Ransomware attacks heightened during the coronavirus pandemic. (WeissenbachPR/Flickr)

Cyber attacks skyrocket amid pandemic as hackers target health care sectors

Cyber security systems everywhere are struggling to defend against evolving digital threats catalyzed by COVID-19’s far-reaching effects.

Trevor Kane
GovSight Civic Technologies
9 min read · May 21, 2020


State-backed hackers and other cybercriminal groups have ramped up devastating ransomware attacks on health care systems, government organizations, companies and researchers collaborating on coronavirus treatments and vaccines.

The U.S. Department of Homeland Security (D.H.S.), Cybersecurity and Infrastructure Security Agency (C.I.S.A.) and the U.K.’s National Cyber Security Centre (N.C.S.C.) issued a joint warning on April 8 that cybercriminal organizations and advanced persistent threat (A.P.T.) groups — state-sponsored hacking teams — are using the pandemic to target individuals and organizations of all sizes with COVID-19-related scams and ransomware attacks delivered via phishing emails and text messages.

The agencies noted that although they have not seen an overall increase in cybercrime activities, they are witnessing a steep rise in malicious cyber actors channeling their efforts into using coronavirus themes “to prey on people’s appetite for information and curiosity towards the outbreak.” Their report also anticipated that these cyber attacks would increase in severity and frequency during the coming months.

In a similar manner, the International Criminal Police Organization’s (INTERPOL) Cybercrime Threat Response team released a cautionary statement to its 194 member countries that all vital organizations and infrastructure helping to respond to the virus now face significantly higher risks of being bombarded by ransomware attempts, which have grown in complexity, intensity and scope.

Once the pandemic began, many hackers shifted their tactics, tailoring ransomware attacks to gain covert access to an organization’s critical systems, including those of hospitals and drug manufacturers working on coronavirus treatments and vaccines. They lock entities out of their own systems, virtually holding them hostage and preventing victims from accessing vital files and controlling infrastructural processes until ransom payments are made.

Often these malicious cyber actors give a deadline for the victim to pay — some demanding cryptocurrencies such as Bitcoin or Ethereum, which cannot easily be tracked and are not regulated by monetary authorities.

Increased coronavirus phishing attempts

One of the most common ways ransomware attackers gain a foothold in an entity’s systems is through phishing emails and text messages custom designed for their target. Security experts at Google say they have observed more than a dozen A.P.T.s using the pandemic as cover for phishing and malware attempts, while Microsoft recently identified successful attacks using COVID-19-themed phishing lures across 241 countries and territories.

Phishing warning. (Christiaan Colen/Flickr)

Phishing tactics primarily act as the reconnaissance and surveillance stage that precedes ransomware’s assault. A.P.T.s and other cybercriminals rely on manipulating innate human characteristics such as curiosity, anxiety and concern about a topic to draw recipients into completing an action that delivers ransomware onto the target’s phone or computer.

Many phishing emails and text messages pose as trustworthy sources such as the World Health Organization, a local government agency or an individual who introduces themselves with a “Dr.” in their name. They use COVID-19 subject lines and usually try to persuade the recipient to download an app that claims to be a real-time coronavirus outbreak tracker or something else of interest, when really the attached link delivers ransomware that, once clicked, locks the owner out of the device and grants the sender full administrative access.

Already, phishing scams have been used to hack Paycheck Protection Program loans aimed at small business relief.

A growing national security concern

But it wasn’t until recently that ransomware changed from being a simple criminal issue to a major national security concern, Rob Knake, former director of cyber policy for the Obama administration’s National Security Council, told the Council on Foreign Relations.

Warnings of increased malicious A.P.T. activity have also emerged from the Federal Bureau of Investigation. On April 16, F.B.I. Deputy Assistant Director Tonya Ugoretz said foreign hackers had broken into several companies hard at work on COVID-19 treatments, adding that the targeting of pharmaceutical industries by state-backed hackers is “certainly heightened during this crisis.”

An updated version of the alert released by C.I.S.A. and N.C.S.C. on May 5 highlights how A.P.T. actors are actively targeting healthcare systems, pharmaceutical companies, academia, medical researchers and governments to “collect bulk personal information, intellectual property, and intelligence that aligns with national priorities” and “steal sensitive research data for commercial and state benefit.” The statement also warns that malicious cyber groups would focus some of their efforts on disrupting national and global supply chains, a foothold that could then be leveraged to infiltrate higher-value targets that are harder to penetrate directly.

Then a suspected group of Iranian-backed hackers under the moniker “Charming Kitten” targeted U.S. drugmaker Gilead, a pharmaceutical manufacturer recently touted by President Donald Trump for its announcement of a phase-three trial of the antiviral drug remdesivir for coronavirus patients, according to Reuters. The hackers attempted to compromise a top executive’s email account by sending a fake email login page intended to steal passwords that were vital to the company’s security and infrastructure. Gilead declined to disclose whether the attack was successful, saying that company policy prevents it from commenting on security matters to the public.

Cyber attacks threaten national security. (Christiaan Colen/Flickr)

Another recent cyber intrusion attempt, discovered by an Israeli company called Check Point Software Technologies, reveals how dangerous and sophisticated these tools have become. On May 7 the firm reported that a debilitating new piece of malware called Aria-body was linked to an A.P.T. called Naikon. The group — whose origins trace back to the Chinese military — was revealed to have infiltrated state-owned companies and government bodies in the Philippines, Indonesia, Vietnam, Myanmar and Brunei earlier this year.

