Cyber-criminals and pariah nation-states are taking advantage of the disruption caused by the pandemic to run amok.
Few things elicit the question of ethics than a lawyer chasing an ambulance leaving a road traffic accident or a hacker targeting a hospital during a global pandemic crisis, but the latter is precisely what has been happening since February.
The public and government officials alike, are outraged that cyber criminals would target health systems during a time of global pandemic crisis.
Increase in Cyber Attacks Against Healthcare
As our brave doctors and nurses fight each day to save lives those infected with the coronavirus, hackers and pariah nation-states fight each day to break into our health systems and research centers working on a vaccine or a cure. Ironically, both the virus and many of those engaged in the theft of research into a vaccine appear to come from the same country.
Between the months of February and May of this year, there have been 132 reported breaches of healthcare covered entities, according to the HHS. This is an almost 50% increase in reported breaches during the same time last year. Perpetrators appear to be taking advantage of a distracted often remote workforce easily susceptible to phishing and other scams, or gaining access to hospital networks through insecure medical devices and other healthcare IoT systems. "These systems are notoriously difficult to secure and are an acknowledged cybersecurity risk," claimed Tim Ozekcin, CEO of biomedical security company, Cylera.
In a letter this week signed by international political and business leaders, the International Committee of the Red Cross called for governments to take “immediate and decisive action” to punish cyber attackers.
“There are more and more cyberattacks...on the healthcare sector and unless there are really strong measures taken, they will continue,” said Cordula Droege, chief legal officer at the ICRC. “What we’re seeing at the moment are still indications of how devastating it could be.”
Also this week, NATO, issued a statement condemning the "destabilising and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals and research institutes. These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most, and jeopardise our ability to overcome the pandemic as quickly as possible."
Invoking its founding principle of Collective Defense and its’s more recent Cyber Defence Pledge, NATO confirmed that it is ready to take action against the perpetrators of these cyber attacks.
"Reaffirming NATO's defensive mandate, we are determined to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats," NATO said.
The World Health Organization has reported a 500% increase in cyberattacks on its systems during the spread of the Coronavirus pandemic through April compared with the same period last year, and has been dealing with a major email security breach at the same time while trying to deal with the largest pandemic to hit the world on over a century.
So far this year, the U.S. Department of Health and Human Services has investigated 177 data-breach incidents at medical organizations, nearly double the 91 under investigation in the same period in 2019.
Opportunistic Rise in Cyber-Crime
Cyber-crime appears on the rise everywhere while most of us are out of our comfort zone working from home or otherwise disrupted. According to the FBI, the number of reported cybercrimes has quadrupled for the period of December - April compared to the same period last year. The FBI’s Internet Crime Complaint Center, known as the IC3, has been swamped with 3 to 4 times the usual number of calls each day as COVID-19 spread across the United States.
According to Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, "there was this brief shining moment when we hoped that, you know, 'gosh cybercriminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly, that has not been the case," she reported.
The US FTC has reported that approximately $12 million has been lost due to Corona-virus-related scams since January. But it’s not just the US that has been targeted either. One man in Singapore tried to abscond with €6.64 million from a European pharmaceutical company after taking an order for surgical masks and hand sanitizer that he had no intention of delivering. Thanks to the quick actions of Interpol and Singapore authorities the money was returned and the man arrested.
Hundreds of fake domains have been registered by criminals with names to entice the unsuspecting to click a link to a Coronavirus news site, health and well-being site, or to a charity site supporting everything from animal shelters for abandoned pets to food banks for the suddenly unemployed. At least one has even attempted to purport to be part of the Centers for Disease Control in Georgia otherwise known as the CDC. And a whole range of fraudulent websites have been setup to supply N95 masks, rubber gloves and other personal protective equipment (PPE) where users place an order never to see any goods – only fraudulent transactions on their credit cards. Many hospitals have also been defrauded in similar ways, receiving sub-par equipment from primarily Mainland Chinese manufacturers that could not be used and had to be disposed of, or received none at all.
