infrastructure used to attack Anthem may have been\r\nleveraged against a Reston, Va.-based information technology firm that primarily serves the Department of\r\nDefense.\r\nA writeup on a piece of malware that Symantec calls “Mivast” was produced on Feb. 6, 2015. It describes a\r\nbackdoor Trojan that Symantec says may call out to one of a half-dozen domains, including the aforementioned\r\nextcitrix.we11point[dot]com domain and another — sharepoint-vaeit.com. 
Other domains on the same server\r\ninclude ssl-vaeit.com, and wiki-vaeit.com. Once again, it appears that we have a malware sample calling home to\r\na domain designed to mimic the internal network of an organization — most likely VAE Inc. (whose legitimate\r\ndomain is vaeit.com).\r\nBarger and his team at ThreatConnect discovered that the sharepoint-vaeit.com domain also was tied to a malware\r\nsample made to look like it was VPN software made by networking giant Juniper. That malware was created in\r\nMay 2014, and was also signed with the DTOPTOOLZ Co. digital certificate that CrowdStrike has tied to Deep\r\nPanda.\r\nIn response to an inquiry from KrebsOnSecurity, VAE said it detected a targeted phishing attack in May 2014 that\r\nused malware which phoned home to those domains, but the company said it was not aware of any successful\r\ncompromise of its users.\r\nIn any case, the Symantec writeup on Mivast also says the malware tries to contact the Internet address\r\n192[dot]199[dot]254[dot]126, which resolved to just one Web domain: topsec2014[dot]com. That domain was\r\nregistered on May 6, 2014 to a bulk domain reseller who immediately changed the registration records and\r\nassigned the domain to the email address topsec_2014@163.com. That address appears to be the personal email\r\nof one Song Yubo, a professor with the Information Security Research Center at the Southeast University in\r\nNanjing, Jiangsu, China.\r\nYubo and his university were named in a March 2012 report, “Occupying the Information High Ground: Chinese\r\nCapabilities for Computer Network Operations and Cyber Espionage,” (PDF) produced by U.S. defense\r\ncontractor Northrop Grumman Corp. 
for the U.S.-China Economic and Security Review Commission.\r\nAccording to the report, Yubo’s center is one of a handful of civilian universities in China that receive funding\r\nfrom the Chinese government to conduct sensitive research and development with information security and\r\ninformation warfare applications.\r\nANALYSIS\r\nOf course, it could well be that this is all a strange coincidence, and/or that the basic information on Deep Panda is\r\nflawed. But that seems unlikely given the number of connections and patterns emerging in just this small data set.\r\nIt’s remarkable that the security industry so seldom learns from past mistakes. For example, one of the more\r\nconfounding and long-running problems in the field of malware detection and prevention is the proliferation of\r\nvarying names for the same threat. We’re seeing this once again with the nicknames assigned to various\r\ncyberespionage groups (see the second paragraph of this story for examples).\r\nIt’s also incredible that so many companies could see the outlines of a threat against such a huge target, and that it\r\ntook until just this past week for the target to become aware of it. For its part, ThreatConnect tweeted about its\r\nfindings back in November 2014, and shared the information out to its user base.\r\nCrowdStrike declined to confirm whether the resource blanked out in the above pictured graphic from November\r\n2014 was in fact we11point[dot]com.\r\n“What I can tell you is that this domain is a Deep Panda domain, and that we always try to alert victims whenever\r\nwe discover them,” said Dmitri Alperovitch, co-founder of CrowdStrike.\r\nAlso, it’s myopic for an industry information sharing and analysis center (ISAC) to decide not to share indicators\r\nof compromise with other industry ISACs, let alone its own members. 
This should not be a siloed effort.\r\nSomehow, we need to figure out a better — more timely way — to share threat intelligence and information across\r\nindustries.\r\nPerhaps the answer is crowdsourcing threat intelligence, or maybe it’s something we haven’t thought of yet. But\r\none thing is clear: there is a yawning gap between the time it takes for an adversary to compromise a target and the\r\nlength of time that typically passes before the victim figures out they’ve been had.\r\nThe most staggering and telling statistic included in Verizon’s 2014 Data Breach Investigations Report (well worth\r\na read) is the graphic showing the difference between the “time to compromise” and the “time to discovery.”\r\nTL;DR: That gap is not improving, but instead is widening.\r\nThen again, maybe this breach at Anthem isn’t as bad as it seems. After all, if the above data and pundits are to be\r\nbelieved, the attackers were likely looking for a needle in a haystack — searching for data on a few individuals\r\nthat might give Chinese spies a way to better siphon military technology or infiltrate some U.S. defense program.\r\nPerhaps, as Barger wryly observed, the Anthem breach was little more than the product of a class assignment —\r\nalbeit an expensive and aggravating one for Anthem and its 80 million affected members. In May 2014, the\r\naforementioned Southeast University Professor Song Yubo posted a “Talent Cup” tournament challenge to his\r\ninformation security students.\r\n“Just as the OSS [Office of Strategic Services] and CIA used professors to recruit spies, it could be that this was\r\nall just a class project,” Barger mused.\r\nSource: https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/"
	],
	"report_names": [
		"anthem-breach-may-have-started-in-april-2014"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02579039d868b3f0da05459afa6740c452d0f86c.pdf",
		"text": "https://archive.orkl.eu/02579039d868b3f0da05459afa6740c452d0f86c.txt",
		"img": "https://archive.orkl.eu/02579039d868b3f0da05459afa6740c452d0f86c.jpg"
	}
}