This data, experts say, is worth a lot more to cybercriminals than,
say, credit card information. And the Office of Personnel Management
(OPM) breach revealed on Thursday suggests cyberspies may now also
be finding value in it.
Cyber investigators from iSight Partners said they had linked the
OPM hack to earlier thefts of healthcare records from Anthem Inc, a
health insurance company, and Premera Blue Cross, a healthcare
services provider. Tens of millions of records may have been lost in
those attacks.
All three breaches have one thing in common, said John Hultquist of
Dallas-based iSight. While cyberespionage usually focuses on
stealing commercial or government secrets, these attacks targeted
personally identifiable information.
The stolen data "doesn't appear to have been monetized and the
actors seem to have connections to cyberespionage activity", said
Hultquist, adding that none of the data taken in the earlier attacks
had turned up for sale on underground forums.
A source close to the matter said U.S. authorities were looking into a
possible China connection to the breach at OPM, which compromised
the personal data of 4 million current and former federal employees.
Several U.S. states were already investigating a Chinese link to the
Anthem attack in February, a person familiar with the matter has
said.
China routinely denies involvement in hacking, and on Friday a
spokesman for the Foreign Ministry in Beijing said suggestions it
was involved in the OPM breach were "irresponsible and
unscientific".
Hultquist said iSight could not confirm that China was behind the
attacks, but similar methods, servers and habits of the hackers
pointed to a single state-sponsored group.
BLACK MARKET FLOODED
Security researchers say that medical data and personnel records
have become more valuable to cybercriminals than credit card data.
The price of stolen credit cards has fallen in online black markets,
in part because massive breaches have spiked supply.
"The market has been flooded," said Ben Ransford, co-founder of
security start-up Virta Laboratories.
The result: medical information can be worth 10 times as much as a
credit card number.
Fraudsters use this data to create fake IDs to buy medical equipment
or drugs that can be resold, or they combine a patient number with a
false provider number and file made-up claims with insurers.
State-sponsored hackers may not be after money, but would also be
interested in such data because they could then build a clearer
picture of their target.
That, said Philip Lieberman of security software company Lieberman
Software, would increase the chances of any targeted email attack,
or spear phish, successfully obtaining confidential data.
Others said that, given the data affected included job histories,
those targets might be in other government departments. "It's likely
this is less about money and more about gaining deeper access to
other systems and agencies," said Mark Bower of HP Security Voltage,
a data security company.
This interest in more granular data is pushing hackers of all
stripes into more inventive ways of penetrating the defenses of
hospitals and other institutions holding such data.
TrapX, a cybersecurity company, said it had discovered criminal
gangs from Russia and China infecting medical devices such as X-Ray
systems and blood gas analyzers to find their way into servers from
which they stole personnel and patient data.
Other security researchers agreed this kind of attack was becoming
more common.
Billy Rios, founder of security company Laconicly, said he had found
infected systems while working with several healthcare
organizations. "Clinical software is riddled with security
vulnerabilities," he said.
A survey by think-tank the Ponemon Institute issued last month said
that more than 90 percent of healthcare organizations surveyed had
lost data, most of it to hackers.
"This is going to get worse before it gets better," said Carl
Wright, of TrapX, which discovered the breaches via medical devices.
(Editing by Alex Richardson)
[© 2015 Thomson Reuters. All rights reserved.]