FBI, DHS Warn Hospitals of Credible Threat from Hackers
(Bloomberg) -- Several U.S. federal agencies on Wednesday warned hospitals and cyber-researchers about a “credible threat” to the security of medical facilities, according to two people familiar with the advisory. The FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security and known as CISA, said they’d received intelligence asserting that hackers were preparing to use Ryuk ransomware to attack medical facilities, using the Trickbot to distribute it, said the people, who weren’t authorized to speak to the media.

The federal agencies didn’t return requests for comment.

The warning comes as Covid-19 cases and hospitalizations surge across the country. The cybersecurity company FireEye Inc. said multiple U.S. hospitals have been hit by a “coordinated” ransomware attack, with at least three publicly confirming being struck this week.

Ransomware is a type of computer virus that locks up computers until a ransom is paid for a decryption key.

The attack was carried out by a financially motivated cybercrime group dubbed UNC1878 by computer security researchers, according to Charles Carmakal, FireEye’s strategic services chief technology officer. At least three hospitals were severely affected by ransomware on Tuesday, he said, and multiple hospitals have been impacted over the past several weeks. UNC1878 intends to target and deploy ransomware to hundreds of other hospitals, Carmakal said.

“We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” he said. “UNC1878, an Eastern European financially motivated threat actor, is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other health-care providers.”

Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline, Carmakal added.
“UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career.”

Trickbot claimed Monday in a private communications channel to have attacked more than 400 hospitals in the U.S., said Alex Holden, the founder of the cyber investigations firm Hold Security. By Tuesday, the Trickbot attack group -- which frequently works with ransomware operators Ryuk -- claimed to have ransomed about 30 medical facilities around the country, Holden said.

Noncriminals running these malware and ransomware operations are known to embellish their achievements, he said.

St Lawrence Health System in New York, Sonoma Valley Hospital in California, and Sky Lakes Medical Center in Oregon on Tuesday all publicly stated they were affected by ransomware attacks, according to local news reports.

The ransomware that has targeted hospitals, retirement communities and medical centers this year has typically started with emails that purport to be corporate communications and sometimes contain the name of the victim or their company in the text or its subject line, according to a FireEye report released Wednesday. However, the emails can contain malicious Google Docs, typically in the form of a PDF file, that contains a link to malware. The use of multiple links, as well as PDF files, can help trick email filters designed to spot simpler phishing tactics.

(Updates with more details from FireEye and names of hospitals in last paragraph.)

©2020 Bloomberg L.P.