HHS Alerts of Possible Threats to the Healthcare Industry

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has published an alert to the U.S. health industry concerning possible cyber threats that can spillover from the conflict and impact U.S. healthcare providers.

HC3 stated the HHS is uninformed of any specified threats to the Health and Public Health (HPH) Segment; nevertheless, it is apparent that allies on the two sides of the clash have cyber capabilities and there are worries that there can be cyberattacks on the HPH industry as a result of the conflict.

HC3 has cautioned that threats might be from three places: Threat actors connected with the Russian government, threat actors associated with the Belarussian government, and cybercriminal gangs working beyond Russia and its bordering states. There’s likewise a possibility for other cybercriminal groups to either take part in the struggle or take advantage of the conflict to perform unrelated cyberattacks.

Russia has for a number of years been a most competent cyber power on earth. Looking back to the Moonlight Maze attacks towards the US Department of Defense in the 90s, Russian state-sponsored actors were considered to be accountable for some of the most complex cyber attacks disclosed to the public. In particular, they are regarded to attack adversarial critical infrastructure to move forward with their geopolitical pursuits.

There are furthermore extremely competent cyber-criminal agencies that work outside of Russia or have been vocal about their support for Russia, such as the group responsible for the Conti Ransomware. The Conti ransomware gang, which is generally thought to have at the same time used Ryuk ransomware, has widely targeted the healthcare segment in America. The Conti ransomware group participates in multi-stage attacks, big game hunting, and attacks managed service providers (MSPs) and their downstream clientele. The Conti ransomware gang participates in double and triple extortion, exfiltrating data files before encryption and then threatens to release the information and inform partners and shareholders in case no payment is made.

HC3 is convinced that the Conti ransomware group and/or other cybercriminal gangs may either be a part of the conflict or exploit the conflict for financial profit. The threat group called UNC1151 is considered to join the Belarussian military and has supposedly been executing phishing campaigns on the Ukrainian military in January, and the Whispergate Wiper was employed in cyberattacks in Ukraine, which were connected with Belarus.

Whispergate is one of 3 variants of wiper malware that were recently identified. These wiper malware variants employ ransomware as a snare and leave ransom notes that assert files were encrypted; nonetheless, the master boot record is damaged instead of encrypted and there’s no means for retrieval.

Yet another wiper known as HermeticWiper was utilized in attacks in Ukraine as of February 24, 2022, of which a few variants have until now been discovered. ESET has lately found one more wiper which the organization called IsaacWiper, that it is presently looking at.

Even though attacks employing these malware variants are now centered in Ukraine, in 2017, NotPetya wiper malware was employed in focused attacks in Ukraine and was brought through breached tax software programs, nevertheless attacks using the malware pass on around the world and impacted several healthcare companies in America.

All organizations in the HPH industry are firmly instructed to undertake an elevated state of vigilance, make a plan to strengthen their defenses, and examine CISA guidance https://www.cisa.gov/uscert/ncas/alerts/aa22-057a on mitigations and bettering toughness to cyberattacks.