Healthcare Orgs Targeted by Phishing Attacks During COVID-19 Pandemic
Healthcare organizations are doing all they can to care for those who have fallen ill with coronavirus disease 2019 (COVID-19). With that in mind, one would think digital attackers would leave entities in the healthcare industry alone, and some of them have agreed to do so. Back in mid-March, for instance, the operators of several high-profile ransomware families told Bleeping Computer that they would stop targeting health-related entities (if they had done so in the past). They also told the computer self-help site that they would issue a free decryptor if they infected one of these organizations by mistake.
It remains to be seen whether these malicious actors will keep their word. In the meantime, other digital criminals are less particular about selecting their targets in these extraordinary times. The Federal Bureau of Investigation (FBI) released a flash alert in mid-April revealing that nefarious individuals were actively targeting U.S. medical providers with phishing campaigns and other email attacks. These operations have claimed numerous victims, some of which have made headlines.
A few of those security incidents are presented below.
Brno University Hospital
ZDNet revealed on March 13 that the Brno University Hospital in the Czech Republic had suffered a digital attack. Shortly after malware succeeded in infecting the network at around 5 am local time, the hospital’s public announcement system instructed all personnel to shut down their workstations. The system repeated this message every half hour until 8 am local time, when it announced that all surgeries were canceled.
The attack also affected two other branches of Brno University Hospital, the Children’s Hospital and the Maternity Hospital.
After arranging to divert acute patients to the nearby St. Anne's University Hospital, officials at Brno University Hospital turned their attention to investigating what had happened. The organization’s IT staff were collaborating with the Czech National Cyber Security Center (NCSC) and the Czech police (NCOZ) on this effort at the time of ZDNet’s reporting.
U.S. Health and Human Services Department
As Bloomberg reported in mid-March 2020, the U.S. Department of Health and Human Services (HHS) suffered a digital attack on its computer systems. Malicious actors did not succeed in infiltrating the Department’s network, HHS Secretary Alex Azar said in a White House briefing, nor did the incident significantly degrade the network’s functionality. The attempt to slow the network with millions of hits ran up against the “extra protections” HHS had put in place when the agency began preparing its response to the coronavirus pandemic.
A U.S. official told Bloomberg they suspected that a foreign actor was responsible for the digital attack. That being said, the administration had not publicly disclosed the identity of the offender at the time of writing.
World Health Organization
Digital security expert Alexander Urbelis was responsible for alerting Reuters about an attempted intrusion at the World Health Organization (WHO). Urbelis detected the malicious activity on March 13 when he spotted a malicious website that appeared to be impersonating the WHO internal email system. A closer look revealed that threat actors were abusing the site in an attempt to steal multiple agency staffers’ passwords.
Fortunately, no one replied to the attack email messages sent out by the attackers.
Urbelis told Reuters that he wasn’t exactly sure who was responsible for the attack against WHO. However, he did say that he suspected that a well-known threat group called “DarkHotel” might have been behind the campaign.
Hammersmith Medicines Research
In their correspondence with Bleeping Computer, the handlers of Maze ransomware said that they would “…stop all activity versus all kinds of medical organizations until the stabilization of the situation…” pertaining to the coronavirus.
They might have already gone against their word, however.
ComputerWeekly.com revealed that digital attackers had used Maze ransomware to target Hammersmith Medicines Research (HMR), a clinical research organization based in London that performs early-stage vaccine trials for diseases such as COVID-19. When HMR didn’t pay the ransom, these nefarious individuals went a step further and published the personal information of thousands of the entity's former patients. Some of those records dated back 20 years.
This attack occurred just days after the Maze gang promised to not target healthcare entities.
Meadville Medical Center
On March 26, Meadville Medical Center (MMC) in Pennsylvania suffered an infection of an undisclosed malware family. IT professionals at the hospital responded by taking down the organization’s computer systems and hiring a third-party forensics firm to determine what happened. Through this effort, MMC learned it was safe to bring its electronic medical records (EMR) system back online on March 31.
The recovery of MMC’s remaining systems took a bit longer. As of mid-April, the Meadville Tribune learned, at least some personnel at the medical center were using personal Gmail accounts instead of their work accounts to send email. The hospital also confirmed in a statement that it was using “downtime procedures” while it worked to recover from the attack.
Beaumont Health System
Beaumont Health System announced in mid-April that it had suffered an email security incident in 2019. As reported by FOX 2, the security incident was the result of a third party having gained access to the accounts of some of the employees at Beaumont, Michigan’s largest healthcare system. Those email accounts contained sensitive patient information including names, dates of birth, diagnoses and prescription details.
An investigation launched by Beaumont Health System determined that malicious actors had accessed those employees’ email accounts between May 23, 2019 and June 3, 2019. The effort uncovered no evidence that those responsible for the breach had stolen anyone’s information. Even so, the organization took the precautionary step of issuing notices to individuals whom the data breach might have affected.
Improving the Security Defenses of Your Healthcare Organization
Flavius Plesu, founder and CEO of human risk intelligence firm OutThink, feels that there are plenty of digital attackers out there who see one thing and one thing only when they look at the coronavirus pandemic. As he told ZDNet:
At times of crisis, hackers see opportunity. At times of increased risk, security teams must be extra vigilant and understand that the risk of a cyberattack is much higher than usual as hackers try to take advantage of tired, overstretched staff that potentially have their guards down.
Security teams can reduce this risk by keeping their organization’s security awareness training program running. But given the stress that many employees and organizations are grappling with in these extraordinary times, infosec personnel should also invest in technical controls that give employees an added layer of protection. Such controls should analyze incoming email for patterns, URLs, IP addresses, malware signatures and other indicators associated with known attack campaigns, detect those indicators in real time, and still let legitimate correspondence reach its intended destination. While they’re at it, infosec teams should make employees’ inboxes as secure as possible by implementing best practices such as encrypting mail in transit and at rest and, since lures like the one aimed at WHO staff are after passwords, requiring multi-factor authentication on mailbox logins.
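As an added example of the indicator matching such a control performs (this is illustrative code written for this article, not code from the original page or from any gateway product), the Python script below parses raw messages and checks the sender domain, relay IPs, URL hosts and attachment hashes against a small block list, and additionally flags lure-style subjects, links whose visible text names a different host than the href, Reply-To domains that differ from the From domain, and attachments that carry a Windows executable header. The block lists, the subject patterns, the two sample messages and the "malware" attachment are all constructed for the demo under `.example` domains and documentation IP ranges; none of them are real indicators.

```python
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed indicator lists for this demo. A real gateway would load these
# from a threat-intelligence feed and refresh them continuously; nothing
# below is a real indicator.
SAMPLE_MALWARE = base64.b64decode("TVqQAAMAAAAEAAAA//8AAA==")  # constructed PE stub
KNOWN_BAD_DOMAINS = {"who-int-login.example", "covid19-relief.example"}
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_MALWARE).hexdigest()}
# Constructed subject patterns for pandemic-themed credential lures.
SUBJECT_PATTERNS = [re.compile(p, re.I) for p in (
    r"covid[- ]?19.*(password|verif|suspend)",
    r"(password|account).*(expir|suspend)",
)]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(header_value) -> str:
    """Lower-cased domain of an address header, or '' if there is none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def scan_message(raw: bytes) -> dict:
    """Return a verdict ('deliver', 'flag' or 'quarantine') and the findings behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []  # (severity, description)

    # Header checks: sender domain, mismatched Reply-To, relay IPs.
    from_domain, reply_domain = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if from_domain in KNOWN_BAD_DOMAINS:
        findings.append(("high", f"sender domain on block list: {from_domain}"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("medium", f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))
    for received in msg.get_all("Received", []):
        for ip in RECEIVED_IP_RE.findall(str(received)):
            if ip in KNOWN_BAD_IPS:
                findings.append(("high", f"relay IP on block list: {ip}"))

    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        findings.append(("medium", f"subject matches lure pattern: {subject!r}"))

    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename()
            if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
                findings.append(("high", f"attachment {name} matches known malware hash"))
            elif data.startswith(b"MZ"):  # Windows PE magic, whatever the extension says
                findings.append(("high", f"attachment {name} is a Windows executable"))
            continue
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        # Link text that shows one host while the href points at another.
        for href, text in ANCHOR_RE.findall(body):
            shown = URL_RE.search(text)
            href_host = (urlparse(href).hostname or "").lower()
            shown_host = (urlparse(shown.group(0)).hostname or "").lower() if shown else ""
            if shown_host and shown_host != href_host:
                findings.append(("high", f"link shows {shown_host} but points to {href_host}"))
        # Any URL whose host is on the block list.
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host in KNOWN_BAD_DOMAINS:
                findings.append(("high", f"URL host on block list: {host}"))

    severities = {s for s, _ in findings}
    verdict = "quarantine" if "high" in severities else ("flag" if findings else "deliver")
    return {"verdict": verdict, "findings": findings}


# Two constructed messages: a credential-phishing lure with an executable
# attachment, and a benign scheduling notice that must still be delivered.
PHISH = b"""From: "WHO IT Helpdesk" <helpdesk@who-int-login.example>
Reply-To: collect@attacker.example
To: staff@hospital.example
Subject: COVID-19: urgent password verification required
Received: from mail.attacker.example ([203.0.113.45]) by mx.hospital.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended. <a href="http://who-int-login.example/owa">https://mail.who.int/owa</a></p>
--B1
Content-Type: application/octet-stream; name="guidance.exe"
Content-Disposition: attachment; filename="guidance.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B1--
"""

LEGIT = b"""From: "St. Anne's Scheduling" <scheduling@stannes.example>
To: staff@hospital.example
Subject: Updated surgery schedule for Monday
Received: from mail.stannes.example ([198.51.100.7]) by mx.hospital.example
Content-Type: text/plain; charset=utf-8

The revised schedule is on the intranet: https://intranet.stannes.example/schedule
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = scan_message(raw)
        print(label, result["verdict"])
        for severity, description in result["findings"]:
            print(f"  [{severity}] {description}")
```

The verdict logic is deliberately simple: any single high-confidence indicator (block-listed domain or IP, known hash, executable payload, deceptive link) quarantines, while softer signals such as a lure-style subject or an odd Reply-To only flag the message for review, so that a legitimate "password expiry" notice from IT is not silently dropped. In a real deployment the block lists would come from a feed, the hash check would be paired with sandbox detonation, and the findings would be shipped to the SIEM alongside the verdict.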