Government Warns Of ‘Imminent Cybercrime Threat To U.S. Hospitals’
‘We’re aware of multiple hospitals that have had to reroute patients to other hospitals. And so you think about it from a human perspective, the ramifications are tremendous here. You’re potentially dealing with real impact to human lives or at least patient care to people that really need it, especially during this pandemic,’ FireEye Mandiant CTO Charles Carmakal tells CRN.
A “brazen” gang of Eastern European cybercriminals has hit more than three U.S. hospitals with ransomware this week, attacks that have prompted the hospitals to reroute ambulances and “reroute patients,” said Charles Carmakal, CTO of FireEye Mandiant.
“We’re aware of multiple hospitals that have had to reroute patients to other hospitals,” Carmakal told CRN. “And so you think about it from a human perspective, the ramifications are tremendous here. You’re potentially dealing with real impact to human lives or at least patient care to people that really need it, especially during this pandemic.”
A joint cybersecurity advisory published Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health and Human Services (HHS) said the virus is a strain of Trickbot malware, “often leading to ransomware attacks, data theft and the disruption of health-care services.”
“CISA, FBI and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and health-care providers,” the advisory stated. “CISA, FBI and HHS are sharing this information to provide warning to health-care providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
According to cybersecurity blogger Brian Krebs, the Department of Health and Human Services hosted a call for hospital executives Wednesday that contained the same warning of a “credible” and “imminent cybercrime threat to U.S. hospitals and health-care providers.”
FireEye Mandiant’s Carmakal said near the outset of the COVID-19 pandemic, some ransomware syndicates publicly declared hospitals off-limits, but the threat to human life only seems to entice this group, dubbed UNC1878.
“They have clearly crossed any lines that most threat actors have set,” he said.
Three hospitals have been locked up with ransomware in the past week. According to several local news reports, the hospitals are part of St. Lawrence Health Systems in upstate New York. Another hospital was reportedly locked with ransomware in Oregon Tuesday.
“It’s probably the most urgent ... cybersecurity news that we’ve shared with anybody in the last nine years that I’ve been at this company,” Carmakal told CRN. “What we’re dealing with right now is a very brazen threat actor that is deliberately targeting hospital organizations in an attempt to make money.”
Kevin McDonald, chief information security officer at Alvaka Networks, an Irvine, Calif.-based solution provider, said the crime syndicates know that from the minute they strike, the clock is on their side.
“Patients don’t have time to wait for treatment,” he said. “In some cases, you can’t wait for that blood test, you can’t wait for that CT scan. Therefore, the hospitals and the insurance providers are going to be much more likely to pay much more quickly than they would be if it were a widget manufacturer.”
UNC1878 is a “financially motivated” group that operates in Eastern Europe, said Carmakal, adding that his team has been following its activity for years.
“We’re very familiar with them,” he said.
In these attacks on hospitals, it appears that UNC1878 coordinated with other bad actors who conducted the phishing phase of the campaign and, once it was successful, UNC1878 took control of the attack.
“This group is the one that tends to escalate privileges,” Carmakal said. “Once they have access to that first system, they move laterally and escalate privilege some more. They look for critical infrastructure, or critical servers, within the organization. They look for backup systems. They deliberately destroy backup systems in an effort to make it more difficult for your organization to recover from the incident. And what they’ll do is very broadly deploy and encrypt your system across as many servers, workstations and laptops as they possibly can.”
Some of the hospitals have shut down their networks to stop the virus from spreading, Carmakal said, which has caused ambulances to be rerouted and patients to be moved. Last month a German hospital was hit by ransomware, forcing it to cancel the surgery of a Düsseldorf woman and transfer her nearly 20 miles to another hospital. She died during the trip, in what authorities there called the first case of a death linked directly to ransomware.
Mark Essayian, president of KME Systems in Lake Forest, Calif., said the U.S. attack, which also caused ambulances to be rerouted, is the same only in this case it appears no one was hurt.
“It is one step removed from an act of war,” he told CRN. “This is intentional. They know that people are going to die. We have to stop these entities from harming American citizens.”
To help, FireEye has published some of what it knows about the gang, including indicators of compromise that show the common subject lines in phishing emails, as well as tactics that hospitals can use to harden their systems against attack.
“We’ve been tracking them for several years now,” Carmakal said. “We hope that we’re helping hospitals, but really all organizations across all sectors right now that have been actively targeted by this group, we’re sharing the indicators of compromise related to this group. We’re sharing very deep, detailed information around how they conduct their operations—the tools, the tactics, the procedures that they use.”