In Naikon’s most recent attempt, its operatives took remote control of a computer being used by an Indonesian diplomat in Australia’s capital, Canberra, according to the New York Times. They found an unfinished document being worked on by the envoy and completed it with Aria-body embedded discreetly within, before emailing it off to a staff member who works for the premier of Western Australia in the health sector — all while maintaining an appearance of authenticity.

Fortunately for the diplomatic community, the email never reached its intended recipient because the hacker sent it to the wrong address, which immediately raised suspicions once the premier’s office’s servers returned the message with a memo saying the destination could not be found.

Had the document been received and opened, Aria-body’s intrusion would have given its users immensely powerful capabilities. Aria-body can cover its tracks to avoid detection by security systems; its operators know how to alter the malware’s code and move laterally with ease, which means its appearance can be reshaped after attacking one computer so that the next one in line cannot recognize the same threat. They have the ability to search for files, create or delete them, or copy and encrypt information, which can then be uploaded to outside servers over untraceable communication channels.

But perhaps the most impressive and worrying aspect of Aria-body’s programming is its ability to record whatever a person types into their computer in real time (keylogging), which could give A.P.T.s highly accurate insights into how people and organizations think.

The F.B.I., D.H.S. and C.I.S.A. issued a revamped statement on Wednesday condemning computer hackers they say are associated with China’s government and military, warning that they pose a “significant threat” to organizations researching COVID-19 treatments and vaccines, although no explicit mention was made of Naikon.

Zhao Lijian. (Foreign Affairs Ministry of China)

Zhao Lijian, China’s foreign ministry spokesman, denied his government’s involvement with or support of hacking institutions that conduct research on the coronavirus or steal data, claiming China is a world leader in COVID-19 research and a victim of cyber attacks, not a perpetrator.

Which is partly true: A Silicon Valley-based cyber security firm called FireEye discovered on April 22 that a Vietnamese group known as APT32 was carrying out cyber espionage and data exfiltration campaigns against both China’s Ministry of Emergency Management and Wuhan’s municipal government “from at least January and April 2020 … to collect intelligence on the COVID-19 crisis.” Some international observers pondered whether this partly accounts for Vietnam’s successful coronavirus containment efforts, as well as its economic outlook, which so far appears less hard-hit than most other countries.

Health systems are under increasing attack

Health care systems are particularly vulnerable as they are deluged with coronavirus patients and patient information. Workers need access to vital software and files, making hospital networks easy targets if computers are left in an unsecured state for even a brief moment.

Ransomware attackers have noticed this and taken advantage, becoming much more proficient at launching crippling attacks on hospitals that rely heavily on digital systems to store confidential information for COVID-19 and non-COVID-19 patients.

These electronic health records essentially act as a hospital’s central nervous system, which means health care workers no longer have an easy way to access vital information if cyber actors incapacitate critical functions.

Some hard-hit hospitals that do not have the money to pay ransomware extortion fees — or simply choose not to — are forced into more extreme measures: moving patients to other hospitals, closing down emergency rooms and canceling elective surgeries, according to Caleb Barlow, CEO of CynergisTek, a cyber firm which helps more than 1,000 hospitals secure their data.

Hospitals are battling the pandemic on the frontlines — in person and online. (Florida National Guard/Flickr)

On April 21, ransomware aimed at Parkview Medical Center in Pueblo County, Colorado, rendered the hospital’s patient-information systems inoperable, forcing staff to revert to a cumbersome paper-and-pen recording system to track and treat patients. Similar cyber attacks on health infrastructure have also been reported within the past two months in France, Spain and Thailand, as well as at Brno University Hospital in the Czech Republic, which houses the country’s largest COVID-19 testing lab.

Hidden cyber dangers loom just as large — if not larger — for the world’s largest multinational health conglomerates. In the beginning of May, a new “Snake” ransomware strain assaulted technology systems belonging to Fresenius Group — Europe’s largest private hospital operator — limiting all parts of the company’s operation except for patient care. Security experts said this Snake strain was able to identify IT processes linked to large-scale industrial control systems, such as manufacturing networks, and shut them down before encrypting.

Fresenius employs more than 300,000 people in over 100 countries across health sectors ranging from hospitals to drugs to 40% of the world’s kidney dialysis centers. The cyber attack destabilized operations in all of them, according to KrebsOnSecurity.

This is especially worrisome for the influx of COVID-19 patients who might experience kidney failure on top of other severe symptoms.

How should victims respond to attacks?

Health care systems face a difficult choice in whether to pay their virtual hostage takers; much of it depends on the reliability of their backup systems. Even if ransomware victims do pay off their blackmailers, they can never be certain that their data will be returned to them or that the attacker will refrain from going after them again, according to CynergisTek’s CEO.

“The reality is that you are up against a human adversary that can see what you’re doing. If you pay them, all you’re doing is fueling their coffers to go attack more people. On the other hand, if you don’t pay them, even if you can restore from backup, they likely had access to the data in your system,” he said. “They may now extort you in other ways. For companies that decide not to pay, the bad guys start posting the data.”

The F.B.I., Microsoft and other major entities have said on multiple occasions that ransom demands from cyber attacks should not be paid. Aside from incentivizing future attacks, the overall cost of recovery can be double the amount of the ransom paid — and there is no easy path back.

These scenarios squeeze health systems into impossible situations because the way they prepare for and respond to ransomware attacks has huge implications for all parties involved: It can literally be the difference between life and death for patients in affected regions.