Intellectual property theft especially at hospitals and research institutes working on investigation of the virus or potential vaccines for COVID-19 has also been rife, especially from so-called international partners, some of whom may have been already compromised. Nation-state-actors are focused on gathering information about the response of US states to the ongoing pandemic and the progress of the research on vaccines with more than one nation-state appearing to be involved.
“We’re very concerned now that we have these very sophisticated actors - nation-states, particularly China and Russia - targeting Covid-19 research, treatment protocols and vaccine development,” said John Riggi, Strategic Advisor for Cybersecurity and Risk at the American Hospital Association.
The message to watch out for potential theft of intellectual property has gone out right across the industry, especially by sophisticated nation-state actors according to officials at a number of leading academic medical centers. "Its like we're fighting two battles at the same time - the Covid-19 pandemic and defending against an escalation in cyber attacks against healthcare, " claimed Chad Wilson, CISO of Stanford Childrens' Hospital.
Medical Research Targeted
Most alarmingly though, is a spate of targeted ransomware attacks against medical research facilities. In March, hackers swarmed two websites belonging to Paris’s hospital authority, known as AP-HP. In the same month, a number of Czech hospitals and medical research centers were also attacked, by as yet unknown perpetrators in what is thought to be a combined infiltration-theft and ransomware attack. The latter attack breached one of the major Czech COVID-19 testing laboratories at Brno University Hospital in Moravia. According to Reuters,“The country’s NUKIB cybersecurity watchdog said the attacks, were designed to damage or destroy victims’ computers by wiping the boot sector of hard drives.” The similarity with Russian GRU attacks against Ukrainian and other targets last year would tend to indicate nation-state involvement based upon the boot sector wiping first attributed to the Russian GRU's 'Not Petya' attacks in June 2017.
Colorado Medical Center Hit
But ransomware attacks against hospitals have hit closer to home. At least one US hospital was hit recently by ransomware that encrypted its entire EMR system and its local backups. This was not a random broadcast attack but one carefully crafted against a known Pueblo, Colorado hospital late on some of its patching of perimeter devices.
This represents a daring escalation by cyber extortionists and risks a very real response by the United States. A mere two days before Parkview was hit, Mike Pompeo, US Secretary of State warned that there would be "zero tolerance" for such attacks.
"As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results," Pompeo said. "Anyone that engages in such an action, should expect consequences," he added.
Drawing a Line in the Sand
Whether the pandemic cyber-attacks are just highly opportunistic criminals with no moral compass, or are a deliberate escalation of the hybrid warfare executed by a few pariah nation-states that have been pushing the boundaries of acceptability over the past few years, the perpetrators are treading on very dangerous ground.
Attacks against national critical infrastructure risk a very different kind of response from governments the world over. Just over a year ago, the Israeli Defense Forces (IDF) dealt a very firm blow to known perpetrators of cyber-crime who were planning an attack on Israel with an airstrike that wiped out HamasCyberHQ flattening the building and all inside before the attack could take place.
The US has also taken out a number of cybersecurity adversaries with drone launched hellfire missile attacks in Syria over the past few years. In fact, the US has reserved the right to retaliate against cyber-attacks with military force since 2011. The lifelong prospects therefore, for those cybercriminal elements that deliberately target US hospitals and medical research facilities obviously don't look too good.
Whether and how the US and other countries decide to respond to attacks against life-sustaining critical infrastructure like hospitals and healthcare research is a topic of hot debate. One issue is the problem of attribution. It's difficult to positively attribute an attack to an individual or a group especially when more sophisticated attackers are good at covering their tracks or leaving breadcrumbs that point to others. Its also time-consuming, meaning that many years can go by before the culprit of an attack can be finally identified and dealt with.
Once identified, however, there are a wide range of options open to governments, extradition being only one of them. The international rule of law is opaque at best and needs to meet different standards and evidentiary bars in each country and its respective legal system. Even then, some people are considered beyond the law due to their connections. Some countries, notably Russia and the communist block, lack extradition treaties with the rest of the world. Going after perpetrators via legal means in the Peoples Republic of China or North Korea is also senseless as they usually operate at the behest of the state, unlike Russia that employs freelance proxies in order to claim plausible deniability. Therefore, governments sometimes need to employ other methods, as Bobby Chesney the co-founder of the Lawfare blog and a very highly respected figure in US national security circles, explained during a recent podcast.
