COVID-19’s Healthcare Feeding Frenzy for Cybercriminals


The COVID-19 pandemic has enlarged the threat landscape for all industry sectors; but none more so than healthcare. The primary areas of concern include insecure working from home, and stress related lax behavior at the office.

The vast increase in staff from all industries working from home, outside of their corporate network defenses and often on poorly protected home computers, has been a treasure trove for hackers. Two common attack methodologies have been phishing (where the pandemic has provided the opportunity to add two of the most compelling social engineering triggers: fear and urgency), and home router compromise (where brute forcing passwords that have often not been changed from the default) is common.

Once a home computer is compromised, attackers are looking for any method to gain access to the user’s company network. Healthcare institutions, from hospitals and clinics to pharmaceutical companies and medical equipment manufacturers are especially valued for two primary reasons. Firstly, any stored PII that includes protected health information (PHI) is more valuable to the criminal than PII alone for identity theft and financial fraud purposes. Secondly, healthcare institutions are under enormous pandemic-related stress and pressure to work at full capacity with no downtime. The fine points of cybersecurity hygiene are often omitted in favor of continuity — and that same need for continuity makes criminals believe that healthcare institutions will be more open to pay ransom demands.

Threat intelligence firm IntSights notes in its 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report (PDF) that healthcare breach reports have been running at two per day between March and July 2021. Ransomware attacks against healthcare, particularly hospitals, have also continued to increase “due to their perceived and actual vulnerability to compromise and extortion”.

The sale of compromised network access is big business for the black market, and a recent IntSights analysis found that almost 20% of all observed victims were from the healthcare industry. Ransomware operators ‘are a critical segment of the customer base for sales of compromised networks’. A typical example was the sale of access to a U.S. regional hospital network in July 2020 by ‘TrueFighter’ for $3,000. The access included a combination of RDP access and domain administrator credentials.

The May 2021 Conti attack against Ireland’s Health Service Executive demonstrates the now common factor of ‘double extortion’ in ransomware attacks. If the victim refuses to pay the ransom, PHI stolen during the attack is publicly disclosed and/or sold on in the dark web – leaving the victim open to compliance fines, and the victim’s patients at danger of identity theft.

Conti has been a prolific ransomware used against healthcare. IntSights comments, “Identifiable healthcare victims of Conti ransomware data disclosures in the past year include: California-based Empire Physicians Medical Group in May 2021; Laura Daniela Emergency Integral Clinic in Valledupar, Colombia in March 2021; New Mexico-based Rehoboth McKinley Christian Health Care Services in February 2021; Virginia-based TaylorMade Diagnostics and Nevada-based Gastroenterology Consultants in January 2021; HT Medica, a Spanish network of diagnostic imaging centers, in December 2020; Miami-based Leon Medical Centers, also in December 2020; and Higginbotham Family Dental in Arkansas and Tennessee in September 2020.”

In fact, the Conti-specific threat has been so great that the FBI issued its own cybersecurity alert in May 2021.

But while criminal gangs have attacked the healthcare industry for monetary gain, nation-state actors have also been drawn into the COVID-19 feeding frenzy. As usual, nation-states are more attracted by intellectual property (IP) than by financial gain. For them, the primary target has been IP around COVID-19 research and vaccine formulas – with North Korea possibly the most prolific attacker.

State-sponsored attackers identified in the report include Lazarus, Kimsuky and Cerium (North Korea); Fancy Bear and Cozy Bear (Russia); unspecified Chinese attackers targeting Spanish research centers, and Li Xiaoyu and Dong Jiazho indicted for targeting COVID-19 research companies on behalf of the Chinese Ministry of State Security (MSS); and the Iranian Charming Kitten, which conducted a phishing attack against the US pharmaceutical company Gilead Sciences.

IntSights also points to a separate attraction of the healthcare industry for nation-states – the gathering of human intelligence (HUMINT). While there is no specific knowledge of current attacks for this purpose, it undoubtedly continues. The Chinese breaches of Anthem and OPM are cited as an example. Anthem provided information on U.S. citizens with significant health-related financial debts, while the OPM breach provided information on people with high security clearances.

“Security researchers,” says the IntSights report, “posited that Chinese intelligence consumers aimed to combine and cross-reference Anthem and OPM data in order to identify US security clearance holders with significant healthcare debts, whom they believed might be vulnerable to development and recruitment as financially motivated HUMINT sources for Chinese intelligence services.”

In January 2021, the U.S. government warned that Chinese offers to provide COVID-19 testing capabilities was really a pretext for collecting American DNA samples. “Possible applications,” says IntSights, “would include surveillance… manipulation, blackmail, or coercion of US citizens with health problems identifiable from DNA samples into serving as HUMINT sources for Chinese intelligence services.”

There is no doubt that the COVID-19 pandemic has created a huge opportunity for cybercriminals. At the same time, the advanced research capabilities of the affluent western nations offer a potential cheap source of valuable COVID IP that could be used by foreign states to further their own geopolitical aspirations. 

The world is approaching the second anniversary of this pandemic, and while much of the world believes it is coming under control, this is not the case in the United States. The Delta variant is rampant, hospitals are stretched to breaking point, and there remains a widespread reluctance to vaccinate.

The feeding frenzy created by the COVID-19 pandemic for both cybercriminals and nation-states is ongoing.

Israel-born cyber threat intelligence firm IntSights raised $30 million in a Series D funding round in November 2019. It was acquired for $335 million by Boston MA-based Rapid7 in July 2021.

Related: State-Backed Players Join Pandemic Cyber Crime Attacks

Related: Attack Surface Growing for Healthcare Industry

Related: Tausight Raises $20M to Protect Healthcare Data

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:
Tags:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *