Chinese Hacking of U.S. Data May Extend to Insurance Companies
By NICOLE PERLROTH, DAVID E. SANGER and JULIE HIRSCHFELD DAVIS
SAN FRANCISCO — The same Chinese hackers who breached the records of at least four million government workers through the Office of Personnel Management appear to have been responsible for similar thefts of personal data at two major health care firms, Anthem and Premera, according to cybersecurity experts.
The multiple attacks, which began last year and were all discovered this spring, appear to mark a new era in cyberespionage with the theft of huge quantities of data and no clear motive for the hackers.
There is no evidence that the data collected was used for criminal purposes like faking identities to make credit card purchases. Instead, the attackers seem to be amassing huge databases of personal information about Americans. Some have high-level security clearances, which the Office of Personnel Management handles, but millions of others do not, and the reasons for their records being taken have puzzled investigators.
All of the attacks have one thing in common: The United States government has traced them to China, though it is unclear whether the attackers are working for the state.
Based on forensics, security experts believe the attackers are not one of the hacking units of the People’s Liberation Army, which were named in a federal indictment last year that focused on the theft of intellectual property. Researchers say these hackers used different tools than those utilized by the Liberation Army’s Third Department, which oversees cyberintelligence gathering. But that does not exclude another state-sponsored group, or the adoption of new technologies that are harder to trace.
What marks all of the attacks is the scale and ambition of the data sweeps. When Premera said it was the victim of an attack that exposed medical data and financial information, it appeared to involve 11 million customers. Anthem’s involved upward of 80 million Social Security numbers. Medical records, like the government’s personnel records, contain Social Security numbers and birth dates; the medical data sometimes is linked to bank accounts as well.
In February the F.B.I. issued an alert, circulated to a restricted number of major firms and first revealed by Brian Krebs, a security researcher, that said bureau investigators had “received information regarding a group of cyberactors who have compromised and stolen sensitive business information and personally identifiable information (P.I.I.) from U.S. commercial and government networks through cyberespionage.”
But the theft of personal information has typically been the realm of cybercriminals, who sell it on the underground market where it can be used to break into someone’s email, bank or trading account, typically for identity theft. In this case, however, researchers say the group that stole the personal information was known for cyberespionage, which indicates that spies are no longer stealing just American corporate and military trade secrets, but also personal information for some later purpose.
The intrusions also suggest that President Obama’s efforts over the past three years to engage China’s leadership in a dialogue that would limit cyberattacks have failed. The pace of the attacks is unabated, and the scope has grown. Chinese officials say they, too, are victims, and on Friday the Chinese foreign ministry said the United States was leaping to conclusions about the source of the attacks based on evidence it has not made public. Beijing dismissed the United States allegations that China was the source of an attack on federal workers’ data as “unscientific and irresponsible.”
“We hope the American side won’t continue this layer upon layer of suspicion and groundless accusations,” Hong Lei, a Ministry of Foreign Affairs spokesman, said at a regularly scheduled news conference.
Just what the attackers plan to do with Social Security numbers and other personal information for four million current and former government workers, and millions more insured by Anthem and Premera, is not yet clear.
“We believe they are creating a tremendous database of P.I.I. that they reach back to for further activity,” said John Hultquist, the senior manager of cyberespionage threat intelligence at iSight, a security firm. “It looks like they are casting a very wide net, possibly for follow-on operations or identifying persons of interest, but we’re in a new space here and we don’t entirely know what they’re trying to do with it.”
Mr. Hultquist and his team had been investigating the attacks at Anthem and Premera, in which hackers started naming their web domains after their targets. They named one of those domains Wellpoint, though with only one “l,” to mimic a site used by Anthem, and soon iSight’s researchers saw the hackers creating new infrastructure for other attacks. They also created some other new sites, including two named for the Office of Personnel Management, before they breached the federal agency. In every case, the group went after personal information.
However, iSight stopped short of pinning the attacks on Chinese hackers.
The attack at the Office of Personnel Management is one of the largest breaches of federal employees’ data. It is also the third major intrusion of a federal agency in the last year. Last year, both the White House and State Department were breached by hackers that government officials believe were Russian.
It is unclear why American government agencies were vulnerable to such an extent, or why those agencies left critical data unencrypted. A report from the Government Accountability Office last year found that government agencies have inadequately responded to cyberbreaches. The report found that 24 major federal agencies had been breached, and that in about 65 percent of cases, the agencies did not completely document their response to cyberincidents.
American officials are scheduled to meet with their Chinese counterparts at an annual “Strategic and Economic Dialogue” later this month, and government officials have said they will make cyberattacks a top item for discussion. But they have done so before.
In an attempt to deter the kinds of attacks that have left federal agencies reeling, President Obama signed a new executive order in April that established the first sanctions aimed at curbing foreign cyberespionage and theft. The order authorized financial and travel sanctions against anyone participating in online attacks that posed a threat to the “national security, foreign policy, or economic health or financial stability of the United States.” But so far the new order has not been used.
In this case there seemed to be little doubt among federal officials that the attack was launched from China. But the administration did not publicly identify Chinese hackers as the culprits, perhaps because it is difficult to definitively attribute the source of cyberattacks and to back up such an attribution without divulging classified data, or perhaps because of a broader diplomatic strategy.
The F.B.I. said it was working with other agencies to investigate the matter. “We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace,” Joshua Campbell, a spokesman, said in a statement.