According to Chesney, there are many perfectly legal avenues for US government agencies to pursue in the apprehension of cybercriminals that dare go after critical US Infrastructure, especially at a time of declared national emergency. "There is an unpublished line in the sand that if crossed could mean significant consequences for those that do" he claims.
That includes a wide range of punitive measures including black ops, as Roman Seleznev the son of a close Putin ally who was widely regarded as being beyond the law in Russia found out in 2017. Renditioned to the USA, tried and convicted of cybercrimes in at least two different states, Seleznev has the next 27 years to look forward to as a guest of the US prison service.
A Change of Focus
Recognizing that not all cyber attacks can be prevented, many CISOs are focusing more of their attention on the Detect, Response and Recover segments of the NIST CSF. Their focus is on limiting damage and restoring functionality as quickly as possible to minimize impact. "Every minute a critical hospital system is down could mean patient lives, so speedy restoration is critical," claimed Esmond Kane, CISO of Steward Health. "The fact that a breach occurred or a perpetrator was able to gain access to the network and HIT systems, is of secondary concern once systems are back up and running. We have to deal with that later" he adds.
Recovery from Attack
In order to turn the lights back on and restore systems following a cyberattack, a hospital must first eradicate all traces of the ransomware and other malware, then carefully restore data from off-site backup tapes or cloud storage. First, however, the malicious exploit and ransomware code must be identified, forensically preserved by law enforcement for later prosecution of perpetrators, and systems cleaned up and formatted. This can be very time consuming, taking many days and of course, will impact patient care and safety.
Perpetrators also know that thanks to better backup procedures following WannaCry, victims have comprehensive and disconnected backups of their data to avoid paying ransoms which would be illegal in many jurisdictions. Hence they are now executing combined infiltration-theft extortion attacks, as was seen in the Czech Republic. Non-Public data is exfiltrated as part of the attack and when the ransomware clock runs out without a payment being made, a perpetrator will release some protected data to the public internet with a second extortion payment demand threatening to release more regulated PII and PHI data. This is similar to a recent REvil Attack against a Los Angeles celebrity law firm that claimed to have masses of dirty laundry on Donald Trump as well as contracts and other documents for celebrity clients.
Containment and Risk Mitigation
While adoption of a ZeroTrust security framework and the implementation of network segmentation will severely limit the lateral spread of malware across a hospital network, one of the greatest recovery problems is the identification of sleeper malware or extraneous communications by that malware to command and control severs. "That's where Cylera’s MedCommand software comes into its element" claimed Michael Archuleta, CIO of Mt. San Rafael Hospital in Trinidad, CO, "It can quickly identify suspicious network traffic and trace that traffic back to malware that can then be eradicated from the network so that restoration of Health IT systems can commence."
It's just one more use of the Cylera MedCommand system in addition to its primary objective of identifying healthcare IoT (HIoT) connected assets, profiling, and risk assessing them for security group tag allocation and for network micro-segmentation under Zero Trust. Its also in addition to a recent feature that was added to the software that allows those who are responsible for managing medical devices and other HIoT assets to observe device utilization for better allocation of patients to available devices - something that has become critical when medical devices are short on supply and stretched to capacity under a global pandemic.
More about Cylera MedCommand
Many healthcare IT and Security teams are yet to even gain a full understanding of which medical and IoT devices are connected to their network, much less an understanding of their level of risk and susceptibility to different forms of malware. Cylera’s MedCommand is an agent-less solution designed to fill this capability gap. MedCommand provides organizations with a complete, real-time inventory of all connected HIoT devices, an understanding of the vulnerabilities affecting them, information on their configurations and patch levels, and real-time threat detection tailored to each device. Teams can then make use of Cylera’s actionable recommendations and automated micro-segmentation policy generation to proactively protect HIoT devices and provide a missing layer of security to the devices that need it most.
To learn more about MedCommand and how it may help you identify suspicious traffic on your network contact us to request a demo.