Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime
HHS HC3 Warns Healthcare Sector of Hive Threats
Experts Urge Sector to Step Up Cyber Defenses As Entities Get HitFederal authorities are warning the healthcare and public health sectors of aggressive, financially motivated attacks by the Hive ransomware group.
See Also: Live Webinar | Active Directory Under Attack: How to Build a Resilient Enterprise
The cybercrime operation, which was the subject of an earlier advisory by the FBI, has been linked to a number of attacks on healthcare sector entities, including - allegedly - a recent incident experienced by Partnership HealthPlan of California, a nonprofit managed care health plan.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, in an advisory Monday recommended that healthcare and public health entities raise their awareness and apply strong cybersecurity principles and practices in defending their infrastructure and data against compromises involving Hive.
"The Hive ransomware group has been known to be operational since June of 2021 but in that time has been very aggressive in targeting the US health sector," HC3 writes. The alert says that a December report by security firm Intel 471 covering the third quarter of 2021 ranked Hive as the fourth-most-active ransomware operators in the cybercriminal ecosystem, just a few months after Hive began its operations.
Hive Victims
Among healthcare sector entities allegedly recently hit by Hive is Fairfield, California-based Partnership HealthPlan of California, or PHC, which last month posted a notice on its website saying it "recently began experiencing technical difficulties, resulting in a disruption to certain computer systems."
On April 15, PHC updated its website notice, saying it had successfully restored its website functionality. "We apologize for the recent service disruption and appreciate the patience and understanding of our partners and providers as we worked to safely restore systems," the notice says.
"We have taken all recommended measures offered by our cybersecurity partners to ensure these systems are safe and available to resume normal business operations. The safe restoration of systems follows the detection of anomalous activity within areas of the organization’s network," it says, adding that the entity's investigation into the incident continues with the assistance of third-party forensics specialists.
A listing on the dark web data leak site of ransomware group Hive last week claimed that PHC's data had been encrypted on March 19 and that some of that information had been "disclosed" on April 12. The HiveLeaks site claims data stolen from PHC includes 400GB of files from a file server and 850,000 "unique records" of personally identifiable information, including names, addresses, dates of birth and Social Security numbers.
PHC did not immediately respond to Information Security Media Group's request for comment on the incident.
Other healthcare sector entities reportedly hit by Hive include Memorial Health System, a three-hospital system based in Marietta, Ohio, which experienced a disruptive ransomware attack last August.
Advisory Details
HHS HC3 in its advisory says that Hive attacks involve conducting double extortion - including data theft prior to encryption and posting details of the data stolen in the incident on a leak site that is accessible on the dark web.
Hive operates on a Ransomware-as-a-Service model and leverages Golang, a language used by many cybercriminals to design their malware, HC3 says. "They also ported their Linux VMware ESXi encryptor to Rust, making it more challenging for security researchers to analyze their operations," it says.
"They leverage common - but effective - infection vectors such as RDP and VPN compromise as well as phishing," according to the advisory.
Some victims have received phone calls from Hive to pressure them to pay and conduct negotiations.
"Like some other ransomware variants, Hive searches victim systems for applications and processes which backup data and terminates or disrupts them. This includes deleting shadow copies, backup files, and system snapshots."
Hive has replicated a number of features and practices of the Black Cat operators, such as removing Tor negotiation URLs from their encryptor to prevent security researchers from extracting the ransom note and listening in on negotiations, HC3 says. That is known to have happened to other ransomware operators in the past, it adds.
"Hive extended their possible targets to Linux and FreeBSD systems by further developing their encryption algorithms. They developed a new IPv4 obfuscation technique, called IPfuscation, which makes them more stealthy," HC3 writes.
Favorite Targets
Brett Callow, a threat analyst at security firm Emsisoft, says Hive and other cyberattackers seem to frequently target the healthcare sector because of ROI. "Like legitimate businesses, cybercrime operations stick with strategies that work. If they’ve found a sector to be especially profitable, they’ll attack it over and over," he says.
According to Callow, since Hive is a Ransomware-as-a-Service operation, it is possible that a single Hive affiliate is heavily targeting the healthcare sector, "and that affiliate may also target the sector using other types of ransomware, too."
The global healthcare and public health sector has been a frequent target of other ransomware gangs, including Conti.
Last year, Ireland's Health Services Executive, the country's health system, suffered an attack by the ransomware gang Conti that disrupted its IT systems and patient care for several months.
Meanwhile, back in the U.S., San Diego, California-based Scripps Health, which reported a breach affecting 147,000 individuals tied to a ransomware attack, has begun notifying another round of patients identified as being affected by the incident. Scripps Health reported to municipal regulators in California last August that the May incident - which disrupted IT systems and patient care delivery for about a month - had so far cost the organization $113 million, including $91.6 million in lost revenue.
In a statement provided to ISMG, Scripps Health says it has continued to conduct an extensive and time-intensive investigation of the cybersecurity incident that occurred in early May 2021. That includes a manual review of documents involved in the incident.
"The recently concluded review determined that additional patient information was contained in those documents, and we are mailing notification letters to those newly identified individuals so they can take steps to protect their information. At this point, we have no indication that any of this data has been used to commit fraud," the statement says.
Scripps Health has continued to implement enhancements to its information security, systems and monitoring capabilities and is continuing to actively work with federal law enforcement agencies to support their ongoing effort to investigate those responsible for the incident, the statement says.
Scripps Health did not immediately respond to ISMG's request for details regarding its latest figures pertaining to the total number of affected individuals and updated cost estimates associated with the incident.
Scripps Health has not disclosed the type of ransomware involved in its incident.
Taking Action
To help prevent falling victim to Hive and other ransomware attacks, HC3 advises that healthcare sector entities take critical steps including using multifactor authentication with strong passwords, especially for remote access services such as RDP and VPNs.
Entities should also effectively back up data - particularly critical, sensitive and operationally necessary data, HC3 says.
"We recommend the 3-2-1 Rule for the most important data: Back this data up in three different locations, on at least two different forms of media, with one of them stored offline."
Also critical is continuous monitoring, which should be supported by a constant input of threat data, including open-source data and possibly proprietary information, the advisory says.
"Everyone needs to be on guard, more so now than ever, due to the Russia-Ukraine conflict, because it provides a convenient smokescreen for cyberthreat actors to try and make their attack look like they are part of the political issues going on in that unfortunate set of events in Europe," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
Weiss says that as long as groups such as Hive are making money and avoiding detection by law enforcement agencies, cyberattacks against the healthcare sector - and schools, universities and government entities - will continue to grow exponentially.
Healthcare entities in particular need to be on guard, proactive and forward-thinking when it comes to securing their IT and OT networks to deflect and prevent attacks from cyberthreat groups, he says.