{
	"id": "6c01ba75-3da3-4de6-9800-dbaa60b444f7",
	"created_at": "2026-04-06T00:19:16.123033Z",
	"updated_at": "2026-04-10T03:33:22.388592Z",
	"deleted_at": null,
	"sha1_hash": "0383b78d3a8e9951a9124ea85a3e083606a94f11",
	"title": "The Anthem Hack: All Roads Lead to China | ThreatConnect",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3076583,
	"plain_text": "The Anthem Hack: All Roads Lead to China | ThreatConnect\r\nBy ThreatConnect\r\nPublished: 2015-02-27 · Archived: 2026-04-05 19:34:51 UTC\r\nWhen news of the Anthem breach was reported on February 4th, 2015, the security industry quite understandably\r\nwent wild. A breach of this magnitude was certainly unprecedented.  Naturally, many industry professionals were\r\nkeenly interested in digging into this incident to see what could be uncovered, and the research team at\r\nThreatConnect was no exception.  Thanks to our powerful API and third-party partner integrations, we were able\r\nto use ThreatConnect to quickly uncover a wealth of intelligence even when initially hindered by a relative lack of\r\ninvestigative lead information and context, a key requirement of any Threat Intelligence Platform (TIP). However,\r\nbefore we delve into what we were able to uncover, let’s briefly review the facts as they stood in the wake of the\r\ninitial discovery announcement.\r\nWhat We Know:                                                                                                                \r\n                                    \r\nOn the morning of February 4th, 2015, several major news outlets broke the story that Anthem, Inc.’s\r\nnetwork defenses had been breached. According to a statement from Anthem’s CEO, the company fell\r\nvictim to a “very sophisticated external cyber attack,” and the hackers “obtained” the personally\r\nidentifiable information (PII) of approximately 80M customers.  This included social security numbers,\r\nbirthdays, street addresses, phone numbers and income data – plenty of information to enable identity\r\ntheft. This was a significant event for several reasons:\r\nAnthem, formerly known as Wellpoint, is the largest managed healthcare company in the Blue Cross Blue\r\nShield Association, and by extension, one of the largest healthcare organizations in the United States.  
As\r\nsuch, any compromise, no matter how insignificant, would likely impact countless individuals.\r\nBlue Cross Blue Shield provides healthcare coverage for about half the U.S. federal workforce.  This\r\nmeans that their information was potentially compromised too.\r\nUnlike the Sony hack which was destructive in nature and meant to send a message for coercive purposes,\r\nthe Anthem compromise was purportedly very covert, a fact which may suggest something about the\r\nadversary’s motives.\r\nAs of late February 2015, there have not been any indications that the exfiltrated PII data was immediately\r\ncommoditized on the black market for the purpose of enabling identity theft, as was the case in the Home\r\nDepot Breach.\r\nFilling the Gaps:\r\nObviously, these high-level observations do not provide cybersecurity researchers a great deal of information to\r\nwork with. However, when presented within the context of a Threat Intelligence Platform (TIP), an incomplete\r\nhttps://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/\r\nPage 1 of 16\n\ntrail of evidence can highlight intelligence gaps, a study of which can orient threat researchers towards their\r\nanalytic objectives.  To this end, let’s examine what we wanted to discover in the context of the Anthem breach:\r\nWho was responsible for the attack?\r\nWhat was the objective of the attack?  Was it cyber theft, an espionage operation, or something different?\r\nWho was targeted in the attack?  The answer to this question, obscured as it may be, would likely shed\r\nsome light on the objective of the breach.\r\nWhat was the timeline of the activity?\r\nThe real power of a Threat Intelligence Platform is demonstrated when you are able to collect and maintain a\r\nrobust dataset of threat indicators, both past and present, which can help orient you in the right direction in the\r\nwake of a newly discovered breach.  
Even when you do not have a good deal of information to start with (for\r\nexample a file hash, or an IP address), you may find leads by pivoting through archived datasets until you uncover\r\nkey pieces of the puzzle. In the case of the Anthem breach, we were able to do just that.\r\nAnthem Themed Infrastructure \u0026 Signed Malware:\r\nIn September 2014, the ThreatConnect Research Team observed a variant of the Derusbi APT malware family,\r\nMD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which carried a valid code-signing signature from the Korean\r\ncompany DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated\r\nexclusively with Chinese APT. ThreatConnect Research began tracking the DTOPTOOLZ signature for additional\r\nsigned malware samples and memorialized them within our Threat Intelligence Platform over time.\r\nAnalyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean adware that is\r\naffiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is\r\nabusing the same digital signature.\r\nLater, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ\r\nsignature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka Sakurel)\r\nfamily of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the\r\nmalicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our\r\nFarsight Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in\r\nsuch a way to impersonate the legitimate Wellpoint IT infrastructure (note the digit “1” standing in for the\r\nletter “l” in “we11point”).\r\nPassive DNS and historic DomainTools Whois data also provided insights that helped establish an initial timeline\r\ndating back to April 2014, when the faux domains came into existence and were later operationalized by the\r\nattackers. 
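The character-substitution lookalikes described above (a digit 1 for the letter l in we11point, and, as seen later in this write-up, nn for m in prennera and a lure keyword prepended to the brand) can be hunted for in DNS query logs. The Python below is an added example and not ThreatConnect's tooling: the brand list, the substitution table, the lure keywords and the log lines are constructed for illustration, and it assumes registrable domains are the last two labels (no multi-part public suffixes). It generalizes slightly beyond the text by also catching a brand name joined to a keyword with a hyphen.

```python
# Added example (not ThreatConnect's code): hunt DNS query logs for
# character-substitution lookalikes of a short brand list.
# Brands, substitution table, lure keywords and the log lines below are
# constructed for illustration. Assumes registrable domains are the last
# two labels (no multi-part public suffixes such as co.uk).

BRANDS = ['wellpoint.com', 'premera.com', 'vaeit.com']

# Visually similar sequence -> the letter it imitates. Multi-character
# rules run first so that 'nn' becomes 'm' before '1' becomes 'l'.
SUBSTITUTIONS = [('nn', 'm'), ('rn', 'm'), ('vv', 'w'), ('1', 'l'), ('0', 'o')]

# Keywords that reveal what the lure pretends to be.
THEMES = [('citrix', 'remote access'), ('vpn', 'remote access'),
          ('owa', 'webmail'), ('mail', 'webmail'),
          ('sharepoint', 'collaboration'), ('hr', 'human resources')]


def canonical(label):
    # Collapse every substitution so a lookalike and its target compare equal.
    # Applied to both sides, so a brand that really contains 'nn' still matches itself.
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def split_name(fqdn):
    # -> (registrable domain, list of subdomain labels)
    parts = fqdn.lower().rstrip('.').split('.')
    return '.'.join(parts[-2:]), parts[:-2]


def lure_theme(labels):
    for label in labels:
        for keyword, theme in THEMES:
            if keyword in label:
                return theme
    return 'none'


def match_brand(fqdn, brands=BRANDS):
    # Return the brand a name imitates, or None for the brand's own names
    # and for names that imitate nothing on the list.
    domain, _ = split_name(fqdn)
    if domain in brands:
        return None
    name, tld = domain.rsplit('.', 1)
    tokens = name.split('-')  # also catches keyword-brand.com forms
    for brand in brands:
        bname, btld = brand.rsplit('.', 1)
        if tld == btld and any(canonical(t) == canonical(bname) for t in tokens):
            return brand
    return None


def find_lookalikes(log_lines, brands=BRANDS):
    # Log format (constructed): date client qname qtype answer.
    # -> {qname: (imitated brand, lure theme)}
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].lower().rstrip('.')
        brand = match_brand(qname, brands)
        if brand and qname not in hits:
            domain, sub = split_name(qname)
            hits[qname] = (brand, lure_theme(sub + domain.split('.')[0].split('-')))
    return hits


# Constructed sample log lines (RFC 5737 addresses, not real answers).
SAMPLE_LOG = [
    '2014-05-12 10.1.2.3 extcitrix.we11point.com A 198.51.100.7',
    '2014-05-12 10.1.2.9 www.wellpoint.com A 198.51.100.20',
    '2014-05-13 10.1.2.3 hrsolutions.we11point.com A 198.51.100.7',
    '2013-12-11 10.1.4.4 prennera.com A 198.51.100.8',
    '2014-05-20 10.1.2.5 sharepoint-vaeit.com A 198.51.100.9',
    '2014-05-20 10.1.2.5 anthem.com A 198.51.100.30',
]

if __name__ == '__main__':
    for qname, (brand, theme) in sorted(find_lookalikes(SAMPLE_LOG).items()):
        print(qname, '->', brand, '/', theme)
```

Because both sides are canonicalized, two legitimate names can collide (any brand spelled with nn versus one spelled with m), so treat hits as leads to pivot on in passive DNS and Whois rather than as verdicts, and seed BRANDS with the organisation's own former names, parents and partners, which is exactly the Wellpoint / Anthem situation.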
A Threat Intelligence Platform should allow for analysts to easily put together and organize such\r\ninsights, collaborate around relevant analysis internally, and share the finished analysis with external industry\r\ngroups and organizations. In the hopes that our community members could benefit from or provide further insight\r\ninto this suspicious incident, we immediately shared our threat intelligence including indicators, signatures and\r\nanalytical context to the ThreatConnect Medical and Health Community on November 13, 2014. This included\r\nsending out a notification to all stakeholders as well as our followers on Twitter.\r\nWhen the Anthem breach later came to light in early February, we re-shared the signatures, indicators and context\r\nfreely to the entire ThreatConnect user base. As we dug further, we expanded our understanding of the malicious\r\nwe11point[.]com infrastructure, taking particular interest in subdomains such as “extcitrix.we11point[.]com”\r\nand “hrsolutions.we11point[.]com”. Note the “citrix” and “hr” (human resources) prefixes that the adversary used\r\nto mirror legitimate remote access infrastructure and employee benefits resources in the May 2014 timeframe. This\r\nprovided initial insight into the likely targeting themes and vectors the adversary may have used\r\nwhen initiating their targeting campaign.\r\nThe fact that the malicious infrastructure closely mirrored other legitimate Wellpoint infrastructure supported our\r\nhypothesis that the Derusbi / Sakula malware was configured to operate and persist within a specific target\r\nenterprise.\r\nPossible Premera Blue Cross Infrastructure:\r\nRetrospective analysis of other targeted malware samples using the DTOPTOOLZ Co. 
digital signature led to the\r\nidentification of an “HttpBrowser” / “HttpDump” implant MD5: 02FAB24461956458D70AEED1A028EB9C\r\n(OpenOfficePlugin.exe), which was first observed on December 11, 2013. Although this malware sample is not\r\nDerusbi / Sakula, it too is strongly believed to be associated with Chinese APT activity and in fact may have also\r\nbeen involved in a Blue Cross Blue Shield targeting campaign as early as December 2013.\r\nThis particular binary is configured to connect to the static IP address 142.91.76[.]134. Passive DNS of this IP\r\nindicates that on December 11th, 2013, the same date as the malware sample was observed, the domain\r\nprennera[.]com also resolved to 142.91.76[.]134. It is believed that the prennera[.]com domain may have been\r\nimpersonating the healthcare provider Premera Blue Cross, where the attackers used the same character\r\nreplacement technique by replacing the “m” with two “n” characters within the faux domain, the same technique\r\nthat would be seen five months later with the we11point[.]com command and control infrastructure.\r\nSection Summary:\r\nThe Derusbi / Sakula malware implant types are unique in that they have traditionally been seen within\r\nChinese APT espionage campaigns.\r\nThe “HttpBrowser” / “HttpDump” malware implant (while a different family of malware than Derusbi /\r\nSakula) is also believed to be of Chinese origin, and was also digitally signed with the DTOPTOOLZ\r\ndigital signature. This implant connected to a C2 node that overlapped with prennera[.]com.\r\nWe believe that the prennera[.]com domain may be impersonating Premera Blue Cross (premera.com),\r\nusing a similar character replacement technique seen in the we11point[.]com campaign.\r\nVAE Inc. 
Themed Infrastructure \u0026 Signed Malware\r\nAnother powerful attribute of ThreatConnect is the ability for analysts to logically group items such as atomic\r\nindicators, related documents or signatures, all of which may include individualized custom context enrichments\r\nand associations. Over time, the ability to memorialize groupings of related or like activity allows analysts to\r\nquickly uncover non-obvious relationships within their private datasets. This is exactly what happened as we\r\ncontinued to investigate these incidents.\r\nAs industry analysts and media speculated Chinese APT involvement in the Anthem breach, our focus into the\r\nDerusbi / Sakula malware signed with the DTOPTOOLZ Co. digital signature shifted from the we11point[.]com\r\nincident to another cluster of activity that occurred later in May 2014. We immediately reviewed Incident\r\n20140526B: vaeit APT, an incident that we initially shared to our Subscriber Community on September 29, 2014\r\nafter conducting retrospective analysis.  \r\nJust as was the case with the we11point[.]com and prennera[.]com incidents, the VAE, Inc. incident is also\r\nbelieved to be associated with Chinese APT espionage activity. In this case the adversary also used Derusbi /\r\nSakula malware that was signed with the DTOPTOOLZ Co. digital signature and configured to communicate with\r\nfaux infrastructure appearing to be masquerading as internal resources for the Department of Defense Contractor\r\nVAE, Inc. Additionally, in response to an inquiry from KrebsOnSecurity, VAE, Inc. 
would later confirm that it had\r\nindeed been a target of a failed spearphishing attempt in May 2014 which used the malicious faux VAE, Inc.\r\nthemed domain.\r\nThe targeted incident relied upon the Sakula executable MD5: 230D8A7A60A07DF28A291B13DDF3351F, which\r\nhad XOR 0x9A-encoded C2 callbacks to the IP address 192.199.254[.]126 (registered to Wehostwebsites[.]com\r\n– “Tom Yu” of Baoan, Shenzhen City, Guangdong Province, China) as well as a hardcoded callback to\r\nsharepoint-vaeit[.]com. Passive DNS of the static C2 IP 192.199.254[.]126 revealed a single suspicious domain of\r\ninterest – topsec2014[.]com. This domain had historic resolution around May 8, 2014, within a month of the first\r\nobserved Sakula activity using the IP 192.199.254[.]126 as C2.\r\nUsing historic Whois, we discovered that topsec2014[.]com was initially registered by\r\nli2384826402@yahoo[.]com on May 6th, 2014. Although the li2384826402@yahoo[.]com registrant is likely a\r\nreseller given that it has been observed registering several thousand other domains, the fact that it was used to\r\nregister both the faux VAE, Inc. C2 infrastructure and the overlapping domain topsec2014[.]com within the same\r\nmonth suggests that there may be a relationship between the reseller’s client for the VAE, Inc. infrastructure\r\nand the client for topsec2014[.]com.\r\nJust four minutes after the initial registration of topsec2014[.]com, the Whois records were updated from the\r\ninitial registrant, Li Ning – li2384826402@yahoo[.]com, to TopSec China – TopSec_2014@163[.]com. This\r\ndomain record has been unchanged since May 7th, 2014. The we11point[.]com infrastructure, and by extension the\r\nfaux VAE Inc. infrastructure, is associated with Cluster 2 of the ScanBox framework by PwC. 
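Recovering the callbacks from a sample like the one above and then pivoting on them through archived passive DNS and Whois is mechanical once the encoding key is known. The Python below is an added example rather than the original analysis: the 0x9A key, the C2 IP, the hostname and the reseller registrant address come from this write-up, but the encoded blob (built here by encoding a plausible configuration layout with the same key), the passive DNS rows, the Whois rows and the 30-day correlation window are constructed assumptions.

```python
# Added example (not the original analysis code): XOR-decode a Sakula-style
# configuration blob, pull out the callbacks, and pivot them through
# archived passive DNS and historic Whois records.
# The blob, passive DNS rows and Whois rows are constructed stand-ins;
# only the key (0x9A) and the indicators come from the write-up.
from datetime import date

XOR_KEY = 0x9A


def xor_decode(blob, key=XOR_KEY):
    # Single-byte XOR is its own inverse, so this also encodes.
    return bytes(b ^ key for b in blob)


def printable_strings(data, min_len=6):
    # Runs of printable ASCII, like the strings(1) utility.
    out, run = [], []
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            out.append(''.join(run))
        run = []
    if len(run) >= min_len:
        out.append(''.join(run))
    return out


def looks_like_ipv4(s):
    parts = s.split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)


def looks_like_hostname(s):
    return '.' in s and ' ' not in s and s.replace('.', '').replace('-', '').isalnum()


def extract_callbacks(blob, key=XOR_KEY):
    # -> (list of IPv4 callbacks, list of hostname callbacks)
    ips, hosts = [], []
    for s in printable_strings(xor_decode(blob, key)):
        token = s.strip().lower()
        if looks_like_ipv4(token):
            ips.append(token)
        elif looks_like_hostname(token):
            hosts.append(token)
    return ips, hosts


# Constructed stand-in for the encoded config region: a plausible layout
# (NUL-separated strings) encoded with the same key. Not the real bytes.
_PLAIN = (b'192.199.254.126' + bytes(4) + b'sharepoint-vaeit.com' + bytes(4)
          + b'Mozilla/4.0 (compatible; MSIE 6.0)')
SAMPLE_BLOB = xor_decode(_PLAIN)

# Constructed passive DNS rows: (first_seen, rrname, rdata).
PDNS = [
    (date(2014, 5, 8), 'topsec2014.com', '192.199.254.126'),
    (date(2014, 5, 20), 'sharepoint-vaeit.com', '192.199.254.126'),
    (date(2013, 1, 3), 'stale-tenant.example', '192.199.254.126'),
]
# Constructed historic Whois rows: (domain, registrant_email, registered).
WHOIS = [
    ('topsec2014.com', 'li2384826402@yahoo.com', date(2014, 5, 6)),
    ('sharepoint-vaeit.com', 'li2384826402@yahoo.com', date(2014, 5, 5)),
    ('reseller-client.example', 'li2384826402@yahoo.com', date(2014, 3, 2)),
    ('stale-tenant.example', 'someone@example.net', date(2013, 1, 1)),
]


def pivot(ips, hosts, pdns=PDNS, whois=WHOIS, window_days=30):
    # co_hosted: other names that resolved to a recovered C2 IP within
    # window_days of the recovered hostname's first sighting (shared hosting
    # years apart is noise, not a relationship).
    # shared_registrant: names registered by the same Whois contact; with a
    # reseller account this is a weak pivot, so it is reported separately.
    known = set(hosts)
    anchors = [first for first, name, _ in pdns if name in known]
    if not anchors:
        return set(), set()
    anchor = min(anchors)
    co_hosted = {name for first, name, rdata in pdns
                 if rdata in ips and name not in known
                 and abs((first - anchor).days) <= window_days}
    emails = {email for dom, email, _ in whois if dom in known | co_hosted}
    shared_registrant = {dom for dom, email, _ in whois
                         if email in emails and dom not in known}
    return co_hosted, shared_registrant


if __name__ == '__main__':
    ips, hosts = extract_callbacks(SAMPLE_BLOB)
    print('callbacks:', ips, hosts)
    print('pivot:', pivot(ips, hosts))
```

The time window is what keeps the IP pivot honest: a static C2 address on shared hosting accumulates unrelated tenants over years, and only names that appeared close to the malware's own activity are worth a second look. The registrant pivot is kept separate because, as the write-up notes, a reseller account registers thousands of domains for unrelated clients, so a shared registrant suggests a relationship between clients at best.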
The latest PwC\r\nupdate to ScanBox states that there are “links between the domain allegedly used in the Anthem hack\r\n(we11point.com) to Cluster 2 through shared WHOIS details.”\r\nOPM Themed Infrastructure\r\nOne notable pattern was how the domain Whois registration information for the VAE, Inc. themed infrastructure\r\nwas quickly updated and obfuscated with pseudorandom 10 character gmx.com email addresses and using the\r\nnames of various comic book characters from the Iron Man franchise. This comic-themed naming convention has\r\nbeen previously documented by our friends at Crowdstrike in what they characterize as being associated with a\r\nChinese APT group they have dubbed “Deep Panda”.\r\nLeveraging our DomainTools partnership, we were able to correlate the outlier domain opm-learning[.]org. This\r\ndomain was also purportedly registered by the Iron Man movie hero “Tony Stark” on July 28, 2014. This\r\ninfrastructure naming convention suggests a possible Office of Personnel Management (OPM) theme. However, in\r\nthis case we lacked any specific sample of malware to verify our initial suspicions that this infrastructure was\r\noperational. The possible OPM reference in the domain name is noteworthy considering it was revealed in July of\r\n2014 that OPM had been compromised by a likely state-sponsored Chinese actor in mid-March of that year. The\r\nfact this domain was registered after the breach occurred suggests that OPM could be an ongoing direct target of\r\nChinese state-sponsored cyber espionage activity.\r\nOur attention then turned to the FBI Flash Report A-000049-MW that was publicly reported by Brian Krebs on\r\nFebruary 6th, 2015. This FBI Flash Report was issued on January 27th, 2015, the same day an Anthem\r\nadministrator detected suspicious activity according to an internal memo. 
This memo goes on to indicate that the\r\nFBI would not be party to the Anthem breach until they were notified on January 29th, 2015; based on these facts\r\nwe assess with high confidence that it is very unlikely that the FBI Flash Report was directly related to the\r\nAnthem breach. Rather, we suspect that the FBI Flash Report likely references the USIS breach that was announced\r\non August 6, 2014, or the previous OPM breach, considering the statement that the breach involved “compromised\r\nand stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and\r\ngovernment networks through cyber espionage.”\r\nThe malware referenced within the FBI Report is associated with a Derusbi backdoor subvariant named\r\n“InfoAdmin” / “Kakfum”, where the FBI specifically references open source reporting of “Deep Panda” as being\r\nrelated to the malware observed in the attack. The malicious infrastructure highlighted in the report are the\r\ndomains images.googlewebcache[.]com and smtp.outlookssl[.]com. The parent domains of both were\r\nincluded with other related domains, all of which were shared on September 16th, 2013 to the ThreatConnect\r\nSubscriber Community in Incident 20130823C: Some.Trouble APT Domains, roughly a year and a half prior to the\r\nFBI Flash Report.\r\nIt is important to mention that both the domains images.googlewebcache[.]com and smtp.outlookssl[.]com were\r\nalso previously identified in an October 2014 PwC blog post as seen within Cluster 1 of the ScanBox framework,\r\nwhile the Sakula activity with we11point and VAEIT is contained within Cluster 2 of that report. 
This implies that\r\nthe actor referenced within the FBI Flash Report uses shared capabilities (in this case the ScanBox kit) with the\r\nSakula / we11point actor.\r\nSection Summary:\r\nThe Derusbi / Sakula malware seen in both the we11point[.]com and VAE Inc. campaigns were structurally\r\nthe same and digitally signed with the DTOPTOOLZ signature.\r\nThe emerging theme is that this particular signature and family of malware is highly indicative of a\r\nparticular cluster of Chinese APT activity.\r\nWithin this web of malicious infrastructure, there is an interesting overlap with the topsec2014[.]com\r\ndomain and attack infrastructure.\r\nThreatConnect Research identified a domain opm-learning[.]org that had a similar superhero themed\r\nWHOIS registrant to the Sakula / VAE Inc. infrastructure. The possible OPM reference is noteworthy\r\nconsidering the Office of Personnel Management (OPM) was compromised in March 2014. Additionally,\r\nFBI Flash Report A-000049-MW referenced indicators that were possibly associated with the USIS hack\r\nand a Derusbi variant called “Kakfum” / “InfoAdmin”. Both the FBI Flash infrastructure and the Sakula /\r\nVAE Inc. infrastructure are tied to the capability usage of the ScanBox framework, residing in Clusters 1\r\nand 2 respectively.\r\nUnveiling Song Yubo and Southeast University:\r\nThe Professor\r\nWe conducted open source research in pursuit of further information on the TopSec_2014@163[.]com email\r\nregistrant. A keyword search returned several results for “topsec2014@163[.]com” in association with a number\r\nof academic institutions in Nanjing, China. 
Although the email address wasn’t an exact match to the\r\ntopsec2014[.]com domain registrant (notice the absence of the underscore), such a similarity warranted further\r\ninvestigation.\r\nWe examined the links for any relevant intelligence, and discovered that nearly all of the search results led to\r\npages that contained an announcement for an information security competition sponsored by the Southeast\r\nUniversity-Topsec Information Security and Mobile Internet Technology Joint Research Center. This entity\r\nappears to be a joint research venture between the University and Chinese networking giant Beijing Topsec\r\nNetwork Security Technology Co., a.k.a. Beijing Topsec.\r\nThe announcements list a Professor “Song Yubo” as the point of contact for the event, and direct interested\r\nparties to his email address, topsec2014@163[.]com, for further questions.\r\nAccording to his LinkedIn page, Song is a Teacher at the Southeast University, specifically interested in the field\r\nof telecommunications. Additionally, he is an avid researcher, and has published numerous academic papers on\r\ncomputer network exploitation on various e-journal publication sites, such as Google Scholar. Further, he lists\r\nskills such as “cryptography,” “penetration testing” and “computer network security,” etc. on his ResearchGate\r\nprofile.\r\nAs we continued to develop a profile on Professor Song, we began to have the sense that his interest in\r\ninformation security research strongly overlapped with that of someone who might be interested in or at least\r\ncapable of conducting sophisticated cyber attacks. 
However, interests alone are not enough to warrant reasonable\r\nsuspicion, so we had to do more digging.\r\nAdditionally, the soft link between TopSec_2014@163[.]com and topsec2014@163[.]com alone was not\r\nsufficient to make associations with any reasonable confidence, but as it turns out, Song has in fact been\r\npreviously named as a person of interest in the context of offensive Chinese cyber activity.\r\nThe University\r\nIn March 2012, Northrop Grumman presented a commissioned report to Congress detailing Chinese cyber warfare\r\ncapabilities. The report asserts with high confidence that both Song and the Information Security Research Center\r\nat Southeast University have received numerous state-sponsored research grants, and by extension, cooperated\r\nwith the Government of China in conducting information security research and development (R\u0026D). As stated on\r\nSoutheast University’s own website, the main purpose of these grants is to develop technical acumen amongst its\r\nstudents via providing support for “state-owned scientific research institutions, state key enterprises, government\r\nagencies and People’s Liberation Army (PLA) units.”\r\nSoutheast University is one of only three Chinese academic institutes that receives funding from all five of the\r\nState grant programs. Song himself has also conducted his fair share of state-sponsored research, notably under\r\nthe National Ministry of State Security 115 Program – a highly sensitive research grant to fund ambiguous\r\ninformation warfare R\u0026D, almost certainly in support of PLA programs.\r\nThe Competition\r\nAs we can see, the evidence continued to stack up. 
The real smoking gun, however, was when we began to notice\r\na strong temporal overlap between the various stages of the TOPSEC Cup that Song and Beijing Topsec were\r\norganizing, the registration dates of malicious infrastructure, and the malware compilation dates.\r\nBased upon the translated registration form that we obtained from Song Yubo’s personal Baidu document sharing\r\naccount, open registration for the “TOPSEC Cup” began on May 4th, 2014 and would close on May 14th, 2014.\r\nThe details of the competition that were shared on the announcement are extremely ambiguous, and probably for\r\ngood reason. The introductory paragraph mentions that the primary goal of the event is to facilitate the training\r\nand discovery of new talent, noting that exceptional participants would receive priority consideration for\r\ninternships and jobs with Beijing Topsec.\r\nThe event itself was broken down into several distinct rounds of competition. Firstly, the preliminary round\r\nrequired all eligible registrants to remotely access and navigate through the network. Should a\r\nparticipating team perform exceptionally in the preliminary qualifying round, they would be invited to participate\r\nin the final round on-site in Nanjing.\r\nIn this final round, participants would be required to build their own “information systems and network\r\nenvironments.” The announcement notes that the students must rely upon their own laptop and software tools to\r\naccomplish this task. 
Further, the announcement notes that participants are prohibited from attacking the provided\r\nserver as well as their competitors.\r\nSection Summary:\r\nSong Yubo and his research center at Southeast University appear to be central players in this narrative, as\r\nhighlighted by their financial connections to the government of China, in particular the Ministry of State\r\nSecurity (MSS), China’s premier human intelligence agency.\r\nIf the MSS was involved, we can deduce that the Anthem hack could have been for the purposes of\r\ngathering sensitive information for follow-on HUMINT targeting via blackmail, asset recruitment or\r\ntechnical targeting operations against individuals at home.\r\nSong’s use of the topsec email alias suggests a greater association with Topsec.\r\nIt seems as if the competition is almost certainly the cause for the topsec2014[.]com domain. What is very\r\ncurious, however, is the initial registration by the reseller li2384826402@yahoo[.]com, which is a tactic\r\nseen within the confirmed malicious faux VAE Inc. infrastructure.\r\nThe overlap between the competition website and the static command and control infrastructure seen in the\r\nDerusbi / Sakula implant was likely an error made by the attackers.\r\nTianrongxin, a.k.a. Beijing Topsec Technology Co:\r\nThe Company\r\nTo enhance our open-source capabilities, we partnered up with Dr. James Mulvenon and his team of China experts\r\nat Defense Group, Inc. (DGI). We shared with them everything that we knew at the time, walking through the\r\ntechnical details which led us all the way to Song Yubo and the competition announcement. 
From there, they were\r\nable to uncover a wealth of very consequential background information on Beijing Topsec Technology Co\r\n(Beijing Topsec), the sponsoring organization for Song Yubo’s information security competition.\r\nDGI’s research indicated that Beijing Topsec is one of the largest information security hardware providers in\r\nChina. In 1996, they were the first Chinese company to break into the market with the release of China’s first\r\nindigenously-manufactured firewall. Since then, they have expanded their business to include a consulting\r\npractice focused on issues such as vulnerability mining, software code analysis, threat intelligence, and encryption\r\nR\u0026D, amongst other things.\r\nThe company served as a core technical support unit for network security at the 2008 Olympic Games – an event\r\nwhich was tightly controlled by the state.  Additionally, Beijing Topsec is a known partner of the Chinese military.\r\nSince 2009, the company has possessed information publication credentials for military network procurement.\r\nSince 2013, they have been publicly recognized as the Chinese equivalent of a cleared defense contractor.\r\nThe links between Beijing Topsec and the Chinese government are fairly substantial, highlighted by long-standing\r\npartnerships between even the most shadowy elements of the Chinese military.\r\nThe Leaked Cable\r\nA very compelling piece of evidence is found in the contents of a leaked 2009 diplomatic security cable from the\r\nDepartment of State, published by The Guardian.  The cable is a daily digest of Diplomatic Security alerts –\r\nessentially a situational awareness primer for State Department employees to inform them of new and existing\r\nthreats.  In one section, the cable highlights that the Founder of Beijing Topsec, He Weidong, had openly talked\r\nabout receiving directives from the PLA in an interview with China News Network.  
In the interview, the founder\r\nquite curiously states that Topsec is less a commercial entity than a research institute, and that the company\r\nreceived about half of its start-up capital directly from the PLA. The cable further claims that Topsec actively\r\nrecruits for the PLA cyber army.\r\nIt would also appear that Beijing Topsec has deep ties not only to state-run cyber activity but also to\r\nthe independent hacker community. Of note, the company hired the notorious hacker Lin Yong, a.k.a.\r\n“Lion” (of the Honker Union of China) in the early 2000s as a security service engineer and to conduct network\r\ntraining.\r\nSection Summary:\r\nIt is not surprising that the Chinese government would be interested in partnering with a private\r\norganization such as Beijing Topsec for use as a front for state-sponsored activity.\r\nThe association between Southeast University and Beijing Topsec as manifested in the joint information\r\nsecurity research center highlights the possibility of growing links between state-sponsored activity and\r\nacademic institutions, particularly those that receive funding from the central government.\r\nAll in all, it would seem that China is pursuing a unified approach to cyber operations, relying on all\r\nunique facets of the workforce: academia, private industry, and independent hackers, as well as the PLA to\r\nachieve their strategic goals.\r\nConclusion:\r\nThe Anthem breach exposes the insidious reality of modern Chinese cyber espionage as it continues its\r\nunrelenting strikes at the soft underbelly of the American way of life. Moreover, it demonstrates the imposing yet\r\nincreasingly common reality of conducting threat intelligence analysis without substantial threat intelligence to\r\nstart with. 
Fortunately for us, we were able to deduce informed answers to some of the outstanding questions to\r\nthis breach by scrutinizing our archival data troves that are efficiently stored within our Threat Intelligence\r\nPlatform and partner integrations. In the field of cyber security, industry professionals must learn to play the long\r\ngame in order to generate a proactive sense of situational awareness, allowing for greater efficiency and flexibility\r\nin mitigating future threats.\r\nAdditionally, this incident underscores the frustrating disparity of the industry when it comes to naming\r\nconventions. With so many threat actors and indicators floating around, it can be frustrating to keep track of all\r\nthe disparate pieces of evidence, especially when countless naming conventions are applied. Without the use of a\r\nThreat Intelligence Platform to keep track of the flood of incoming threat data, this task would be extraordinarily\r\ntime consuming at best and crippling at worst.\r\nMoving forward, it is important to bear in mind that the adversary, regardless of country of origin, will almost\r\ncertainly leverage our every weakness against us. Even something as seemingly innocuous as confusion over\r\nnames can easily consume analytical bandwidth, creating a window of opportunity to strike. 
We – that is security\r\nprofessionals, private industry and governments alike – must proactively harden our network defenses and hasten\r\nour incident responses as a united, synchronous entity.\r\nWe have shared details on Song Yubo and affiliated indicators within the ThreatConnect Common Community.\r\n This share also includes the full-text DGI “BLUE HERON” research which provides greater insight into Song\r\nYubo, Southeast University and Beijing Topsec.\r\nAll things considered, the industry must learn to adopt a cooperative defense mindset in the hopes of rebuffing\r\nfuture attacks. The most resolute defense we have is each other, so be like ThreatConnect Research and start\r\nactively defending your own community from the next big breach. Contact us to learn more.\r\nAbout the Author\r\nThreatConnect\r\nBy operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security\r\noperations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy\r\nand value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the\r\nThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a\r\nproactive force in protecting the enterprise. Learn more at www.threatconnect.com.\r\nSubscribe\r\nto our Emails\r\nSource: https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/\r\nhttps://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/\r\nPage 16 of 16\n\nthemed domain. The targeted incident relied upon the Sakula executable MD5: 230D8A7A60A07DF28A291B13DDF3351F   which\nhad a XOR 0x9A encoded C2 callbacks to the IP address 192.199.254[.]126 (registered to Wehostwebsites[.]com \n-“Tom Yu” of Baoan, Shenzhen City, Guangdong Province, China) as well as a hardcoded callback to sharepoint\u0002\nvaeit[.]com. 
Passive DNS of the static C2 IP 192.199.254[.]126 revealed a single suspicious domain of interest-",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
	],
	"report_names": [
		"the-anthem-hack-all-roads-lead-to-china"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64ca1755-3883-4173-8e0a-6e5cf92faafd",
			"created_at": "2022-10-25T15:50:23.636456Z",
			"updated_at": "2026-04-10T02:00:05.389234Z",
			"deleted_at": null,
			"main_name": "Deep Panda",
			"aliases": [
				"Deep Panda",
				"Shell Crew",
				"KungFu Kittens",
				"PinkPanther",
				"Black Vine"
			],
			"source_name": "MITRE:Deep Panda",
			"tools": [
				"Mivast",
				"StreamEx",
				"Sakula",
				"Tasklist",
				"Derusbi"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0383b78d3a8e9951a9124ea85a3e083606a94f11.pdf",
		"text": "https://archive.orkl.eu/0383b78d3a8e9951a9124ea85a3e083606a94f11.txt",
		"img": "https://archive.orkl.eu/0383b78d3a8e9951a9124ea85a3e083606a94f11.jpg"
	}
}