Common Malware Jimmied Open White House and Anthem Systems, Say Researchers

Malicious code Russians reportedly used to jimmy open a White House network and malware Chinese hackers reportedly used to rupture insurer Anthem's network were similar -- and free, according to new research.

The worms also were delivered the same way, via phishing emails that looked legitimate, but actually baited recipients into opening a malicious file. 

The hackers' success in each case underscores how conventional hacking techniques still work against skilled professionals at high-security organizations, said Patrick Belcher, a director at cyber firm Invincea. He co-wrote a paper detailing the initial penetrations at the White House and Anthem.

"These aren't just any dumb users," Belcher said. "The top-notch security professionals, they failed in their jobs to not open suspicious email links." Neither Anthem nor the White House has detailed how its systems were initially breached.

At Anthem, a bogus message in December 2014 tricked the recipient to install what appeared to be an authentic Citrix software update that was really an infected file, according to past research. And last fall, at “the White House, it was a stupid video from the Super Bowl like three years ago floating around in the office," Belcher said.

Actually, it was a 2007 Super Bowl ad for CareerBuilder.com that showed chimpanzees running a corporation and tormenting their human employee, according to F-Secure.

A hacked State Department email account reportedly was the source of the phishing email that landed at the White House. Incidentally, State in March invited all federal security employees to participate in a 90-minute phishing email workshop.

"There was no expense to the cost of the hacker," Belcher said. "The only thing that they had to do was come up with the most clever way to fool the most people with this email link."

At both organizations, the cons worked and users opened the files laced with malicious code. The Anthem hackers compromised the Social Security numbers and other personal information of about 80 million customers. The White House hackers infiltrated an unclassified email system and saw President Barack Obama’s confidential schedule.

For his research, Belcher relied on a proprietary Invincea security system funded by the Defense Advanced Research Projects Agency and attack analyses drawn up by ThreatConnect, F-Secure and Kaspersky Lab.

The two pieces of malware were likely publicly available "Trojans," or harmless-looking computer programs that perform dangerous operations.

"They are off-the-shelf Trojans that have been around for a long time," Belcher said. "People use them to basically email other victims, like ex-girlfriends." A user downloads the file, and "then all of a sudden, somebody malicious has a backdoor to the system."

After cracking open that door, each nation state used different, more sophisticated hacking tools to embed themselves in their targets' systems and mask virtually all their activity, he said.

An attacker "can get any generic Trojan, put whatever video they want into it, to misdirect the users so they won’t notice that something unusual is taking place and just fire it off to the right person or the right group of people," Belcher said.

According to The Washington Post, a well-resourced group backed by Moscow lodged months-long attacks against the White House and State Department. Now, investigators are blaming the same Russian cohort for a cyberincident last month that caused the Joint Staff to unplug email, The Post reports. 

A powerful team of hackers sponsored by China burrowed into networks at Anthem, the Office of Personnel Management, and major U.S. airlines that ferry federal officials, according to Bloomberg.

Antivirus detection systems typically do not spot common malware, when attackers use "malware factories" that slightly tweak each file before sending, Belcher said.

"It's constantly recalculating and adding new bits and pieces to itself so that one piece of malware can generate almost 3,000 new instances of itself every minute," he said. 

(Image via Orhan Cam/ Shutterstock.com)