North Korea-sponsored hackers have been targeting the healthcare and public health sector in the U.S. for more than a year, according to a July 6 alert from the Cybersecurity and Infrastructure Security Agency, along with the FBI and the Department of the Treasury.
WHY IT MATTERS
In the advisory, North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector, CISA, FBI and Treasury allege that cyber actors have been using that novel strain of malware to target U.S. health systems since at least May 2021.
The report outlines the tactics, techniques and procedures, indicators of compromise, and recommended mitigations specific to use of the Maui ransomware.
“Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations,” officials said. “North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services – including electronic health records services, diagnostics services, imaging services, and intranet services.
“In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods,” they added. “The initial access vector(s) for these incidents is unknown.”
The agencies urge healthcare organizations to “examine their current cybersecurity posture and apply the recommended mitigations,” including training employees to recognize and report phishing attempts, enabling and enforcing multifactor authentication, and installing and updating antivirus/antimalware software on all hosts.
Beyond those basic cyber hygiene steps, the alert suggests a long list of more specific steps to take, including:
Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, and to ensure data packets are not manipulated in transit by man-in-the-middle attacks.
Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
Secure personally identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
They also say healthcare organizations should visit StopRansomware.gov for more guidance on ransomware detection and response.
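The alert's mitigation on monitoring tools (watching for systems "behaving erratically due to a compromise") is easiest to make concrete with a small detection heuristic. The following is an added example, not code from the CISA/FBI/Treasury advisory or from Stairwell's report: it parses a constructed file-activity log and flags any process that modifies or renames many distinct files on a server within a short window, which is the footprint a ransomware encryption run leaves regardless of strain. The event format, host names, process names, paths, extension and thresholds are all assumptions chosen for the example; nothing here is a Maui indicator of compromise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-activity events (hypothetical format, one event per line):
#   "<iso-timestamp> <host> pid=<n> proc=<image> WRITE <path>"
#   "<iso-timestamp> <host> pid=<n> proc=<image> RENAME <old> -> <new>"
# A slow, legitimate backup job on one server and a fast mass-rename on another.
# None of the hosts, processes, paths or extensions come from the advisory.
SAMPLE_EVENTS = r"""
2022-06-14T02:10:01 srv-ehr-01 pid=4412 proc=backup.exe WRITE C:\Data\patients\a.db
2022-06-14T02:10:31 srv-ehr-01 pid=4412 proc=backup.exe WRITE C:\Data\patients\b.db
2022-06-14T02:11:01 srv-ehr-01 pid=4412 proc=backup.exe WRITE C:\Data\patients\c.db
2022-06-14T02:11:31 srv-ehr-01 pid=4412 proc=backup.exe WRITE C:\Data\patients\d.db
2022-06-14T02:12:01 srv-ehr-01 pid=4412 proc=backup.exe WRITE C:\Data\patients\e.db
2022-06-14T02:12:31 srv-ehr-01 pid=4412 proc=backup.exe WRITE C:\Data\patients\f.db
2022-06-14T03:00:00 srv-img-02 pid=9901 proc=unknown.exe RENAME D:\Imaging\2022\scan001.dcm -> D:\Imaging\2022\scan001.dcm.enc
2022-06-14T03:00:02 srv-img-02 pid=1200 proc=pacs.exe WRITE D:\Imaging\2022\worklist.xml
2022-06-14T03:00:04 srv-img-02 pid=9901 proc=unknown.exe RENAME D:\Imaging\2022\scan002.dcm -> D:\Imaging\2022\scan002.dcm.enc
2022-06-14T03:00:09 srv-img-02 pid=9901 proc=unknown.exe RENAME D:\Imaging\2022\scan003.dcm -> D:\Imaging\2022\scan003.dcm.enc
2022-06-14T03:00:13 srv-img-02 pid=9901 proc=unknown.exe RENAME D:\Imaging\archive\old01.dcm -> D:\Imaging\archive\old01.dcm.enc
2022-06-14T03:00:18 srv-img-02 pid=9901 proc=unknown.exe RENAME D:\Imaging\archive\old02.dcm -> D:\Imaging\archive\old02.dcm.enc
2022-06-14T03:00:22 srv-img-02 pid=9901 proc=unknown.exe RENAME D:\Imaging\archive\old03.dcm -> D:\Imaging\archive\old03.dcm.enc
""".strip().splitlines()

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"(?P<action>WRITE|RENAME) (?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def _dirname(path):
    # Accept both Windows and POSIX separators so the heuristic is not host-specific.
    parts = re.split(r"[\\/]", path)
    return "\\".join(parts[:-1]) if len(parts) > 1 else ""


def _extension(path):
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect_mass_modification(lines, window_seconds=60, threshold=5):
    """Return one alert per (host, pid) that touched >= threshold distinct files
    inside any sliding window of window_seconds. Each alert records the peak
    file count, the directories involved and the dominant new extension seen
    on renames (a single extension applied across many files is the classic
    encryption signature). Thresholds are assumptions; tune them per environment."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (host, pid) -> deque of (ts, path, new_ext)
    alerts = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        q = recent[key]
        new_ext = _extension(ev["newpath"]) if ev["newpath"] else None
        q.append((ev["ts"], ev["path"], new_ext))
        # Drop events that have aged out of the sliding window.
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        touched = {p for _, p, _ in q}
        if len(touched) >= threshold and (
            key not in alerts or len(touched) > alerts[key]["files"]
        ):
            exts = [x for _, _, x in q if x]
            alerts[key] = {
                "host": ev["host"],
                "pid": ev["pid"],
                "proc": ev["proc"],
                "files": len(touched),
                "directories": sorted({_dirname(p) for p in touched}),
                "new_extension": max(set(exts), key=exts.count) if exts else None,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_EVENTS):
        print(alert)
```

With the defaults the backup job never exceeds three files in any 60-second window and stays quiet, while the rename burst on the imaging server is reported with its peak count, both directories it spread into, and the single extension it applied; lowering the threshold to 3 shows how quickly a rate-only rule starts flagging legitimate batch jobs, which is why the extension and directory-spread fields are worth carrying into any triage rule built on top of this.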
THE LARGER TREND
The new CISA alert cites a threat report on the Maui ransomware from cybersecurity researchers Stairwell, noting that the engineers there have determined that the malware “appears to be designed for manual execution by a remote actor” who “uses command-line interface to interact with the malware and to identify files to encrypt.”
The feds say they suspect North Korea and its state-sponsored hackers “likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.”
They caution, however, that they “strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”
U.S. federal agencies say healthcare organizations should be “shields up” to mitigate potential threats from hostile foreign governments and their state-sponsored cyber actors.
Nation states have long been probing U.S. healthcare organizations and seeking areas to exploit. This past November, CISA issued an alert for an Iran-sponsored hacker group targeting healthcare. In early 2021, there were reports that North Korea had tried to hack Pfizer COVID-19 vaccine data.
Just this past month, FBI Director Christopher Wray said the bureau’s cyber squad was able to thwart an Iran-sponsored attempt to attack the IT network of Boston Children’s Hospital.
Meanwhile, attempted ransomware exploits and data breaches have become commonplace at hospitals and healthcare organizations nationwide.
ON THE RECORD
“As ransomware has grown to epidemic proportions, the ecosystems of ransomware-as-a-service gangs such as Conti, LockBit, and BlackCat have become broadly recognizable,” said Silas Cutler, Stairwell’s principal reverse engineer, in the company’s research report. “Outside of that ecosystem, there are other ransomware families that often receive less attention, yet are important to study because they can help broaden our understanding of the ways threat actors may conduct extortion operations.
“In June 2022, the Stairwell research team investigated one of these lesser-known families, the Maui ransomware,” Cutler added. “Maui stood out to us because of a lack of several key features we commonly see with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, we believe that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts.”