Indianapolis, IN–A federal grand jury returned an indictment unsealed today in Indianapolis, Indiana, charging a Chinese national as part of an extremely sophisticated hacking group operating in China and targeting large businesses in the United States, including a computer intrusion and data breach of Indianapolis-based health insurer Anthem Inc. (Anthem).
The four-count indictment alleges that Fujie Wang (王 福 杰 in Chinese Hanzi), 32, and other members of the hacking group, including another individual charged as John Doe, conducted a campaign of intrusions into U.S.-based computer systems. The indictment alleges that the defendants gained entry to the computer systems of Anthem and three other U.S. businesses, identified in the indictment as Victim Business 1, Victim Business 2 and Victim Business 3. As part of this international computer hacking scheme, the indictment alleges that beginning in February 2014, the defendants used sophisticated techniques to hack into the computer networks of the victim businesses without authorization, according to the indictment. They then installed malware and tools on the compromised computer systems to further compromise the computer networks of the victim businesses, after which they identified data of interest on the compromised computers, including personally identifiable information (PII) and confidential business information, the indictment alleges.
The indictment further alleges that the defendants then collected files and other information from the compromised computers and then stole this data. As part of the computer intrusion and data breach of Anthem, the defendants identified and ultimately stole data concerning approximately 78.8 million persons from Anthem’s computer network, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment.
Wang and Doe are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.
According to the indictment, the defendants used extremely sophisticated techniques to hack into the computer networks of the victim businesses. These techniques included the sending of specially-tailored “spearfishing” emails with embedded hyperlinks to employees of the victim businesses. After a user accessed the hyperlink, a file was downloaded which, when executed, deployed malware that would compromise the user’s computer system by, in pertinent part, installing a tool known as a backdoor that would provide remote access to that computer system through a server controlled by the defendants.
The defendants sometimes patiently waited months before taking further action, eventually engaging in reconnaissance by searching the network for data of interest, according to the indictment. This data included PII and confidential business information. The indictment alleges that the defendants accessed the computer network of Anthem without authorization for the purpose of conducting reconnaissance on Anthem’s enterprise data warehouse, a system that stores a large amount of PII, on multiple occasions in October and November 2014.
The indictment further alleges that once the data of interest had been identified and located, the defendants then collected the relevant files and other information from the compromised computers using software tools. The defendants then allegedly stole the data of interest by placing it into encrypted archive files and then sending it through multiple computers to destinations in China. The indictment alleges that on multiple occasions in January 2015, the defendants accessed the computer network of Anthem, accessed Anthem’s enterprise data warehouse, and transferred encrypted archive files containing PII from Anthem’s enterprise data warehouse from the United States to China.
Finally, the defendants allegedly then deleted the encrypted archive files from the computer networks of the victim businesses, in an attempt to avoid detection. In late January 2015, the defendants deleted certain archive files containing PII that they had previously transferred from Anthem’s enterprise data warehouse.
Defendant Wang is specifically alleged to have controlled two domain names connected to the criminal activity. According to the indictment, one of these domain names was associated with a backdoor used in the intrusion victimizing Victim Business 1, and the other was associated by Wang with a server used to create an email account used to conduct spearfishing attacks against employees of Victim Business 3.