Russian hackers are targeting hundreds of US hospitals and healthcare providers just as the coronavirus is making a comeback and the US presidential election is in its final stretch, officials from three government agencies and the private sector are warning.
The hackers typically use the TrickBot network of infected computers to penetrate the organizations and after further burrowing into their networks deploy Ryuk, a particularly aggressive piece of ransomware, a joint advisory published by the FBI, Health and Human Services, and the Cybersecurity & Infrastructure Security agency said.
“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” Wednesday evening’s advisory stated. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
Security firm Mandiant said much the same in its own notice, which provided indicators of compromise that targeted organizations can use to determine if they were under attack.
Mandiant Senior VP and CTO Charles Carmakal said in an email to reporters that the targeting was “the most significant cyber security threat we’ve ever seen in the United States.” He went on to describe the Russian hacking group behind the plans as “one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career.” Already several hospitals have come under attack in the past few days, he said.
“The intention by the threat actor is to hit hundreds of other organizations out there,” he said in an interview. “Most threat actors don’t want to deliberately hit hospital organizations. There’s an ethical line and they choose not to cross it. This particular actor, they have no problem crossing the line. They’re actively targeting healthcare and hospital organizations.”
There are reports of a handful of hospitals that have been hit with cyber attacks over the past few weeks. CNN said it had confirmed that “Universal Health Services, a hospital health care service company based in Pennsylvania; St. Lawrence Health Systems in New York; and the Sky Lakes Medical Center in Oregon were all infected over the past few days.”
Two weeks ago, Microsoft and a host of industry partners took coordinated action to disrupt TrickBot. In a first wave, the partners shut down 62 of 69 command-and-control servers known to be used by the group. When the hackers responded by spinning up 59 new servers, the partners took down all but one. The blows kept the TrickBot operators scrambling to keep the botnet alive.
Microsoft said it took action to protect the US election systems from crippling ransomware attacks in the lead-up to the elections. The New York Times reported that the disruption worked both ways, because it hampered some of the methods researchers have used in the past to track the group.
“The challenge here is because of the attempted takedowns, the TrickBot infrastructure has changed and we don’t have the same telemetry we had before,” the Times quoted Alex Holden, founder of Milwaukee-based Hold Security, as saying. The targeting of hundreds of hospitals indicated the group was using new tactics. Among the new tactics: targeting routers and other types of Internet-of-things devices, which are much harder to bring down.
With both the public and private sectors warning of a grave threat to a critical infrastructure at a crucial time, people in the healthcare industry would do well to check logs, install patches, educate employees about phishing attacks, and take other precautions. The above-linked US government and Mandiant posts also provide a host of actionable advice.
“If you are in #healthcare, you can’t afford to ignore this,” security firm Giga Systems tweeted. “This is not a drill. You are under attack.”