Targeted Cyber Attacks on Healthcare Increase During COVID Crisis

Targeted Cyber Attacks on Healthcare Increase During COVID Crisis

Richard Staynings
By Richard Staynings, Chief Security Strategist and Cybersecurity Evangelist

Cyber criminals and pariah nation-states are taking advantage of the disruption caused by the pandemic to run amok.

Few actions raise the question of ethics more than a lawyer chasing an ambulance leaving a road traffic accident, or a hacker targeting a hospital during a global pandemic crisis, but the latter is precisely what has been happening since February.
The public and government officials alike are outraged that cyber criminals would target health systems during a time of global pandemic crisis.
According to Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, "there was this brief shining moment when we hoped that, you know, 'gosh cybercriminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly, that has not been the case," she reported.

Increase in Cyber Attacks Against Healthcare

Photo: H. Shaw

As our brave doctors and nurses fight each day to save the lives of those infected with the coronavirus, hackers and pariah nation-states are taking advantage of the chaos in our medical systems to break into health and research centers working on a vaccine or cure. Ironically, both the virus and many of those engaged in the theft of research into a vaccine appear to come from the same country.

Between February and May of this year, there have been 132 reported breaches into healthcare entities, according to the HHS. This is almost a 50% increase in reported breaches during the same time last year. Perpetrators appear to be taking advantage of a distracted, often remote, and easily susceptible workforce to gain access to hospital networks through insecure medical devices and other linked healthcare IoT systems.

"These systems are notoriously difficult to secure and are an acknowledged cybersecurity risk," claimed Tim Ozekcin, CEO of biomedical security company, Cylera.

The World Health Organization has reported a 500% increase in cyberattacks on its systems during the spread of the Coronavirus pandemic through April compared with the same period last year, and has been dealing with a major email security breach, while at the same time trying to deal with the largest global pandemic to appear in over a century.

During the same period of time, the FBI’s Internet Crime Complaint Center, known as the IC3, has been swamped with 3 to 4 times the usual number of calls each day, citing that the number of reported cyber crimes has quadrupled the amount compared to last year

So far this year, the U.S. Department of Health and Human Services has investigated 177 data-breach incidents at medical organizations, nearly double the 91 under investigation in the same period in 2019.

Photo: CDC

Medical Research Targeted 

Most alarmingly though, is a spate of targeted ransomware attacks against medical research facilities.

In March, hackers swarmed two websites belonging to the Paris hospital authority, known as AP-HP. In the same month, a number of Czech hospitals and medical research centers were also attacked, by as of yet unknown perpetrators in what is thought to be a combined infiltration-theft and ransomware attack. The latter attack breached one of the major Czech COVID-19 testing laboratories at Brno University Hospital in Moravia.

According to Reuters, “The country’s NUKIB cybersecurity watchdog said the attacks, were designed to damage or destroy victims’ computers by wiping the boot sector of hard drives.”

The similarity with Russian GRU attacks against Ukrainian and other targets last year would tend to indicate nation-state involvement based upon the boot sector wiping first attributed to the Russian GRU's 'Not Petya' attacks in June 2017.

A Need to Take Action

In a letter this week, signed by international political and business leaders, the International Committee of the Red Cross called for governments to take “immediate and decisive action” to punish cyber attackers. 

“There are more and more cyberattacks [...] on the healthcare sector and unless there are really strong measures taken, they will continue,” said Cordula Droege, chief legal officer at the ICRC. “What we’re seeing at the moment are still indications of how devastating it could be.”

Also this week, NATO, issued a statement condemning the malicious cyber activities.

"These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most, and jeopardize our ability to overcome the pandemic as quickly as possible."

Invoking its founding principle of Collective Defense and its more recent Cyber Defense Pledge, NATO confirmed that it is ready to take action against the perpetrators of these cyber attacks.


Photo: Lianhao Qu

Opportunistic Rise in Creative Cyber-Crime 

The US FTC has reported that approximately $12 million has been lost due to Corona-virus-related scams since January. But it’s not just the US that has been targeted. One man in Singapore tried to abscond with €6.64 million from a European pharmaceutical company after taking an order for surgical masks and hand sanitizer that he had no intention of delivering. Thanks to the quick actions of Interpol and Singapore authorities the money was returned and the man arrested.

Hundreds of fake domains have been registered by criminals with names to entice the unsuspecting to click a link to a Coronavirus news site, health and well-being site, or to a charity site supporting everything from animal shelters for abandoned pets to food banks for the suddenly unemployed. At least one has even attempted to purport to be part of the US Centers for Disease Control in Atlanta, Georgia otherwise known as the CDC.

Furthermore a whole range of fraudulent websites have been setup to supply N95 masks, rubber gloves, and other personal protective equipment (PPE) where users place an order never to see any goods – only fraudulent transactions on their credit cards. Many hospitals have also been defrauded in similar ways, receiving sub-par equipment or received none at all. Much of this was ordered from Mainland Chinese manufacturers, that could not be used and had to be disposed of since it didn't meat medical standards.

Perpetrators also know that thanks to better data backup procedures following WannaCry, victims have comprehensive and disconnected backups of their data to avoid paying ransoms. (Paying ransoms is actually illegal in many jurisdictions). To circumvent this, criminals are now executing combined infiltration-theft extortion attacks, as was seen in the Czech Republic. Non-Public data is exfiltrated as part of the attack and when the ransomware clock runs out without a payment being made, a perpetrator will release some protected data to the public internet along with a second extortion payment demand, threatening further release of more regulated PII and PHI data. This is similar to a recent REvil Attack against a Los Angeles celebrity law firm that claimed to have masses of dirty laundry on Donald Trump as well as contracts and other documents for celebrity clients.

Intellectual property theft at hospitals and research institutes working on investigation of the virus or potential vaccines for COVID-19 has been especially rife, particularly from so-called international partners, some of whom may have been already compromised. More than one nation-state-actor is focused on gathering information about the response of US states to the ongoing pandemic and the progress of the research on vaccines.

“We’re very concerned now that we have these very sophisticated actors - nation-states, particularly China and Russia - targeting Covid-19 research, treatment protocols and vaccine development,” said John Riggi, Strategic Advisor for Cybersecurity and Risk at the American Hospital Association.

According to officials at a number of leading academic medical centers, the warning to watch out for potential theft of intellectual property by such nation-state actors has been transmitted throughout the industry.

"Its like we're fighting two battles at the same time - the Covid-19 pandemic and defending against an escalation in cyber attacks against healthcare, " claimed Chad Wilson, CISO of Stanford Children's Hospital.

Learn how cybersecurity is responding to this increase in threats.

Get Updates

Sign up to receive the
latest news from Cylera.

window.lintrk('track', { conversion_id: 14567298 });