First, I want to start off this blog post by saying that this is purely speculation and that I do not have direct evidence for the initial point of compromise. Krebs On Security is reporting that the breach could have extended all the way back to April of 2014 and was only recently noticed in late December:
In a recent discussion with a peer in the industry, Daniel McCauley, a Senior Threat Intelligence Analyst, mentioned that it was reminiscent of CHS. We were discussing the similarities between this breach and CHS. This attack originated back in April, which is the exact timeframe of Heartbleed’s discovery and of known, well-documented attacks in the wild.
TrustedSec did an original blog post on this and the information around Juniper being the entry point at CHS:
A blog post from Mandiant around the same time as CHS outlined what the breach looked like in the context of Heartbleed. At the time, the CHS breach affected the personal information of 4.5 million individuals.
While post-exploitation is a common practice for attackers, the blog post notes: “Once connected to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization.”
In the most recent public comment (and Mandiant’s only statement): “were using different custom backdoors that are not publicly available”.
While this is all purely speculation, there are a number of similarities between the two breaches, and they appear to have occurred just days apart. Could this be the exact same group and technique that hit CHS many months ago? Time will tell.
Special thanks to Daniel McCauley for the concept.
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.