An attack in early 2014 on Anthem, the No. 2 US health insurer, was by most measuring sticks a historic hack, leading to the biggest healthcare data breach ever. New evidence unearthed by researchers from security firm Symantec, however, shows it was business as usual for the hacking group, which over the past three years has carried out more than a dozen similar attacks.

Dubbed Black Vine, the group is well financed enough to have a reliable stream of weaponized exploits for zero-day vulnerabilities in Microsoft's Internet Explorer browser. Since 2012, the gang has brazenly infected websites frequented by executives in the aerospace, energy, military, and technology industries and then used the compromises to siphon blueprints, designs, and other intellectual property from the executives' organizations. The targeting of Anthem appears to reflect more of a secondary interest that was intended to further advance a primary interest in aerospace, energy, and other similar industries rather than to target healthcare information for its own sake.

"If someone just has Vikram's healthcare records, overall there's very little gain," Vikram Thakur, senior security researcher with Symantec, told Ars, as he described the motivations of the Black Vine group hacking Anthem. "But then you get healthcare information about a Vikram working for a government entity or a defense contractor, there is substantial value in that. This is the kind of data that's used in combination with something else to reach an entirely non-healthcare related goal."

Significant resources

A quick review of the Black Vine timeline helps underscore the significant resources the group possessed. In late December 2012, independent security researcher Eric Romang uncovered the compromise of domain name capstoneturbine.com, which is owned and operated by Capstone Turbine, a maker of gas turbines used by energy companies. As a result, anyone who visited Capstone Turbine's website using Microsoft's Internet Explorer browser was infected with a backdoor that Symantec researchers have dubbed Sakurel.

The "watering hole" attack—so called because it targeted a website frequented by people in the energy and aerospace industries—exploited what in 2012 was an unknown vulnerability in IE, CVE-2012-4792. Further demonstrating Black Vine's resources, the Sakurel malware the exploit installed was digitally signed using a certificate issued to an organization called Micro Digital Inc. to bypass Windows security checks. In the last week of 2012, Black Vine targeted a second turbine power and technology manufacturer, an indication that the hackers' primary interest at the time was related to energy. In February 2014, as the group compromised the website of a European aerospace company, the hackers exploited a newer zero-day vulnerability in IE, this time CVE-2014-0322.

Interestingly, Black Vine's use of both this unknown vulnerability and zero-day CVE-2012-4792 two years earlier was mimicked by what Symantec researchers believe was a separate hacking group that competed with Black Vine. Specifically, CVE-2012-4792 was also used in late 2012 by a different group to compromise the Council on Foreign Relations website. Similarly, in February 2014, CVE-2014-0322 was exploited to infect visitors to the Veterans of Foreign Wars websites, as well as the home page of a large European aerospace manufacturer.

In a report published Tuesday, Symantec researchers wrote:

The simultaneous attacks between different attack groups seen in 2012 and 2014 exploited the same zero-day vulnerabilities at the same time, but delivered different malware. The malware used in these campaigns are believed to be unique and customized to each group. However, the concurrent use of exploits suggests a shared access to zero-day exploits between all of these groups. Symantec has previously identified the platform that has been used to deliver zero-day exploits to multiple attack groups as the Elderwood framework.

From 2012 to 2015, Black Vine hacked into at least a dozen companies in the energy, aerospace, or related industries. The breach of Anthem is believed to have begun in May 2014. The insurer was infected with Black Vine malware dubbed Mivast, which was also signed by a compromised digital certificate. The breach wasn't discovered until February, some 10 months after it began. By then, the attackers had pilfered more than 80 million records, making it the biggest healthcare breach in history. Symantec's report also presented evidence tying Black Vine to a China-based IT security organization called Topsec.

The new(ish) face of espionage hacks

The revelations that Symantec has uncovered about Black Vine are important because they shed light on the way the Anthem and similar wholesale hacks are carried out. What later turned out to be a historic breach to defenders was in many ways a run-of-the-mill attack targeting not a primary but a secondary interest. It's not the first time such a follow-on attack has been observed. The 2011 breach of security firm RSA, which stole data that reduced the effectiveness of the SecurID two-factor product RSA sold, is widely believed to have been carried out to better penetrate defense contractors Lockheed Martin and L-3 Communications. Similarly, the 2013 hack of security firm Bit9 is widely believed to have been carried out to better target some of its customers.

Another significant insight provided by Symantec's research is the sharing of zero-day exploits among rival hacking gangs.

"If the attackers are beginning to collaborate and share malicious code, they're reaching a stage where it's not very different from organized crime," Thakur said. "There's something tying them all together, which is something more than money."