
Chennai, NFAPost: The healthcare sector plays a major role across the world. Though the digital revolution in the healthcare industry helps patients, the sector also faces a range of cyber attacks. FireEye, the intelligence-led security company, has said in its recent report, ‘Beyond Compliance: Cyber Threats and Healthcare’, that the risk to this sector is consequential.

In some cases, criminals seek to monetize personally identifiable information (PII) and protected health information (PHI); nation states carry out intrusions to steal valuable research and mass records for intelligence gathering purposes; and disruptive threats like ransomware have the potential to wreak havoc among hospital networks and impact the most critical biomedical devices and systems.

Much of what FireEye has observed from such threat actors—particularly those with a nexus to China—appears to be driven by an interest in acquiring medical research and collecting large data sets of information, potentially for the purposes of fostering intelligence operations.

The report states that the increasing number of biomedical devices used for critical functions within hospitals and healthcare providers presents a growing security challenge. Furthermore, given their importance and value, a growing willingness by cyber criminals, or, in a period of heightened geopolitical tensions, nation state actors, to deploy disruptive and destructive tools may significantly increase the impact of these threats beyond what has been observed to date.

Between October 1, 2018 and March 31, 2019, FireEye Threat Intelligence observed multiple healthcare-associated databases for sale on underground forums, many for under $2000. Notably, according to the vendor descriptions, the timing of these database advertisements did not typically correlate with the timing of a breach. Many of the observed advertisements were for databases that had been compromised in previous months or years.

In addition to directly selling data stolen from healthcare organisations, cyber criminals also often sell illicit access to these organisations in underground markets. This access can enable other actors to perform post-exploitation activity such as obtaining and exfiltrating sensitive information, infecting other devices in the compromised network, or using connections and information in the compromised network to exploit trust relationships between the targeted organisations and other entities to compromise additional networks.

On February 6, 2019, on a popular Russian-language forum, “Jendely” advertised access to a US-based medical institution. According to the advertisement, the actor had obtained domain administrator access to a network consisting of 3,000 hosts. The access was being auctioned for $9,000–$20,000. In November 2018, the same actor advertised access to the networks of multiple US-based companies with over 600 hosts for $15,000.

Activity by “thedarkoverlord” was initially associated primarily with targeting the healthcare sector by selling access to records and attempted extortion. While thedarkoverlord later diversified targeting to include other sectors, healthcare was still a primary target through the 2017 arrest of several purported members of the group. A limited degree of underground activity by thedarkoverlord resumed in late 2018; however, it is not clear how active thedarkoverlord remains at this time as only a small amount of activity has been observed in 2019, the report pointed out.

The report mentioned that in 2016, 396,459 records from Atlanta were sold for 300 bitcoins and 207,572 records from the Central/Midwest region for 170 bitcoins.

Cancer-related research

FireEye continues to witness a concerted focus on acquiring healthcare research by multiple Chinese APT groups. In particular, it is likely that an area of unique interest is cancer-related research, reflective of China’s growing concern over increasing cancer and mortality rates, and the accompanying national health care costs. Open source reports indicate that cancer mortality rates have increased dramatically in recent decades. The report says that the motivation for APT activity is financial: the PRC has one of the world’s fastest growing pharmaceutical markets, creating lucrative opportunities for domestic firms, especially those that provide oncology treatments or services.

A biotech company undergoing acquisition was targeted by APT41 in May 2015. Highly sensitive information about corporate operations, including human resources data, tax information, and acquisition-related documents, was targeted. Notably, clinical trial data for developed drugs, academic data, and R&D funding-related documents were also exfiltrated. The time frame, the use of the same GEARSHIFT sample, and a digital certificate from the aforementioned medical device company provide some indication that these two campaigns were conducted by the same operator concurrently.

Disruptive threats

Ransomware or extortion campaigns are likely perceived as especially useful against this sector, as they could limit access to patient or health information or disrupt critical care, potentially leading to an increased success rate and higher payouts for actors. Future activity could cause significant to catastrophic effects should actors undertake destructive or high-impact disruptive attacks, as evinced by the WannaCry and EternalPetya attacks.

Ransomware infections pose a more significant risk to healthcare organisations than entities in many other sectors due to the need for consistent, near real-time access to patient data and the potential for harm to patients should organisations lose access to important files, systems, and devices.

In September 2018, FireEye responded to a Samas ransomware incident at a US healthcare provider in which 93 workstations were impacted.

The report concludes that healthcare organisations must contend with a range of cyber threat actor motivations and behaviour. Because of the wealth of data they hold, healthcare breaches and compromises can have far-reaching consequences for consumers. The valuable research being conducted within some of these institutions continues to be an attractive target for nation states seeking to leapfrog their domestic industries. Looking forward, as biomedical devices increase in usage, the potential for them to become an attractive target for disruptive or destructive cyberattacks, especially by actors willing to assume greater risk, may present a more contested attack surface than today.
