Russian hackers target hundreds of U.S. hospitals and healthcare providers just as the coronavirus is making a comeback and the U.S. presidential election is in its final stages, officials from three government agencies and the private sector warn.
The hackers usually use the TrickBot network of infected computers to break into the organizations and, once they have dug into their networks, deploy Ryuk, a particularly aggressive ransomware, according to a joint advisory from the FBI, the Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency.
"CISA, FBI and HHS have credible information about an increased and imminent threat to US hospitals and health care providers from cybercrime," the recommendation said on Wednesday evening. "CISA, FBI and HHS are sharing this information to warn health care providers and ensure they are taking timely and appropriate precautions to protect their networks from these threats."
Security firm Mandiant said much the same in its own advisory, which provided indicators of compromise that targeted organizations can use to determine whether they have been attacked.
Charles Carmakal, senior vice president and CTO of Mandiant, said in an email to reporters that the targeting is "the greatest cybersecurity threat we have ever seen in the US." He described the Russian hacking group behind the campaign as "one of the most brazen, heartless, and disruptive threat actors I've seen in my career." Several hospitals have been attacked in the past few days, he said.
"The threat actor's intention is to meet hundreds of other organizations out there," he said in an interview. "Most threat actors do not want to hit hospital organizations on purpose. There is an ethical line and they choose not to cross it. With this particular actor, they have no problem crossing the line. They are actively targeting health and hospital organizations."
There have been reports of a handful of hospitals that have been hit by cyberattacks in the past few weeks. CNN said it had confirmed that "Universal Health Services, a Pennsylvania-based hospital health company; St. Lawrence Health Systems in New York; and Sky Lakes Medical Center in Oregon have all been infected for the past few days."
Two weeks ago, Microsoft and a variety of industry partners took coordinated action to disrupt TrickBot. In a first wave, the partners shut down 62 of the 69 command and control servers known to be used by the group. When the hackers brought up 59 new servers, the partners shut down all but one. The takedowns kept the TrickBot operators busy just keeping the botnet alive.
Microsoft said it was taking the steps to protect U.S. electoral systems from crippling ransomware attacks ahead of the elections. The New York Times reported that the disruption cut both ways, as it also interfered with some of the methods researchers had used in the past to track the group.
"The challenge is that the TrickBot infrastructure has changed and we no longer have the same telemetry as before," the Times quoted Alex Holden, founder of Hold Security in Milwaukee, as saying. The targeting of hundreds of hospitals showed that the group was employing new tactics. Those new tactics include the use of routers and other types of Internet of Things devices, which are much harder to shut down.
With both the public and private sectors warning of a serious threat to critical infrastructure at a crucial time, healthcare organizations should review their logs, install patches, warn employees about phishing attacks, and take other precautions. The U.S. government and Mandiant advisories linked above also offer a range of actionable advice.
"If you're in #healthcare, you can't afford to ignore it," tweeted security firm Giga Systems. "This is not an exercise. You are under attack."