United Hack Connects to Attack Group

Thursday, July 30, 2015 @ 02:07 PM gHale

The attack group that stole data on tens of millions of U.S. insurance policyholders and government employees has also been linked to a breach at United Airlines that occurred around the same time.

United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. Three of those people said investigators working with the carrier linked the attack to a group of China-backed hackers they said are behind the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.


On Wednesday, ISSSource reported that Symantec had called out a cyber espionage group named Black Vine, which targets multiple industries including energy, aerospace and healthcare and which Symantec holds responsible for the Anthem attack.

The most prominent attack to date attributed to Black Vine is the breach of health insurer Anthem, in which over 80 million records ended up stolen. That attack came to light when a database administrator noticed multiple queries running under his own account that he had not executed. That discovery soon led Anthem to realize it was under attack from an advanced cyber espionage group.
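The detection described above, an administrator's account issuing queries the administrator did not run, is the kind of anomaly a database audit log can surface automatically. The following is an added example written for this page, not code from Anthem, Symantec or any investigator quoted here. It runs over a constructed audit log and flags queries under a privileged account that come from a client host outside that account's baseline or outside normal working hours; the log format, host names, account name and baseline are all assumptions made for the example.

```python
"""Flag database queries issued under a privileged account that do not fit
the account owner's baseline (client host, working hours).

Added example for this page. The audit-log format, account, hosts and
baseline below are constructed for illustration, not taken from any
real incident or product."""
from datetime import datetime

# Constructed sample audit log (not real data).
# Format per line: <ISO timestamp> <db_user> <client_host> <query text>
AUDIT_LOG = """\
2015-01-26T09:12:04 dba_jsmith ws-jsmith.corp.example SELECT count(*) FROM members
2015-01-26T09:15:41 dba_jsmith ws-jsmith.corp.example SELECT * FROM members WHERE member_id=1042
2015-01-27T02:03:18 dba_jsmith app-node-17.dmz.example SELECT member_id, ssn, dob FROM members
2015-01-27T02:03:19 dba_jsmith app-node-17.dmz.example SELECT member_id, ssn, dob FROM members
2015-01-27T02:04:55 dba_jsmith app-node-17.dmz.example SELECT * FROM members LIMIT 1000000
2015-01-27T10:30:00 dba_jsmith ws-jsmith.corp.example SELECT 1
"""

# Baseline (assumed for the example): hosts each privileged account is
# expected to connect from, and the local hours an interactive admin works.
KNOWN_HOSTS = {"dba_jsmith": {"ws-jsmith.corp.example"}}
WORK_HOURS = range(8, 19)  # 08:00 through 18:59


def parse_line(line):
    """Split one audit line into its fields; the query may contain spaces."""
    ts, user, host, query = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "query": query}


def flag_anomalies(log_text, known_hosts=KNOWN_HOSTS, work_hours=WORK_HOURS):
    """Return one finding per query that violates the account's baseline.

    Two independent checks are applied and every violated check is listed,
    so an analyst can see whether a hit is merely late-night work from the
    usual workstation or activity from a host the DBA never uses."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["host"] not in known_hosts.get(rec["user"], set()):
            reasons.append("unknown client host")
        if rec["ts"].hour not in work_hours:
            reasons.append("outside working hours")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                             "host": rec["host"], "query": rec["query"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(AUDIT_LOG):
        print(f["ts"], f["user"], f["host"], "|", "; ".join(f["reasons"]))
        print("   ", f["query"])
```

In the constructed log the three queries from the DMZ application node at 02:03 are flagged on both counts, while the DBA's own workstation traffic passes. In practice the baseline would be learned from weeks of history rather than hard-coded, and the check would run continuously rather than depend on an administrator happening to notice.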

The previously unreported United breach raises the possibility the hackers now have data on the movements of millions of Americans, adding airlines to a growing list of strategic U.S. industries and institutions that suffered a compromise. Among the cache of data stolen from United are manifests, including information on flights’ passengers, origins and destinations.

It’s increasingly clear that China’s intelligence apparatus is amassing a vast database, security experts said. Files stolen from the federal personnel office by this one China-based group could allow the hackers to identify Americans who work in defense and intelligence, including those on the payrolls of contractors.

In a Big Data environment, the information could end up cross-referenced with stolen medical and financial records, revealing possible avenues for blackmailing or recruiting people who hold security clearances. In all, the China-backed team has hacked at least 10 companies and organizations, including other travel providers and health insurers, said researchers at security firm FireEye Inc.

The theft of airline records potentially offers another layer of information that would allow China to chart the travel patterns of specific government or military officials.

United is one of the biggest government contractors among U.S. airlines, making it a rich repository of data on the travel of American officials, military personnel and contractors. The hackers could match international flights by Chinese officials or industrialists with trips taken by U.S. personnel to the same cities at the same time, said James Lewis, a senior fellow in cyber security at the Center for Strategic and International Studies in Washington.

The timing of the United breach also raises the question of whether it is linked to computer faults that stranded thousands of the airline's passengers in two incidents over the past couple of months. Two additional people close to the probe, who like the others requested anonymity when discussing the investigation, said the carrier found no connection between the hack and a July 8 systems failure that halted flights for two hours. They did not rule out a possible, tangential connection to an outage on June 2.

United received some help identifying the breach from U.S. investigators working on the OPM hack. The China-backed hackers that cyber security experts linked to that attack have a habit of embedding the names of their targets in web domains, phishing emails and other attack infrastructure, according to one of the people familiar with the investigation.

In May, the OPM investigators began drawing up a list of possible victims in the private sector and provided those companies with detection signatures (indicators of compromise drawn from the attackers' infrastructure, not cryptographic signatures) that would show whether their systems had been breached. United Airlines was on that list.
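The two preceding paragraphs describe a hunting opportunity: if an actor embeds target names in its domains and phishing infrastructure, a company can sweep its own DNS, proxy and mail logs for domains that carry its brand but that it does not own. The following is an added example written for this page; it is not code or an indicator list from the investigators, United or any vendor named here. It goes slightly beyond the text by also undoing common lookalike tricks (hyphens, digit-for-letter substitutions) before matching. The domains, brand tokens and list of legitimately owned domains are all constructed assumptions.

```python
"""Sweep observed domains for ones that embed a target organization's name
but are not the organization's own, the lookalike-infrastructure pattern
described in the article.

Added example for this page. All domains, tokens and ownership data are
constructed for illustration and are not real indicators of compromise."""

# Constructed sample of domains harvested from DNS/proxy/mail logs (not real).
OBSERVED_DOMAINS = [
    "united.com",
    "mail.united.com",
    "united-airlines-login.example",
    "unit3d-secure.example",
    "unitedair.example",
    "cdn.example",
    "anthem-benefits.example",
    "weather.example",
]

# Brand tokens to hunt for and domains the targets legitimately own.
# Both are assumptions for the example.
BRAND_TOKENS = {"united", "anthem"}
LEGIT_DOMAINS = {"united.com", "anthem.com"}

# Digit-for-letter substitutions commonly used in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable(domain):
    """Crude registrable-domain extraction: the last two labels.

    A production version would consult the public suffix list so that
    names under co.uk and similar suffixes are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Undo lookalike tricks so 'Unit3d-Air' compares as 'unitedair'."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def suspicious_domains(domains, tokens=BRAND_TOKENS, legit=LEGIT_DOMAINS):
    """Return {domain: [matched brand tokens]} for domains that embed a
    brand token in their registrable label and are not on the allow-list.

    Subdomains of an owned domain (mail.united.com) are skipped because the
    attacker controls the registrable domain, not labels beneath a victim's."""
    hits = {}
    for d in domains:
        base = registrable(d)
        if base in legit:
            continue
        body = normalize(base.split(".")[0])
        matched = sorted(t for t in tokens if t in body)
        if matched:
            hits[d] = matched
    return hits


if __name__ == "__main__":
    for domain, toks in suspicious_domains(OBSERVED_DOMAINS).items():
        print(f"{domain:35s} embeds {', '.join(toks)}")
```

Each hit is a lead, not proof of compromise: a marketing agency or a partner may legitimately register a brand-bearing domain, so the output should feed a review queue and be enriched with registration date and hosting data before it is treated as an indicator.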