Symantec today published a whitepaper on a highly resourceful cyberespionage group called Black Vine that has been operating since 2012. 

Symantec believes that Anthem breach was just one of the multiple attacks by this group. Earlier this year, Anthem, the second largest health insurance provider in the US publicly disclosed that it had been the victim of a major cyberattack. The attack against Anthem resulted in the largest known healthcare data breach to date, with 80 million patient records exposed. The group has access to zero-day exploits, most likely obtained through the Elderwood framework, and uses custom-developed back door malware. By connecting multiple Black Vine campaigns, we traced how the attack group has evolved over the last three years.

Black Vine has compromised companies in the following industries:

• Aerospace
• Healthcare
• Energy (gas & electric turbine manufacturing)
• Military and defense
• Finance
• Agriculture
• Technology

The vast majority of Black Vine malware infections were located in the US, followed by China, Canada, Italy, Denmark, and India.

Protection 

Symantec has the following detections in place to protect against Black Vine’s malware:

Antivirus 

• Backdoor.Mivast
• Trojan.Sakurel

Intrusion prevention system 

• System Infected: Trojan.Sakurel Activity

Conclusions 

Black Vine is a formidable, highly resourced attack group which is equipped to conduct cyberespionage against targeted organizations. Based on its record of past activities,Symantec believes that Black Vine’s malicious activity will continue.

We hope that our whitepaper will allow organizations to better understand the risk that this attack group poses, helping them to develop stronger defenses for their sensitive information.