HHS: Health Sector Should Prepare for Russia-Ukraine Threats
Advises Entities to Ready Weekslong Continuity, Resilience Plans
Federal authorities are advising healthcare sector entities to take precautions, including enhancing their cybersecurity posture and being prepared to implement four- to six-week business continuity plans, as they continue to face potential cyber incidents related to the Russia-Ukraine war.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, in an analysis report issued Thursday, provides an overview of the potential threats involving the conflict, as well as a history of earlier attacks involving Russian-backed actors (see: Russia-Ukraine War: Threats Facing Healthcare Sector).
That includes earlier Russian attacks affecting the healthcare sector, such as the 2017 NotPetya ransomware attack on Ukraine and more recent assaults by Russian ransomware cybercriminal groups, such as Conti, Ryuk and FIN12.
HermeticWiper is a new form of disk-wiping malware that was used to attack organizations in Ukraine shortly before the launch of the Russian invasion, the report says. It leverages a signed driver, which is used to deploy a wiper that targets Windows devices, manipulating the master boot record in such a way that causes boot failure, HC3 says.
The malware also uses a digital certificate issued under a Cyprus-based company called Hermetica Digital Ltd., which "likely does not exist or is not operational if it does," HC3 writes.
WhisperGate, also a new form of disk-wiping malware, is believed to operate in three parts: a bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper, HC3 says.
WhisperGate was observed attacking organizations in Ukraine shortly before the launch of the Russian invasion on Feb. 24, the report says. "The WhisperGate bootloader complements its file-wiper counterpart. Both irrevocably corrupt the victim's data and attempt to disguise themselves as ransomware operations."
With a continuation of ransomware threats by groups such as Conti, as well as wiper malware and other emerging threats, healthcare sector entities must be vigilant, HC3 says.
The three main concerns are hospitals and healthcare systems being targeted directly by Russian-sponsored cyber actors; hospitals and healthcare systems becoming incidental victims of Russian-deployed malware or destructive ransomware; and a cyberattack disrupting hospitals' services, HC3 writes.
Healthcare sector entities should take critical steps to be better prepared for such threats, HC3 says.
They include creating, maintaining and exercising a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if IT systems are disrupted or need to be taken offline, HC3 says.
"Hospitals and health systems should implement four- to six-week business continuity plans and well-practiced downtime procedures."
Other critical steps are:
- Confirm reporting processes and minimize personnel gaps in IT and OT security coverage.
- Use best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
- Bolster staff awareness of phishing emails containing malware.
- Check network and data backups and ensure that multiple copies exist - including offline, network-segmented, on-premises and in the cloud - with at least one immutable copy.
- Implement geofencing for all inbound and outbound traffic originating from, and related to, Ukraine and its surrounding region, and identify all internal and third-party mission-critical clinical and operational services and technology.
- Refer to CISA's "Shields Up" guidance for additional insights, mitigations and reporting on malicious activity that may be associated with the Russia-Ukraine conflict.
HC3 also reports that Russian state-sponsored advanced persistent threat actors have used "common but effective tactics," including spear-phishing, brute force and exploiting known vulnerabilities against accounts and networks with weak security, to gain initial access to target networks.
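Of the three tactics HC3 lists, brute-force logins are the easiest to catch from ordinary authentication logs. The following detector is an added example, not code from HC3 or the article: it parses constructed sshd-style log lines (the IP addresses, usernames and timestamps are made up), flags any source address that accumulates five or more failed logins inside a five-minute sliding window, and raises a second, higher-priority alert if that address then logs in successfully, which is the footprint a password-guessing attack leaves once it lands a valid credential. The threshold and window values are assumptions a defender would tune to their own environment.

```python
"""Brute-force login detection over constructed sshd-style auth log lines.

Added example (not from HC3 or the article). Flags a source IP once it has
THRESHOLD failed logins within WINDOW, and separately flags a success from
an already-flagged IP (a guessing attack that eventually succeeded).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
2022-03-03T08:00:01 sshd[812]: Failed password for admin from 203.0.113.7 port 51000
2022-03-03T08:00:03 sshd[812]: Failed password for admin from 203.0.113.7 port 51001
2022-03-03T08:00:04 sshd[812]: Failed password for root from 203.0.113.7 port 51002
2022-03-03T08:00:06 sshd[812]: Failed password for nurse1 from 203.0.113.7 port 51003
2022-03-03T08:00:07 sshd[812]: Failed password for nurse2 from 203.0.113.7 port 51004
2022-03-03T08:00:09 sshd[812]: Accepted password for nurse2 from 203.0.113.7 port 51005
2022-03-03T08:05:00 sshd[812]: Failed password for jdoe from 198.51.100.4 port 40100
2022-03-03T08:20:00 sshd[812]: Failed password for jdoe from 198.51.100.4 port 40101
2022-03-03T08:20:10 sshd[812]: Accepted password for jdoe from 198.51.100.4 port 40102
"""

# Matches the simplified sshd format used in SAMPLE_LOG (an assumption;
# real deployments adapt this to their own log layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

# Assumed tuning values; a defender would adjust these per environment.
THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Return (timestamp, success, user, ip) tuples for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; ignored rather than guessed at
        events.append((datetime.fromisoformat(m["ts"]),
                       m["result"] == "Accepted", m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in the order they were raised."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()                # ips already alerted on for brute force
    alerts = []
    for ts, ok, user, ip in sorted(events):
        recent = failures[ip]
        if not ok:
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(recent), "at": ts})
        elif ip in flagged:
            # A success after a burst of failures is the case that matters most.
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, 203.0.113.7 produces both alerts (five failures in eight seconds, then a login as nurse2), while 198.51.100.4's two failures fifteen minutes apart never meet the threshold, so a mistyped password does not trip the detector.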
Denise Anderson, president of the Health Information Sharing and Analysis Center, tells Information Security Media Group that H-ISAC has been monitoring the Russia-Ukraine conflict closely.
Thankfully, so far, it has not seen any targeted attacks directed at U.S. healthcare sector entities, she says.
"Obviously, there's concern around spillovers, like a NotPetya situation," she says, "so we are encouraging our members to be vigilant." That includes ensuring that software is patched to the latest version available.
While U.S. critical infrastructure entities face the risk of state-sponsored Russian cyberattacks related to the war in Ukraine, the healthcare sector is a less likely target of such government-sponsored attacks, says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is head of threat intelligence advisory at security firm Rapid7.
"U.S. industries that would be more likely to become targets include government, financial services, and energy and utilities, all of which are more directly relevant to the issues at stake," he says.
But, he says, the U.S. healthcare industry is more of a target for Russian criminals, particularly ransomware groups. "A scenario more likely to affect U.S. healthcare is a ransomware attack by 'patriotic' Russian criminals seeking to support their country without actual state sponsorship.
"For example, the Conti ransomware group threatened to retaliate against the critical infrastructure of foreign countries conducting any such attacks on that of Russia. Healthcare has historically been a top target for Conti and other ransomware groups."
Brett Callow, a threat analyst at security firm Emsisoft, says that the Russia-Ukraine conflict has also affected the cybercrime gangs themselves - which could be a positive development for the healthcare and other sectors for now.
"The war seems to have negatively impacted a number of ransomware gangs, including Russia-based operations, due to them either having personnel based in Ukraine or using money-moving or other services based in Ukraine," he says.
"Those Ukrainian resources may no longer be available to them and, even if they are, there are likely now trust problems."
These factors make it harder for the gangs to operate and may limit their ability to carry out attacks, meaning fewer ransomware attacks, and not more, according to Callow.
"That's not to say that organizations should let their guard down. Attacks on healthcare and other critical infrastructure organizations continue to happen, and escalation remains a real possibility."