Black Vine: Anthem hackers share zero-days with rival cyberattackers

The group behind the disastrous Anthem hack is believed to be part of a zero-day sharing network.


Security researchers believe the group behind the Anthem hack is part of a network which distributes zero-day exploits for use against high-profile industries.

Earlier this year, US healthcare provider Anthem was the target of a sophisticated cyberattack which exposed 80 million customer records. Client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers were placed at risk, but the company insists no medical data was taken.

A group dubbed Black Vine is believed to be behind the breach, and Anthem is only one of several campaigns attributed to this well-resourced group.

On Tuesday, cybersecurity firm Symantec released a whitepaper (.PDF) documenting the evolution of Black Vine over the last three years.

According to the company, Black Vine has been in operation since 2012, and the group has compromised companies within the aerospace industry, healthcare, energy, military and defense, finance, agriculture and technology realms.

The group not only has access to a variety of zero-day exploits but also uses customized malware. Symantec explains:

"In its campaigns, Black Vine compromised legitimate websites that were of interest to its targets in order to serve exploits to the sites' visitors.

If the zero-day exploits successfully worked against the vulnerable software on the victim's computer, then they dropped Black Vine's custom malware, providing the attackers with remote access to the computer. In addition to watering-hole attacks, Black Vine also sent spear-phishing emails that disguised its threats using technology-themed lures."

Black Vine's custom malware consists of Hurix and Sakurel (both detected as Trojan.Sakurel) and Mivast (detected as Backdoor.Mivast). These strains can open back doors into systems, execute files remotely, delete, modify and create registry keys, and collect information about the victim system.

The majority of infections have been detected in the United States, followed by China, Canada, Italy and Denmark.

During its analysis, Symantec's researchers noticed that Black Vine used a number of catalogued zero-day exploits at the same time as other threat actors, including Hidden Lynx.

While these linked hacking groups use the same zero-day exploits, Symantec says each group delivers its own distinct payload. The simultaneous use of the same exploits with different payloads "suggests that they all have access to a common zero-day exploit distribution framework," according to the firm.
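The reasoning in the paragraph above (same exploit, different payload, overlapping timeframe) can be turned into a simple correlation check over intrusion sightings. The following Python is an added example written for this page, not Symantec's tooling or anything from the whitepaper; the exploit identifiers (EXP-1 and so on), the dates, the "HL-payload" family name and the 30-day window are all constructed placeholders, not real vulnerabilities or findings.

```python
"""Shared-exploit correlation: an added example, not Symantec's analysis code.

Given sightings of (actor, exploit, payload, first_seen), report exploits that
more than one actor used within a short window while each dropped its own
payload. That is the pattern the article says points to a shared distribution
framework rather than one actor or a public leak.
Exploit IDs, dates and the "HL-payload" family are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Sighting:
    actor: str
    exploit: str      # placeholder identifier, not a real CVE
    payload: str      # malware family dropped when the exploit succeeds
    first_seen: date  # earliest observed use by this actor


# Constructed sample data for illustration only.
SIGHTINGS = [
    Sighting("Black Vine", "EXP-1", "Sakurel", date(2014, 2, 10)),
    Sighting("Hidden Lynx", "EXP-1", "HL-payload", date(2014, 2, 12)),
    Sighting("Black Vine", "EXP-2", "Mivast", date(2014, 11, 3)),
    Sighting("Vidgrab", "EXP-2", "Vidgrab", date(2014, 11, 5)),
    Sighting("Black Vine", "EXP-3", "Hurix", date(2013, 6, 1)),       # single actor
    Sighting("Hidden Lynx", "EXP-4", "HL-payload", date(2013, 1, 1)),
    Sighting("Black Vine", "EXP-4", "Sakurel", date(2013, 9, 1)),     # months later
]


def shared_exploits(sightings, window_days=30):
    """Return {exploit: sorted actor names} for exploits used by two or more
    actors with distinct payloads whose first sightings fall within
    window_days of each other.

    Same-payload reuse is ignored because it may simply be one actor tracked
    under two names; large time gaps are ignored because the later use could
    come from a leak or public disclosure rather than a shared supplier.
    """
    by_exploit = defaultdict(list)
    for s in sightings:
        by_exploit[s.exploit].append(s)

    result = {}
    for exploit, group in by_exploit.items():
        actors = set()
        for a, b in combinations(group, 2):
            if a.actor == b.actor or a.payload == b.payload:
                continue
            if abs((a.first_seen - b.first_seen).days) <= window_days:
                actors.update({a.actor, b.actor})
        if len(actors) >= 2:
            result[exploit] = sorted(actors)
    return result


def likely_common_framework(sightings, min_shared=2, window_days=30):
    """Heuristic: several independently shared exploits, each with divergent
    payloads, is stronger evidence for a common supplier than a single one.
    Returns (verdict, supporting evidence)."""
    shared = shared_exploits(sightings, window_days)
    return len(shared) >= min_shared, shared


if __name__ == "__main__":
    verdict, evidence = likely_common_framework(SIGHTINGS)
    print("common framework likely:", verdict)
    for exploit, actors in sorted(evidence.items()):
        print(f"  {exploit}: {', '.join(actors)}")
```

On the constructed data, EXP-3 is excluded because only one actor used it and EXP-4 because the two uses are eight months apart, leaving EXP-1 and EXP-2 as concurrent, multi-actor, multi-payload exploits. The window and threshold are judgment calls; in practice they should be tuned against the disclosure dates of the exploits in question.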

The framework itself has been dubbed the Elderwood platform. The distribution network, first discovered three years ago, is constantly updated with new zero-day vulnerabilities and threat actors including Hidden Lynx, Vidgrab, Icefog and Sakurel have been linked to its use.

Elderwood has been used to conduct spear-phishing and watering-hole attacks against industries including the defense, IT and human rights sectors, and is believed to originate in China.


Symantec calls Black Vine a "formidable" group with extensive resources that frequently updates and modifies its malware to evade detection by antivirus and security vendors, and it is likely to remain a threat for some time to come.

In related news, a critical persistent injection flaw was discovered this week which allows session hijacking to take place through the Apple App Store and iTunes platform.
