North Korean ransomware attacks target US healthcare companies


Since May 2021, state-sponsored attackers have been deploying Maui ransomware in an effort to encrypt sensitive records and disrupt services at vulnerable healthcare organizations.


The US government is warning healthcare companies to monitor and protect against ongoing ransomware attacks from North Korean-sponsored cybercriminals. In a joint advisory released Wednesday, the FBI, the Cybersecurity and Infrastructure Security Agency and the Treasury Department warned that these state-sponsored attackers are using Maui ransomware to target hospitals, labs, medical facilities and other public and private health organizations.

North Korean state-sponsored cybercriminals are deploying Maui to encrypt servers and data for critical health services, such as electronic health records, diagnostics, imaging and intranet. Because hospitals and healthcare providers sometimes lack adequate security protection, these attacks can disrupt important medical services for long periods of time.

Why North Korea is targeting health care

Cyberattacks by hostile nation states are usually carried out for political or military reasons, as they are designed to impact critical infrastructure and defenses. Ransomware attacks, however, are profit-driven. Why would state-sponsored attackers turn to ransomware as a tactic?

“Ransomware attacks sponsored by nation states have become typical international acts of aggression, especially among North Korean, Chinese and Russian hacking groups,” said Peter Martini, co-founder of security provider iboss. “Unfortunately, North Korea has specifically shown that it is very willing to indiscriminately target various industries, including healthcare, to secure the untraceable cryptocurrency that funds its nuclear weapons program.”

The healthcare sector is particularly vulnerable to ransomware. These organizations do not always devote sufficient time or resources to cybersecurity. Hospitals and similar organizations also hold sensitive medical and healthcare data that attackers can exploit or use as extortion leverage. And these facilities cannot afford to be out of service for long, which increases the likelihood that they will pay the ransom just to get their operations back up and running.

“They’re hitting these organizations because they’re juicy victims and they won’t show the healthcare industry any mercy,” said Adam Flatley, director of threat intelligence for security firm Redacted. “Ransomware actors don’t care who they hurt by extorting money from healthcare organizations. They destroy lives, businesses and, in the case of hospitals, put human lives at risk without any remorse. These groups deliberately target health care organizations because they know the emotional impact of such action will help them force extortion payments.”

Although North Korean-sponsored ransomware attacks against health organizations have been going on for over a year, they have increased significantly and become more sophisticated over that time, according to Martini. Countries like North Korea and Russia also have a lot to gain from disrupting the United States’ ability to deliver health care, especially during a pandemic.

How to defend against these attacks

To help healthcare organizations that need to defend against these types of ransomware attacks, the advisory offers several recommendations.

Limit access to sensitive data

Limit access to critical data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things medical devices and the electronic health record system, and to ensure data is not manipulated in transit by a man-in-the-middle attack. The protection comes from verifying the certificates on both ends of a connection; a certificate that is issued but never checked stops nothing.

Reduce your use of administrator accounts

To access your internal systems, use standard user accounts rather than administrative accounts. Administrator accounts can be used to compromise an entire network or domain, making them tempting targets for attackers.

Turn off WAN-facing management interfaces

Turn off network device management interfaces such as Telnet, SSH, Winbox and HTTP on the wide area network (WAN) side, so that they are reachable only from the internal management network. Where one must remain enabled, secure it with strong passwords and encryption.
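A quick way to find out whether any of those management services is actually reachable from the WAN is to check what is bound to the WAN address or to the wildcard address. The script below is an added example for this article, not code from the advisory: it parses `ss -ltn`-style listener output (a constructed sample is embedded, not captured from a real device) and reports Telnet, SSH, HTTP and Winbox listeners that a WAN peer could connect to. The WAN address and internal prefixes are assumptions for the demo.

```python
"""Flag network-device management services reachable from the WAN.

Added example, not from the advisory. Parses `ss -ltn`-style output and
reports management listeners bound to a WAN address or to every address.
"""
import ipaddress

# Assumed addressing for this demo: one public WAN address, RFC 1918 space inside.
WAN_ADDRESSES = {ipaddress.ip_address("203.0.113.10")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Management services named in the advisory, keyed by their default port.
MGMT_PORTS = {23: "telnet", 22: "ssh", 80: "http", 8291: "winbox"}

# Constructed sample of `ss -ltn` output (not captured from a real device).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8291     0.0.0.0:*
LISTEN 0      128    10.20.0.1:23       0.0.0.0:*
LISTEN 0      128    203.0.113.10:80    0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for each LISTEN row; handles bracketed IPv6 and wildcards."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        yield host.strip("[]"), int(port)


def wan_reachable(host):
    """True if a socket bound to `host` accepts connections from the WAN."""
    if host in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind: every interface, WAN included
    ip = ipaddress.ip_address(host)
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETS):
        return False
    return ip in WAN_ADDRESSES or ip.is_global


def exposed_management_services(ss_output):
    """Return 'service host:port' for management listeners a WAN peer could reach."""
    findings = []
    for host, port in parse_listeners(ss_output):
        if port in MGMT_PORTS and wan_reachable(host):
            findings.append(f"{MGMT_PORTS[port]} {host}:{port}")
    return findings


if __name__ == "__main__":
    for finding in exposed_management_services(SAMPLE_SS_OUTPUT):
        print("WAN-exposed:", finding)
```

On the sample, the SSH listener on the wildcard address and the HTTP listener on the WAN address are reported; the Winbox listener on loopback and the Telnet listener on an internal address are not, although Telnet on any interface deserves its own follow-up.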


Protect patient information

Secure all personally identifiable information and protected health information at all collection points. Be sure to encrypt data at rest and in transit using protocols such as Transport Layer Security. Store personal patient data only on internal systems protected by firewalls and ensure that full backups are available if the information is compromised.
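The "limit access to sensitive data" and "protect patient information" recommendations above both come down to the same TLS configuration: require a certificate from the peer (mutual TLS), verify it against your own CA, and refuse legacy protocol versions and ciphers. The block below is an added example, not code from the advisory or from any vendor: it builds server and client contexts with that policy using Python's standard `ssl` module, and audits an arbitrary context against the same policy so that a weak configuration is reported rather than silently accepted. The certificate, key and CA file paths are placeholders; the policy and audit functions run without them.

```python
"""Mutual-TLS context policy plus an audit of an existing context.

Added example, not code from the advisory. Certificate, key and CA paths
are placeholders; the policy and audit functions need no files.
"""
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def apply_policy(ctx):
    """Shared hardening: TLS 1.2+, AEAD ciphers with forward secrecy, peer cert required."""
    ctx.minimum_version = MIN_TLS
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION | getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.verify_mode = ssl.CERT_REQUIRED  # requiring the peer's cert is what makes it mutual TLS
    return ctx


def server_context(certfile, keyfile, client_ca):
    """Server side: present our certificate, accept only clients signed by client_ca (paths assumed)."""
    ctx = apply_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=client_ca)
    return ctx


def client_context(certfile, keyfile, server_ca):
    """Client side (a device or EHR integration): verify server name and chain, present our cert."""
    ctx = apply_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.check_hostname = True  # without this a valid cert for the wrong host is accepted
    ctx.load_verify_locations(cafile=server_ca)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Return policy violations for a context; an empty list means it matches the policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if ctx.minimum_version < MIN_TLS:
        findings.append(f"minimum TLS version below 1.2 ({ctx.minimum_version.name})")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("client does not check the server hostname")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    # A bare server context: no client certificate required, so it is one-way TLS only.
    print("default server context:", audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
    print("hardened server context:", audit_context(apply_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))))
```

The audit is the part worth wiring into a deployment check: a default `SSLContext` encrypts the channel but never asks the client for a certificate, which is exactly the gap that lets an attacker who reaches the network talk to the EHR system as if they were a device.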

Secure stored data

Protect stored data by masking the account number (PAN) when it is displayed, for example showing only the last four digits, and by rendering it unreadable where it is stored, for example with strong encryption, a keyed hash or tokenization. Masking on screen and protecting at rest are separate controls; one does not provide the other.
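Those two controls, masking for display and rendering unreadable for storage, are easy to conflate, so here is an added example (not code from the advisory) that does both with the standard library: a Luhn check so that garbage is rejected before it is stored, a display mask that keeps only the last four digits, and a keyed HMAC-SHA256 token that is safe to keep in a database because, without the key, it cannot be reversed by enumerating the small space of possible card numbers the way a plain hash could. The key shown is a placeholder; in production it lives in an HSM or key management service, never beside the stored tokens.

```python
"""Mask an account number for display and render it unreadable for storage.

Added example, not from the advisory. DEMO_KEY is a placeholder; a real
deployment fetches the key from an HSM/KMS and never stores it with the data.
"""
import hashlib
import hmac
import re

DEMO_KEY = b"placeholder-replace-with-32-random-bytes-from-your-kms"


def normalize_pan(raw):
    """Strip spaces and dashes; require 12 to 19 digits, the length range card PANs use."""
    digits = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{12,19}", digits):
        raise ValueError("not a PAN")
    return digits


def luhn_ok(pan):
    """Luhn checksum: doubles every second digit from the right, sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw, keep=4):
    """Display form: only the last `keep` digits survive (PCI DSS allows at most first 6 + last 4)."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - keep) + pan[-keep:]


def pan_token(raw, key=DEMO_KEY):
    """Storage form: keyed HMAC-SHA256. Deterministic, so it still works as a lookup key,
    but without `key` a leaked table cannot be reversed by brute-forcing the PAN space."""
    return hmac.new(key, normalize_pan(raw).encode(), hashlib.sha256).hexdigest()


def store_card(raw, key=DEMO_KEY):
    """What the database row should hold: token for lookups, masked value for screens, never the PAN."""
    pan = normalize_pan(raw)
    if not luhn_ok(pan):
        raise ValueError("failed Luhn check")
    return {"token": pan_token(pan, key), "display": mask_pan(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    # 4111 1111 1111 1111 is the well-known test card number, used here as constructed input.
    print(store_card("4111 1111 1111 1111"))
```

If you need to recover the full number later (refunds, re-billing), a keyed hash is the wrong tool and you want authenticated encryption under a key with the same custody rules; the masked and tokenized forms above are for everything that only needs to recognise or display the card.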

Follow HIPAA regulations

Make sure to properly secure, store and process PII and PHI in accordance with HIPAA regulations. Compliance does not stop malware by itself, but the safeguards HIPAA requires (access control, audit logging, encryption, contingency planning) limit what an intrusion can reach and how long recovery takes.

Segment and monitor your network

Apply multi-layer network segmentation and ensure that the most critical data is stored on the most secure and reliable layer. Use monitoring tools to determine if your IoT devices are malfunctioning, possibly due to a compromise.
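Segmentation only pays off if something watches for traffic that crosses the boundaries. The block below is an added example, not code from the advisory: it encodes a small segmentation policy (an imaging-device VLAN that may only speak DICOM to the PACS server and NTP to the time server) and runs constructed flow records through it, reporting each violating flow and the devices to quarantine. Segment ranges, server addresses and the flow records are all assumptions made up for the demo.

```python
"""Detect medical-device traffic that crosses segment boundaries it should not.

Added example, not from the advisory. Segments, allow-list and flow records
are constructed for the demo.
"""
import ipaddress

NET = ipaddress.ip_network
ADDR = ipaddress.ip_address

# Assumed segmentation: devices in their own VLAN, clinical servers in a tighter one.
SEGMENTS = {
    "imaging_devices": NET("10.40.0.0/24"),
    "clinical_servers": NET("10.30.0.0/24"),
    "workstations": NET("10.20.0.0/22"),
}

# Allow-list for the imaging VLAN: DICOM to the PACS server, NTP to the time server, nothing else.
ALLOWED = {
    "imaging_devices": {
        (ADDR("10.30.0.5"), 104),  # PACS, DICOM
        (ADDR("10.30.0.2"), 123),  # NTP
    }
}

# Constructed flow records: (src, dst, dst_port, proto), as a flow collector would export them.
SAMPLE_FLOWS = [
    ("10.40.0.17", "10.30.0.5", 104, "tcp"),
    ("10.40.0.17", "10.30.0.2", 123, "udp"),
    ("10.40.0.23", "10.20.1.44", 445, "tcp"),    # device -> workstation SMB: lateral movement
    ("10.40.0.23", "198.51.100.9", 443, "tcp"),  # device -> internet: possible C2 or exfil
    ("10.20.1.44", "10.30.0.5", 443, "tcp"),     # workstation -> server: not policed here
]


def segment_of(ip):
    """Name the segment an address belongs to, or 'external' if none matches."""
    ip = ADDR(ip)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def segmentation_violations(flows):
    """Return flows whose source sits in a policed segment and whose destination is not allow-listed."""
    violations = []
    for src, dst, port, proto in flows:
        seg = segment_of(src)
        if seg not in ALLOWED:
            continue  # segment has no allow-list, so it is not policed by this check
        if (ADDR(dst), port) not in ALLOWED[seg]:
            violations.append({
                "src": src, "dst": dst, "port": port, "proto": proto,
                "src_segment": seg, "dst_segment": segment_of(dst),
            })
    return violations


def devices_to_isolate(flows):
    """Sources with any violation: quarantine the device, not the whole VLAN."""
    return sorted({v["src"] for v in segmentation_violations(flows)})


if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS):
        print(f"{v['src']} ({v['src_segment']}) -> {v['dst']}:{v['port']}/{v['proto']} ({v['dst_segment']})")
    print("isolate:", devices_to_isolate(SAMPLE_FLOWS))
```

On the sample, one device is flagged twice: once for reaching into the workstation VLAN over SMB and once for reaching the internet. Either is a reasonable trigger for pulling that device into a quarantine VLAN, while the devices that stayed inside their allow-list keep working.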

Review your security policies

Regularly review your internal policies that regulate storage of and access to PII and PHI.

Organizations should also transition to the Zero Trust cybersecurity model adopted by the United States and other countries, advises Martini. Specifically, focus on the Zero Trust Architecture defined by NIST in Special Publication 800-207.

“The Zero Trust model ensures that all critical applications and data are completely inaccessible to attackers and only accessible by employees, essentially making resources completely private,” Martini said. “The goal of Zero Trust, according to NIST 800-207, is to solve the crux of the problem, which is to prevent unauthorized access to data and services. These types of attacks fail if North Korea cannot access resources to begin with.”
