Cybersecurity

When news of the Anthem breach broke on February 4, 2015, the security industry understandably went wild. A healthcare breach of this magnitude was unprecedented, and many industry professionals, the research team at Dataminr included, were eager to dig into the incident and see what could be uncovered.

Drawing on integrated intelligence sources, historical datasets, and established analysis workflows, researchers quickly uncovered a wealth of intelligence despite starting with little lead information or context. Before diving into what was uncovered, let’s briefly review the facts as they stood in the wake of the initial announcement.

What We Know

On the morning of February 4, 2015, several major news outlets broke the story that Anthem, Inc.’s network defenses had been breached. According to a statement from Anthem’s CEO, the company had fallen victim to a “very sophisticated external cyber attack,” and the attackers had obtained the personally identifiable information (PII) of approximately 80 million people, including Social Security numbers, dates of birth, street addresses, phone numbers, and income data.

This was a significant event for several reasons:

  • Anthem, formerly known as WellPoint, was one of the largest healthcare organizations in the United States.
  • Anthem is a Blue Cross Blue Shield licensee, and Blue Cross Blue Shield plans provided healthcare coverage for approximately half of the U.S. federal workforce.
  • Unlike the Sony Pictures hack of late 2014, which was destructive and coercive, the Anthem compromise appeared to be a covert operation.
  • As of late February 2015, there were no signs that the data had been offered for sale on criminal marketplaces for identity theft purposes.

Filling the Gaps

These high-level observations gave researchers little operational detail to work with. Intelligence analysis, however, is often about identifying the gaps and using fragmented evidence to orient investigative effort.

In the context of the Anthem breach, several core questions emerged:

  • Who was responsible for the attack?
  • What was the objective?
  • Who was specifically targeted?
  • What was the operational timeline?

One of the strengths of operational intelligence workflows is the ability to pivot across historical intelligence datasets to identify relationships that are not immediately obvious. In the case of the Anthem breach, retrospective analysis revealed several important patterns.

Anthem-Themed Infrastructure and Signed Malware

In September 2014, researchers observed a variant of the Derusbi malware family signed with a valid code-signing certificate issued to the Korean company DTOPTOOLZ Co. Derusbi has historically been associated with Chinese APT activity. For defenders the lesson cuts both ways: a valid signature is not a trust signal on its own, but the signer is a durable pivot, because the same certificate tends to be reused across an actor’s tooling.

Researchers later identified additional malware signed with the same certificate, including a Sakula malware variant configured to communicate with the domains:

  • extcitrix.we11point[.]com
  • www.we11point[.]com

The domain name itself, with the digit 1 substituted for the letter l, was built to pass as legitimate WellPoint infrastructure. Historic passive DNS and Whois data established a timeline beginning in April 2014, when the domains were first registered, and showed when they were later put into operational use.

Subdomains such as extcitrix.we11point[.]com and hrsolutions.we11point[.]com appeared designed to mirror legitimate remote access (external Citrix) and HR infrastructure. This strongly suggested the malware was customized to operate within a specific target environment. For defenders this is a concrete check: monitor or pre-register homoglyph variants of your own externally facing hostnames (remote access gateways, HR portals, webmail), since those are the names an attacker is most likely to mimic.

Possible Premera Blue Cross Infrastructure

Retrospective analysis of additional malware signed with the DTOPTOOLZ certificate uncovered another implant linked to the domain:

  • prennera[.]com

Researchers assessed that this domain may have been impersonating Premera Blue Cross: the “nn” in prennera stands in for the “m” in premera, the same character-substitution technique later observed in the we11point[.]com infrastructure, where “11” stands in for “ll”.
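The character-substitution pattern behind we11point[.]com and prennera[.]com is easy to check for mechanically. The following is an added example, not code from the original post: it collapses visually confusable sequences before comparing a domain’s registrable label against a watch list of brand names, and it also catches the hyphenated brand-token form (the opm-learning[.]org style that appears later in this post). The brand list, the confusable table and the two-label domain-splitting rule are assumptions made for the example; a production version would use the public suffix list and a fuller confusable table.

```python
from typing import List, Tuple

# Constructed watch list of protected brand labels (an assumption for the example).
BRANDS = ["wellpoint", "anthem", "premera", "opm"]

# Visually confusable sequences. Multi-character entries are applied first so that
# "rn"/"nn" collapse to "m" before single characters are mapped.
MULTI_CONFUSABLES = {"rn": "m", "nn": "m", "vv": "w"}
SINGLE_CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "!": "i"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as we11point[.]com back into a hostname."""
    return indicator.strip().lower().replace("[.]", ".")


def normalize(label: str) -> str:
    """Collapse confusable characters so homoglyph variants compare equal."""
    s = label.lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return "".join(SINGLE_CONFUSABLES.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname (we11point for extcitrix.we11point.com).
    Naive two-label rule; a real deployment should use the public suffix list."""
    labels = refang(hostname).strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(hostname: str, brands: List[str] = BRANDS,
             max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (brand, reason) pairs for every watched brand the domain resembles."""
    label = registrable_label(hostname)
    norm = normalize(label)
    hits: List[Tuple[str, str]] = []
    for brand in brands:
        nb = normalize(brand)
        if norm == nb:
            # Identical once confusables are collapsed: the genuine domain, or a clone.
            hits.append((brand, "exact" if label == brand else "confusable-substitution"))
        elif len(nb) >= 5 and levenshtein(norm, nb) <= max_distance:
            # Fuzzy matching only for longer brands; short ones produce noise.
            hits.append((brand, "near-match"))
        elif nb in norm.split("-"):
            # Brand used as a hyphen-separated token, e.g. opm-learning.
            hits.append((brand, "brand-token"))
    return hits


if __name__ == "__main__":
    # Constructed inputs: the lookalike domains named in this post plus a benign control.
    for d in ["extcitrix.we11point[.]com", "prennera[.]com", "opm-learning[.]org",
              "wellpoint.com", "example.com"]:
        print(f"{d:28} -> {classify(d)}")
```

Both sides are normalized before comparison, so the lossy confusable table cannot cause a brand to miss itself, and the refang step accepts the bracketed [.] notation used in this post.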

This activity further reinforced the possibility of coordinated healthcare-sector targeting associated with Chinese espionage activity.

VAE Inc. Infrastructure and Additional Overlap

As the investigation expanded, researchers identified additional infrastructure associated with Sakula malware signed with the same DTOPTOOLZ certificate.

One campaign appeared designed to impersonate internal infrastructure belonging to Department of Defense contractor VAE, Inc.

Additional overlaps included:

  • shared infrastructure patterns
  • overlapping Whois registration behavior
  • associations with the ScanBox framework previously documented by PwC

These findings further connected multiple intrusion clusters associated with Chinese APT activity.
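The pivoting that ties these clusters together (samples linked through a shared signing certificate, then through shared C2 domains) can be expressed as a small graph walk. The following is an added example, not code from the original post. Its dataset is constructed: the sample identifiers are placeholders rather than real hashes, the signer and C2 relationships follow the text, and sample-4 (unsigned, calling back to a we11point subdomain) and sample-5 (an unrelated signer and domain) are invented to show where a cluster ends. A real deployment would populate the same graph from Authenticode signer data and from C2 hosts extracted from sandbox or passive DNS records.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

Node = Tuple[str, str]  # (kind, value), e.g. ("signer", "DTOPTOOLZ Co.")

# Constructed dataset: ids are placeholders, not real hashes. sample-1 to sample-3
# mirror the relationships described in the post; sample-4 and sample-5 are invented.
SAMPLES = [
    {"id": "sample-1", "family": "Derusbi", "signer": "DTOPTOOLZ Co.", "c2": []},
    {"id": "sample-2", "family": "Sakula", "signer": "DTOPTOOLZ Co.",
     "c2": ["extcitrix.we11point.com", "www.we11point.com"]},
    {"id": "sample-3", "family": "Sakula", "signer": "DTOPTOOLZ Co.", "c2": ["prennera.com"]},
    {"id": "sample-4", "family": "Sakula", "signer": None, "c2": ["hrsolutions.we11point.com"]},
    {"id": "sample-5", "family": "Other", "signer": "Some Other Vendor", "c2": ["unrelated.example"]},
]


def registered_domain(hostname: str) -> str:
    """Collapse a hostname to its registered domain so subdomains pivot together.
    Naive two-label rule; use the public suffix list in production."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def build_graph(samples: List[dict]) -> Dict[Node, set]:
    """Bipartite graph: sample nodes connect to the indicator nodes they share."""
    graph: Dict[Node, set] = defaultdict(set)

    def link(a: Node, b: Node) -> None:
        graph[a].add(b)
        graph[b].add(a)

    for s in samples:
        sid: Node = ("sample", s["id"])
        graph.setdefault(sid, set())  # isolated samples still appear in the graph
        if s["signer"]:
            link(sid, ("signer", s["signer"]))
        for host in s["c2"]:
            link(sid, ("domain", registered_domain(host)))
    return graph


def pivot_path(graph: Dict[Node, set], start: str, goal: str) -> Optional[List[Node]]:
    """Shortest chain of shared indicators connecting two samples (BFS), or None."""
    src, dst = ("sample", start), ("sample", goal)
    if src not in graph or dst not in graph:
        return None
    prev: Dict[Node, Optional[Node]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[Node] = []
            cur: Optional[Node] = node
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph[node]):  # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def cluster(graph: Dict[Node, set], start: str) -> List[str]:
    """All sample ids reachable from `start` through any chain of shared indicators."""
    seen, stack = set(), [("sample", start)]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return sorted(value for kind, value in seen if kind == "sample")


if __name__ == "__main__":
    g = build_graph(SAMPLES)
    print(cluster(g, "sample-1"))
    print(pivot_path(g, "sample-1", "sample-4"))
```

The path output is the analyst’s pivot chain in explicit form: sample-1 shares a signer with sample-2, which shares a registered domain with the unsigned sample-4. Registrant e-mail, SSL certificate fingerprints, or mutexes can be added as further node kinds without changing the traversal.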

OPM-Themed Infrastructure

Researchers also identified the domain:

  • opm-learning[.]org

The naming convention and associated registration details suggested possible targeting related to the U.S. Office of Personnel Management (OPM), which had disclosed an intrusion of its own in 2014.

The infrastructure shared similarities with previously identified Chinese espionage operations and further reinforced the broader operational pattern emerging from the investigation.

Unveiling Song Yubo and Southeast University

Open-source analysis later identified possible overlaps between the Whois registrant TopSec_2014@163[.]com, which appeared in the registration records of the suspicious infrastructure, and Song Yubo, a professor affiliated with Southeast University in Nanjing, China.

Additional research indicated:

  • connections between Southeast University and Chinese state-sponsored research programs.
  • funding ties linked to Ministry of State Security (MSS) initiatives.
  • partnerships with Beijing Topsec Technology Co.

Researchers also identified temporal overlap between the registration dates of suspicious infrastructure and a “TOPSEC Cup” information security competition associated with Southeast University and Beijing Topsec.

These overlaps raised additional questions regarding the relationship between academia, private industry, and state-sponsored cyber operations.

Tianrongxin (Beijing Topsec Technology Co.)

Further research conducted alongside external China experts revealed extensive ties between Beijing Topsec and Chinese state security interests.

Research indicated the company:

  • served as a core network security provider for the 2008 Olympic Games.
  • maintained relationships with Chinese military procurement programs.
  • operated research initiatives tied to vulnerability research, intelligence, and encryption technologies.

Public reporting and leaked diplomatic cables also described connections between Beijing Topsec leadership and PLA-directed cybersecurity initiatives.

The broader pattern suggested a coordinated ecosystem involving:

  • academia
  • private industry
  • independent researchers
  • state-sponsored cyber programs

The Anthem breach highlighted the increasingly sophisticated nature of modern cyber espionage operations and the challenges of conducting intelligence analysis with incomplete information.

It also demonstrated the value of historical intelligence analysis, infrastructure correlation, and operational context in uncovering relationships that are not immediately visible during an active incident.

The investigation further underscored several enduring realities:

  • adversaries often exploit small operational gaps
  • inconsistent naming conventions across vendors and teams create analytical friction
  • intelligence analysis requires long-term visibility and contextual understanding

Most importantly, the incident reinforced the importance of collaborative defense and operational intelligence sharing across the cybersecurity community.

Modern threat intelligence depends on the ability to connect fragmented signals, operationalize context quickly, and align analysis across organizations and teams.

April 23, 2024