Fujie Wang, Member of Sophisticated
China-Based Hacking Group Indicted for 2015 Data Breach of Health
May 10, 2019
A federal grand jury returned an
indictment unsealed today in Indianapolis, Indiana, charging a Chinese
national as part of an extremely sophisticated hacking group operating
in China and targeting large businesses in the United States, including
a computer intrusion and data breach of Indianapolis-based health
insurer Anthem Inc. (Anthem).
Assistant Attorney General Brian A. Benczkowski of the Justice
Department’s Criminal Division, U.S. Attorney Josh Minkler for the
Southern District of Indiana, Assistant Director Matt Gorham of the
FBI’s Cyber Division and Special Agent in Charge Grant Mendenhall of the
FBI’s Indianapolis Field office made the announcement.
The four-count indictment alleges that Fujie Wang (王 福 杰 in Chinese
Hanzi), 32, and other members of the hacking group, including another
individual charged as John Doe, conducted a campaign of intrusions into
U.S.-based computer systems. The indictment alleges that the defendants
gained entry to the computer systems of Anthem and three other U.S.
businesses, identified in the indictment as Victim Business 1, Victim
Business 2 and Victim Business 3. As part of this international computer
hacking scheme, the indictment alleges that beginning in February 2014,
the defendants used sophisticated techniques to hack into the computer
networks of the victim businesses without authorization, according to
the indictment. They then installed malware and tools on the compromised
computer systems to further compromise the computer networks of the
victim businesses, after which they identified data of interest on the
compromised computers, including personally identifiable information (PII)
and confidential business information, the indictment alleges.
“The allegations in the indictment unsealed today outline the activities
of a brazen China-based computer hacking group that committed one of the
worst data breaches in history,” said Assistant Attorney General
Benczkowski. “These defendants allegedly attacked U.S. businesses
operating in four distinct industry sectors, and violated the privacy of
over 78 million people by stealing their PII. The Department of Justice
and our law enforcement partners are committed to protecting PII, and
will aggressively prosecute perpetrators of hacking schemes like this,
wherever they occur.”
“The cyber attack of Anthem not only caused harm to Anthem, but also
impacted tens of millions of Americans,” said U.S. Attorney Minkler.
“This wanton violation of privacy will not stand, and we are committed
to bringing those responsible to justice. I would also like to thank
Anthem for its timely and substantial cooperation with our
“This case is significant not only because it showcases the FBI’s cyber
investigative capabilities, but also because it highlights the
importance of FBI and private industry relationships,” said Assistant
Director Matt Gorham. “Because the victim companies promptly notified
the FBI of malicious cyber activity, we were able to successfully
investigate and identify the perpetrators of this large-scale, highly
sophisticated scheme. The FBI is committed to investigating
cyber-attacks that compromise American industry and the American people.
As we did in this case, we will work side by side with victim companies
to ensure justice is served.”
"Anthem's cooperation and openness in working with the FBI on the
investigation of this sophisticated cyber-attack was imperative in
allowing for the identification of these individuals. This also speaks
to the strong partnerships the FBI has with the private sector, as well
as the tenacity and global reach of the Bureau," said Special Agent in
Charge Grant Mendenhall. "It should also be noted that the speed with
which Anthem initially notified the FBI of the intrusion on their
networks was also a key factor in being able to determine who was
responsible for the breach and should serve as an example to other
organizations that might find themselves in a similar situation."
The indictment further alleges that the defendants then collected files
and other information from the compromised computers and then stole this
data. As part of the computer intrusion and data breach of Anthem, the
defendants identified and ultimately stole data concerning approximately
78.8 million persons from Anthem’s computer network, including names,
health identification numbers, dates of birth, Social Security numbers,
addresses, telephone numbers, email addresses, employment information
and income data, according to the indictment.
Wang and Doe are charged with one count of conspiracy to commit fraud
and related activity in relation to computers and identity theft, one
count of conspiracy to commit wire fraud, and two substantive counts of
intentional damage to a protected computer.
According to the indictment, the defendants used extremely sophisticated
techniques to hack into the computer networks of the victim businesses.
These techniques included the sending of specially-tailored
“spearfishing” emails with embedded hyperlinks to employees of the
victim businesses. After a user accessed the hyperlink, a file was
downloaded which, when executed, deployed malware that would compromise
the user’s computer system by, in pertinent part, installing a tool
known as a backdoor that would provide remote access to that computer
system through a server controlled by the defendants.
The defendants sometimes patiently waited months before taking further
action, eventually engaging in reconnaissance by searching the network
for data of interest, according to the indictment. This data included
PII and confidential business information. The indictment alleges that
the defendants accessed the computer network of Anthem without
authorization for the purpose of conducting reconnaissance on Anthem’s
enterprise data warehouse, a system that stores a large amount of PII,
on multiple occasions in October and November 2014.
The indictment further alleges that once the data of interest had been
identified and located, the defendants then collected the relevant files
and other information from the compromised computers using software
tools. The defendants then allegedly stole the data of interest by
placing it into encrypted archive files and then sending it through
multiple computers to destinations in China. The indictment alleges that
on multiple occasions in January 2015, the defendants accessed the
computer network of Anthem, accessed Anthem’s enterprise data warehouse,
and transferred encrypted archive files containing PII from Anthem’s
enterprise data warehouse from the United States to China.
Finally, the defendants allegedly then deleted the encrypted archive
files from the computer networks of the victim businesses, in an attempt
to avoid detection. In late January 2015, the defendants deleted certain
archive files containing PII that they had previously transferred from
Anthem’s enterprise data warehouse.
Wang is specifically alleged to have controlled two domain names
connected to the criminal activity. According to the indictment, one of
these domain names was associated with a backdoor used in the intrusion
victimizing Victim Business 1, and the other was associated by Wang with
a server used to create an email account used to conduct spearfishing
attacks against employees of Victim Business 3.
This case was investigated by the FBI’s Indianapolis Field Office.
Senior Counsel William A. Hall, Jr. of the Criminal Division’s Computer
Crime and Intellectual Property Section and Assistant U.S. Attorney and
Deputy Chief of the General Crimes Unit Steven D. DeBrota of the
Southern District of Indiana are prosecuting the case. Significant
assistance was provided by the Justice Department’s National Security
Division and the Criminal Division’s Office of International Affairs.
Charges contained in an indictment are merely allegations, and the
defendants are presumed innocent until proven guilty beyond a reasonable
doubt in a court of law.