The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued an advisory to the U.S. health sector regarding probable cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare providers.
HC3 noted that HHS is not aware of any specific threats to the Healthcare and Public Health (HPH) sector; nonetheless, it is clear that allies on both sides of the conflict have cyber capabilities, and there are concerns that the HPH sector could be hit by cyberattacks arising from the conflict.
HC3 has warned that threats can originate from three sources: threat actors connected with the Russian government, threat actors associated with the Belarusian government, and cybercriminal groups operating beyond Russia and its neighboring states. There is also potential for other cybercriminal gangs to either become involved in the conflict or take advantage of it to carry out unrelated cyberattacks.
Russia has been a global cyber power for many decades. Going back to the Moonlight Maze attacks on the U.S. Department of Defense in the 1990s, Russian state-sponsored actors have been thought responsible for some of the most advanced cyberattacks publicly disclosed. In particular, they are known to target adversaries' critical infrastructure to further their geopolitical ambitions.
There are also highly capable cybercriminal groups that operate outside of Russia or have expressed their support for Russia, including the group behind Conti ransomware. The Conti ransomware gang, which is widely believed to have also operated Ryuk ransomware, has extensively targeted the healthcare industry in the U.S. The group engages in big game hunting and multi-stage attacks, and targets managed service providers (MSPs) and their downstream customers. It practices double and triple extortion, exfiltrating data before encryption and then threatening to publish the data and notify partners and shareholders if no ransom is paid.
HC3 believes that the Conti ransomware group and/or other cybercriminal groups may either participate in the conflict or exploit it for financial gain. The threat group tracked as UNC1151 is believed to be linked to the Belarusian military and reportedly conducted phishing campaigns targeting Ukrainian troops in January, and the WhisperGate wiper, used in cyberattacks in Ukraine, has also been linked to Belarus.
WhisperGate is one of three variants of wiper malware that were recently identified. These wipers pose as ransomware, dropping ransom notes that claim files have been encrypted; in reality, the master boot record is overwritten rather than encrypted, so there is no way to recover it.
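As an added example (not part of the HC3 advisory or this article), the following Python triage check shows what a responder can verify when a machine shows a ransom note but will not boot: whether the first sector still looks like a valid MBR or has been zeroed or overwritten. The "known good" sector and the zeroed sector are constructed inline; a real check would read the first 512 bytes of a disk image.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIG_OFFSET = 510            # 0x55AA boot signature occupies the last two bytes
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS(skip), type, CHS(skip), LBA start, sector count


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four classic MBR partition entries into dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def triage_mbr(mbr: bytes) -> dict:
    """Classify a raw first sector as 'intact' or 'suspect', listing every reason."""
    if len(mbr) != SECTOR:
        return {"verdict": "invalid", "findings": [f"expected {SECTOR} bytes, got {len(mbr)}"]}
    findings = []
    if mbr[SIG_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if len(set(mbr[:TABLE_OFFSET])) == 1:
        findings.append("bootstrap area is a single repeated byte (zeroed or overwritten)")
    parts = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    if not parts:
        findings.append("partition table defines no partitions")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"partition type 0x{p['type']:02x} has zero length")
    return {"verdict": "intact" if not findings else "suspect", "findings": findings, "partitions": parts}


def build_sample_mbr() -> bytes:
    """Constructed, minimal but well-formed MBR used as the known-good sample."""
    bootstrap = b"\xeb\x3c\x90" + b"CONSTRUCTED-BOOTSTRAP".ljust(TABLE_OFFSET - 3, b"\x90")
    table = ENTRY.pack(0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48  # one NTFS entry, three empty
    return bootstrap + table + b"\x55\xaa"


if __name__ == "__main__":
    for name, sector in (("constructed-good", build_sample_mbr()), ("zeroed", bytes(SECTOR))):
        print(name, triage_mbr(sector))
```

A sector that fails this check but is accompanied by a ransom note is consistent with the wiper behaviour described above rather than with recoverable encryption, and should be preserved as evidence before any rebuild.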
Another wiper, HermeticWiper, was used in attacks in Ukraine beginning February 24, 2022, and several variants of it have since been discovered. ESET has recently identified a further wiper, which the company named IsaacWiper, and is currently investigating it.
Although attacks using these wipers are currently confined to Ukraine, the 2017 NotPetya wiper was likewise used in targeted attacks in Ukraine, delivered through compromised tax software, yet the malware spread worldwide and affected multiple healthcare organizations in the United States.
All organizations in the HPH sector are strongly urged to maintain a heightened state of vigilance, take steps to strengthen their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.