Health care professionals battling the coronavirus now face a second front in the war — cyberattacks — that threaten to disrupt operations and broadcast disinformation.
Cyberattacks against health care agencies have skyrocketed in the past decade, with almost 70% of the population affected by a data breach through the theft of personal information and health data. The attacks occur, on average, at a rate of 1.4 a day, according to the HIPAA Journal.
But the arrival of the coronavirus in the US in January has brought its own epidemic of cyberattacks.
Cyberattacks and Data Breaches
The World Health Organization, which is on the frontlines of the global coronavirus pandemic, is a favorite target. Cybercriminals also have attacked a testing lab in the Czech Republic and an Illinois health department.
The COVID-19 Cyber Threat Intelligence League, an army of more than 400 cybersecurity experts, is taking on these cybercriminals. The league, being overseen by experts from Amazon, ClearSky Cyber Security, Okta and Microsoft, is focusing on identifying and stopping cyberattacks against the health care industry worldwide.
US health care providers were first warned on March 6 by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to be alert to coronavirus phishing campaigns.
Phishing emails contained malicious code or links to bogus websites that could give hackers access to websites and databases where they could scrape personal data, disrupt operations or lock down computer systems in a ransomware attack.
The most prominent phishing campaign involved emails purportedly from the WHO containing an e-book about the “corona-virus.” The hyphen in “coronavirus” was one thing that alerted cyberexperts to the scam. Other errors soon emerged.
WHO issued a statement that its email addresses end in “.int.” Email from addresses ending in @who[.]com, @who[.]org or @who-safety[.]org is not from WHO.
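The sender check that statement implies can be automated at a mail gateway or in a triage script. The sketch below is an added example, not code from WHO or from this article; it assumes WHO's legitimate mail domain is who.int, and the sample From headers are constructed.

```python
from email.utils import parseaddr

# Assumption: WHO's legitimate mail domain is who.int (the article says ".int").
TRUSTED_DOMAIN = "who.int"
# Lookalike endings named in the article (written there as who[.]com etc.).
KNOWN_FAKES = {"who.com", "who.org", "who-safety.org"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header, or ''."""
    _display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def classify_sender(from_header: str) -> str:
    """Classify a From header relative to the WHO domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Exact match or true subdomain only. A bare endswith("who.int") would
    # accept "notwho.int", and a prefix match would accept "who.int.example.net".
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "who-domain"
    if domain in KNOWN_FAKES:
        return "known-lookalike"
    # Anything else that borrows the WHO name, in the domain labels or in the
    # display name, is flagged for review rather than trusted.
    display = parseaddr(from_header)[0].lower()
    labels = domain.replace("-", ".").split(".")
    if "who" in labels or "who" in display.split() or "world health" in display:
        return "suspicious"
    return "unrelated"


# Constructed sample headers, for illustration only.
SAMPLES = [
    "WHO Media <press@who.int>",
    '"World Health Organization" <info@who-safety.org>',
    "WHO <donate@who.int.example.net>",
    '"World Health Organization" <ebook@example.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):16} {header}")
```

A From header is easy to forge, so a "who-domain" result only means the address looks right; the message's SPF, DKIM and DMARC results still decide whether it is authentic.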
Hackers also re-created the WHO portal to WHO’s internal file systems used by employees. Alexander Urbelis, a former hacker who became an information security lawyer, called the fake portal “very, very convincing.”
The hacker group, which has not been identified, is sophisticated and well-informed about its targets and could be a state-sponsored or state-affiliated group, Urbelis said. The group has used similar techniques on universities and the United Nations.
Meanwhile, the US Health and Human Services Department was targeted by millions of emails that cyberexperts said were designed to disrupt operations. A department spokesman said the agency was able to put extra protections in place to avert the attack.
The Effects of Ransomware
In Illinois, the Champaign-Urbana Public Health District was targeted in a ransomware attack in early March, hampering its effort to keep the public informed about the coronavirus. The district, which serves about 200,000 people, was offline for four days and was able to resume operations after paying the ransom of $350,000. Four days later, officials at the public health authority retrieved 99% of their files, according to Patricia Robinson, the health district’s director of human resources.
In Europe, hackers attacked a hospital in the Czech Republic. Brno University Hospital, which is one of the biggest COVID-19 testing laboratories in the country, was forced to postpone surgery, send acute patients to another hospital and shut down its IT network at three hospitals.
Those attacks occurred despite a pledge by some of the best-known ransomware hackers that they would not attack health care providers during the pandemic.
Ryuk, Maze, DoppelPaymer, PwndLocker, Sodinokibi/REvil and Ako Ransomware told BleepingComputer that they would avoid interfering with hospitals and other health care providers. They said if a health care agency was attacked by accident, they would provide the decryption key.
CLOP Ransomware said it never targets health care providers, but it would target pharmaceutical companies because they are profiting from the crisis.
But that hasn’t stopped other cybercriminals from trying to cash in on the global pandemic. A website in Austin, Texas, advertising a phony WHO COVID-19 vaccine kit was shut down by the Department of Justice.
And Amazon said it removed over 1 million fake coronavirus remedies in February alone. But cyberexperts are stepping up to defend the health care industry.
The Front Lines
Emsisoft, which offers custom decryption services, and Coveware, which offers negotiation services, are making their services free to health care providers during the coronavirus pandemic.
“We have helped hospitals through ransomware attacks during normal times. It is a horrible situation with normal patient activity. It’s unfathomable to think about what it would be like during a pandemic. We want to ensure providers have fast access to help with as little friction as possible. It is the least we can do,” Coveware CEO Bill Siegel told BleepingComputer.
And then there’s the COVID-19 Cyber Threat Intelligence League. One of the founders, Marc Rogers, vice president of security at Okta and head of security operations at DEF CON, said the league is growing fast and has a global reach.
“Attackers are using a mixture of old, reskinned, and relatively new malware to attack users during the COVID-19 pandemic,” Rogers told Dark Reading. “Their diversity indicates a global reach and a wide variety of campaigns. In essence, we are looking at a cybercrime gold rush.”