SAN FRANCISCO — The same Chinese hackers who breached the records of at least 4 million government workers through the Office of Personnel Management appear to have been responsible for similar thefts of personal data at two major health care firms, Anthem and Premera, according to cybersecurity experts.
The attacks, which began last year and were all discovered this spring, appear to mark a new era in cyberespionage with the theft of huge quantities of data and no clear motive for the hackers.
There is no evidence that the data collected was used for criminal purposes like faking identities to make credit card purchases. Instead, the attackers seem to be amassing huge databases of personal information about Americans. Some have high-level security clearances, which the Office of Personnel Management handles, but millions of others do not, and the reasons for their records being taken have puzzled investigators.
All of the attacks have one thing in common: The US government has traced them to China, although it is unclear whether the attackers are working for the state.
Based on forensics, security experts believe the attackers are not one of the hacking units of the People’s Liberation Army, which were named in a federal indictment last year that focused on the theft of intellectual property. Researchers say these hackers used different tools than those utilized by the Liberation Army’s Third Department, which oversees cyberintelligence gathering. But that does not exclude another state-sponsored group or the adoption of new technologies that are harder to trace.
What marks all of the attacks is the scale and ambition of the data sweeps. When Premera said it was the victim of an attack that exposed medical data and financial information, it appeared to involve 11 million customers. Anthem’s involved upward of 80 million Social Security numbers. Medical records, like the government’s personnel records, contain Social Security numbers and birth dates; the medical data is sometimes linked to bank accounts as well.
In February the FBI issued an alert, circulated to a restricted number of major firms and first revealed by Brian Krebs, a security researcher, that said bureau investigators had “received information regarding a group of cyberactors who have compromised and stolen sensitive business information and personally identifiable information from US commercial and government networks through cyberespionage.”
But the theft of personal information has typically been the realm of cybercriminals, who sell it on the underground market where it can be used to break into someone’s e-mail, bank, or trading account, typically for identity theft.
In this case, however, researchers say the group that stole the personal information was known for cyberespionage, which indicates spies are no longer stealing just US corporate and military secrets but also personal data for some later purpose.
The intrusions also suggest that President Obama’s efforts during the past three years to engage China’s leadership in a dialogue that would limit cyberattacks have failed. The pace of the attacks is unabated, and the scope has grown.
Chinese officials say they, too, are victims, and on Friday the Chinese Foreign Ministry said the United States was leaping to conclusions about the source of the attacks based on evidence it has not made public. Beijing dismissed the allegations that China was the source of an attack on federal workers’ data as “unscientific and irresponsible.”