The case for a Beijing-orchestrated hack of health insurer Anthem has firmed up with new details suggesting that the sophisticated hacking group responsible for the heist shared zero days with rival outfits.

Symantec has overnight dubbed the perps "Black Vine", suggesting the group was responsible for goring more than 70 million personal records from the US company in February.

The security firm paints the group as ultra-sophisticated and unusually keen to share its precious trove of zero day vulnerabilities with rival hacking outfits, rare behaviour among hack-for-cash groups.

Symantec lead researcher Jon DiMaggio says in a report The Black Vine cyberespionage group (PDF), that the group appears to operate out of Beijing and has members with possible ties to security company TopSec which he says has previously hired known black hats and operates from that city.

"Based on the samples analysed in our investigation, Symantec identified that the Black Vine malware variant known as Mivast was used in the Anthem breach.

"[Open source data] suggests that some actors of Black Vine may be associated with a Beijing-based company known as Topsec."

Other links have tied the attack to TopSec. ThreatConnect goes as far as to name an individual teacher who it claims has been dubbed "a person of interest in the context of offensive Chinese cyber activity" and has conducted work for Bejing's secretive National Ministry of State Security (MSS) 115 Program thought to be associated with "ambigious" information warfare activities.

It says the stolen Anthem data could be used to better target the highest-profile victims as part of what remains the group's unknown but seemingly top-flight mission.

"If the MSS was involved, we can deduce that the Anthem hack could have been for the purposes of gathering sensitive information for follow-on HUMINT targeting via blackmail, asset recruitment or technical targeting operations against individuals at home," the researchers state.

Unnamed officials familiar with the breach say the group is stealing information useful to Beijing's counter-intelligence and internal stability.

Coordinated zero days

Four attacks in 2012 and 2014 tie Black Vine to a separate hacking group, and suggest ties between the two are built on shared goals.

Zero-day distribution and framework.

In 2012 Black Vine demonstrated its "extensive financial resources" when it unleashed a zero day exploit in Microsoft's Internet Explorer (CVE-2012-4792) to compromise the ostensibly high-profile visitors to the Council on Foreign Relations website.

The exploit was part of a watering hole attack in which a website popular with an attacker's preferred calibre of victim is compromised to serve malware to visitors.

That 2012 attack is remarkable in that it took place within days of a hack that turned manufacturer Capstone Turbine into a watering hole using the same zero day, and different attack vectors and malware.

Coordinated zero day attacks took place in February 2014 when Black Vine popped an aerospace firm with another then unknown Internet Explorer flaw (CVE-2014-0322). That occurred two days after the separate group busted the US Veterans of Foreign Wars.

A month later Black Vine would pop Anthem and remain inside exfiltrating records and pivoting within its networks for some 300 days.

The apparent tight coordination between the hacking groups is crucial because zero-day vulnerabilities are quickly considered burnt when used in high-profile attacks. Once the zero days are discovered patches and mitigations soon follow.

"The simultaneous attacks between different attack groups seen in 2012 and 2014 exploited the same zero-day vulnerabilities at the same time, but delivered different malware. The malware used in these campaigns are believed to be unique and customized to each group. However, the concurrent use of exploits suggests a shared access to zero-day exploits between all of these groups."

Black Vine like other high-profile hacking groups has targeted organisations in industries including healthcare, energy, and aerospace.

Symantec has released more tools, tactics, and procedures for Black Vine, including its use of the Elderwood hacking framework, which will help security responders identify if they have been targeted. ®