As the outbreak of Covid-19 escalated earlier this month we observed that the global cybercrime community has capitalized on public fear. Initially targeting civilians through phishing campaigns in the guise of the World Health Organisation (WHO) and the US Centers for Disease Control and Prevention (CDC), as well as local surgeries, in recent weeks threat actors have escalated their attacks as they shift their focus to the healthcare industry.
This comes as little surprise; the healthcare industry accounts for almost a quarter (24%) of all cases investigated by Verizon, making it the most breached sector globally thanks to the high value of patient data and intellectual property on the dark web. In addition, threat actors are known to increase their attack efforts when they know victims are most vulnerable, particularly to social engineering attacks. This is evidenced in past spikes in activity surrounding the Winter Olympics, the introduction of GDPR, and the UK’s exit from the European Union.
This blog will outline key campaigns currently targeting the healthcare sector through recent use cases, and shine a spotlight on the threat actors and tools behind them that have led to a 150% rise in cyber attacks against the healthcare sector throughout the Covid-19 pandemic.
World Health Organization (WHO)
In a recent blog post we drew attention to cybercriminals posing as the WHO to steal information from civilians, but it has been confirmed in the weeks since that the WHO itself has also become a victim of cyber threats. Reuters reports that criminals attempted to breach the WHO on 13th March, as threats against the organization and its partners have more than doubled in the wake of the current pandemic. This sophisticated phishing attack involved a malicious site that mimicked the WHO’s own email system and was used in an attempt to coax passwords and other sensitive information from WHO staff. The identity of the attackers has not yet been confirmed, though the known threat actor DarkHotel is believed to be responsible.
The WHO is pulling together all its resources to aid in the global fight against the Coronavirus, and any successful breach or loss of data could drastically slow down the management of infection or delay attempts at developing a vaccine, ultimately leading to wider spread and more fatalities.
Brno University Hospital
Located in the Czech Republic, the Brno University Hospital has become one of the country’s leading Covid-19 testing labs. Earlier this month the hospital fell victim to a currently unidentified infection which resulted in the shutdown of its entire IT network, as well as that of its sister Maternity and Children’s Hospital branches. At the time of writing, security professionals in the region, including the Czech National Cyber Security Center (NCSC) and the Czech police force, are still working to determine those responsible and restore the IT network.
Beyond those directly affected at Brno University Hospital, this attack will have serious ramifications for the wider population of the Czech Republic. The country currently reports 1,047 cases of the novel Coronavirus and expects significantly more cases in the coming months. With a key testing facility now unavailable, that number is likely to rise as efforts to tackle the virus have been forced to slow down.
Champaign Urbana Public Health District (CHUPD)
The Illinois CHUPD was hit by ransomware called NetWalker earlier this month, taking down its website and affecting the health district’s ability to share vital information about social restrictions, health warnings and other evolving guidance regarding Covid-19 with its 210,000 constituents.
A new form of ransomware, NetWalker is believed to be a variant of the Mailto ransomware. As well as pushing false Coronavirus emails to the public, NetWalker is actively targeting the healthcare sector at this time. The NetWalker phishing campaign has been observed to include an attachment named “CORONAVIRUS_COVID-19.vbs” which contains embedded code that allows attackers to access and extract information from the infected system.
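The lure described above combines a pandemic theme with a script attachment that Windows will execute on double-click. The following added example (not code from the original post or from Blueliv) shows a mail-gateway triage rule a defender could run over attachment names and subjects to flag that combination; the sample messages, extension lists and keyword pattern are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions the Windows shell hands to Windows Script Host or the command
# interpreter on double-click; .vbs is the type used by the NetWalker lure.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Pandemic-themed lure words matching the WHO/CDC/Covid themes in the campaigns.
# Underscore and hyphen count as separators, so "who_guidance" still matches.
LURE_PATTERN = re.compile(
    r"(?<![a-z0-9])(covid|corona|coronavirus|who|cdc|pandemic)(?![a-z0-9])", re.IGNORECASE)

@dataclass
class Finding:
    filename: str
    severity: str                      # "high", "medium" or "low"
    reasons: List[str] = field(default_factory=list)

def extensions_of(filename: str) -> List[str]:
    """All dotted extensions of a name, e.g. 'rota.docx.js' -> ['.docx', '.js']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]

def assess_attachment(filename: str, subject: str = "") -> Optional[Finding]:
    """Rate one attachment; None means no rule fired."""
    exts = extensions_of(filename)
    reasons = []
    script = bool(exts) and exts[-1] in SCRIPT_EXTENSIONS
    if script:
        reasons.append(f"script extension {exts[-1]} runs on double-click")
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension disguises script as a document")
    lure = bool(LURE_PATTERN.search(filename) or LURE_PATTERN.search(subject))
    if lure:
        reasons.append("pandemic-themed lure wording in filename or subject")
    if script and lure:
        severity = "high"              # same shape as the NetWalker lure above
    elif script:
        severity = "medium"
    elif lure:
        severity = "low"               # theme alone is normal traffic for a health body
    else:
        return None
    return Finding(filename, severity, reasons)

# Constructed sample messages (not captured mail) used to exercise the rules.
SAMPLE_MESSAGES = [
    {"subject": "Important COVID-19 update", "attachment": "CORONAVIRUS_COVID-19.vbs"},
    {"subject": "Invoice March", "attachment": "invoice_0319.pdf"},
    {"subject": "Shift rota", "attachment": "rota.docx.js"},
    {"subject": "WHO guidance", "attachment": "who_guidance.pdf"},
]

def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Map each flagged attachment name to its Finding, skipping clean messages."""
    findings = {}
    for msg in messages:
        f = assess_attachment(msg["attachment"], msg["subject"])
        if f is not None:
            findings[f.filename] = f
    return findings
```

Running `triage()` on the sample set flags the .vbs lure as high, the disguised .docx.js as medium and the themed PDF as low, while the plain invoice passes.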
Advice and mitigation
It is evident that many threat actors are only increasing their attacks, despite some agreeing not to attack vital emergency services. In these high-pressure situations it is vital that organizations do not discard security protocols and remain vigilant towards perceived threats. As measures against the spread of Coronavirus evolve and employees become overwhelmed or distracted, they must maintain cyber-hygiene. This means remembering best practices, particularly in the face of phishing attacks, as the majority of the attacks outlined above rely on social engineering. The human element is always the weakest part of a defence perimeter, and criminals expect it to be even weaker as healthcare workers tackle the current climate.
The healthcare industry must now more than ever fall back on basic cyber-hygiene and employ hyper vigilance as it continues its role on the front line of the Covid-19 pandemic.
Blueliv’s latest whitepaper therefore sets out some elements of the diverse and heterogeneous cyberthreat landscape facing healthcare institutions. As a threat intelligence provider, we seek to offer insight into trends and encourage the development and continuation of proactive steps that healthcare institutions can take to help manage their cyber-risk.