Personal Data of 4 Million U.S. Civil Servants Stolen: “Mainland China Hacked It”
The New York Times and The Washington Post reported on the 4th that the U.S. Office of Personnel Management (OPM), which holds the records of federal government employees, was revealed on the 4th to have had the personal data of four million employees stolen, its third breach in a little over a year. Officials disclosed that the hackers came from mainland China; the mainland’s Ministry of Foreign Affairs rejected this, saying the U.S. claims lack any basis.
After being hacked in March last year, OPM strengthened its network security. While testing new systems in April this year, it found that the database of former and current employees stored at a data center located at the Department of the Interior had been intruded upon again last December. The Department of Homeland Security said it confirmed early last month that data had been stolen and is working with the Federal Bureau of Investigation (FBI) and OPM on the investigation.
This is the largest theft of federal employee data in recent years. OPM would not describe the contents of the hacked database, nor disclose which data may have been stolen.
A law enforcement official told Reuters that “a foreign entity or government” is believed to have directed the cyberattack, and that authorities are pursuing leads connected to mainland China.
In February and March this year, the data of Anthem, the second-largest U.S. health insurer, and of the nonprofit insurance organization Premera Blue Cross were hacked in succession.
Security firm iSight Partners noted that the modus operandi, attack server patterns and habits in the three incidents were all the same, so they were likely the work of the same hackers, and all point to the same state-sponsored hacking group.
The stolen personal data could be used to craft “phishing emails” carrying malicious programs; recipients who see emails and related details that appear to come from the federal government may lower their guard and mistakenly click links, leading to their computers being compromised and data stolen.
Mainland Chinese Ministry of Foreign Affairs spokesman Hong Lei rejected the U.S. accusations at a regular press conference on the 5th, saying: “Reports and remarks of this kind, we have seen rather a lot of recently.” But hackers have the characteristics of “anonymity, cross-border activity and difficulty of tracing,” and to say without thorough investigation that mainland China might be responsible “is unscientific and irresponsible.” He added: “We hope the U.S. side will not be full of suspicion and chase shadows, but instead show more trust and cooperation in this area.”
The United States has repeatedly accused mainland Chinese hackers of attacks; a report released by the U.S. Department of Defense in April this year stated that mainland Chinese hackers attacked U.S. military networks several times last year in an attempt to steal intelligence.
2015-06-06, United Daily News (聯合報), A17, International, translated by 莊蕙嘉
On the 5th the U.S. government acknowledged that Office of Personnel Management (OPM) computers had been breached by hackers, potentially leaking the personal data of at least four million current and former civil servants; the hackers are suspected to be from China.
U.S. government agency systems have recently been breached by hackers again and again; the breach of OPM, which holds employee records and background investigations, could be the largest theft of government employee personal data in U.S. history.
Cybercrime investigators believe the case may be related to the earlier theft of health insurance records from insurers such as Anthem, and that a foreign government may be behind it. The relevant agencies are investigating whether China was involved.
However, Chinese Embassy in the U.S. spokesman 朱海權 countered that cyberattacks are illegal in China, and that jumping to conclusions and making false accusations is both irresponsible and unhelpful. “China is sparing no effort to combat cybercrime in accordance with the relevant laws and regulations.”
The FBI and the Department of Homeland Security (DHS) have reportedly begun an investigation to track down the perpetrators of the cyberattack. Authorities declined to determine a cause or motive, but indicated that agencies including the Department of the Interior were also affected, and that new measures to prevent fraud or identity theft, such as tighter security systems, may be introduced.
Just last year, White House and State Department computer systems were hacked, leading to the leak of 100,000 taxpayer records, with suspicion pointing to Russia.
2015-06-06, Economic Daily News (經濟日報), A10, International, translated by 黃智勤
Personal Data of 4 Million U.S. Government Employees Hacked
U.S. officials said hackers broke into the computer systems of the Office of Personnel Management (OPM), which is responsible for collecting personnel records of federal government employees, affecting the personal data of roughly four million current and former federal employees.
Senator Collins, a member of the Senate Intelligence Committee, said the hackers may have come from mainland China; Chinese Embassy in Washington spokesman 朱海寬 said cross-border cyberattacks are hard to trace and that such accusations are irresponsible.
The hackers broke into the systems last September, but the relevant agencies did not detect it until April. The U.S. Department of Homeland Security (DHS) said it determined early last month that OPM’s data had been stolen.
An anonymous DHS official said the intrusion affected OPM’s information systems and its data stored at the Department of the Interior data center, a shared services center for federal agencies; the official did not say whether other agencies’ data was also affected.
Some reports say the Department of the Interior was also hacked; another official disclosed that nearly every federal agency was affected.
The FBI said in a statement: “The Bureau has launched an investigation together with the relevant agencies. We take potential threats to public and private sector systems seriously, and will hold accountable those who pose a threat in cyberspace.”
An official said this wave of attacks may have originated from a region outside the United States; he neither confirmed nor denied that the attack came from mainland China.
OPM suffered a cyberattack originating from China last year, and the computer systems of the State Department, the U.S. Postal Service and the White House have also been attacked.
The U.S. government has long been wary of computer espionage and theft originating from mainland China, and has repeatedly called on Beijing to address the problem.
Original article:
http://www.nytimes.com/2015/06/06/us/chinese-hackers-may-be-behind-anthem-premera-attacks.html
New York Times Chinese edition translation:
http://cn.nytimes.com/usa/20150605/c05hack/zh-hant/
2015-06-05, United Evening News (聯合晚報), A6, International Focus, translated by 陳世欽