Tuesday, February 14, 2023

Healthcare in the Crosshairs of North Korean Cyber Operations



Organizations in the US healthcare and public health sector are among the top targets for state-sponsored North Korean cyber-threat actors seeking to fund espionage activities through ransomware and other attacks.

That is the assessment of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the US Department of Health and Human Services, and South Korean intelligence agencies. In a joint advisory Feb. 9, the group described the North Korean government as using revenues — in the form of cryptocurrency — from these ransomware attacks to fund other cyber operations that include spying on US and South Korean defense sector and defense industrial base organizations.

State-Sponsored Ransomware Attacks With a Mission

“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives,” the advisory said.

The alert also cautioned ransomware victims in healthcare and critical infrastructure sectors against paying ransoms. “Doing so does not guarantee files and records will be recovered and may pose sanctions risks,” it said.

There’s little in the advisory to indicate whether it was prompted by new threat intelligence or word of imminent attacks. But it comes amid a continuing increase in ransomware attacks against healthcare entities overall. A report in the Journal of the American Medical Association (JAMA) earlier this year identified a doubling in the number of ransomware attacks against healthcare entities between 2016 and 2021. Of the total 374 ransomware attacks on US healthcare organizations during that period, some 44% disrupted healthcare delivery.

The most common disruptions included system downtime, cancellations of scheduled care, and ambulance diversions. JAMA’s study found an increase particularly in ransomware attacks against large healthcare organizations with multiple facilities between 2016 and 2021.

A June 2022 report from Sophos showed that 66% of healthcare organizations experienced at least one ransomware attack in 2021. Sixty-one percent of those attacks ended with the attackers encrypting data and demanding a ransom for the decryption key.

“Healthcare saw the highest increase in volume of cyberattacks (69%) as well as the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59% respectively,” Sophos said.

New Intel, New Tactics

CISA’s latest cybersecurity advisory this week updates its earlier guidance on state-sponsored ransomware attacks from North Korea directed against the US healthcare and public health sector. It highlighted several tactics, techniques, and procedures (TTPs) that North Korean cyber actors are currently using when executing ransomware attacks against healthcare targets. Many of the TTPs are typical of those observed in ransomware attacks generally and include tactics such as lateral movement and asset discovery.

The advisory also highlighted several ransomware tools — and associated indicators of compromise (IoCs) — that North Korean actors have been using in attacks on healthcare organizations. Among them were privately developed variants such as Maui and H0lyGh0st, and publicly available encryption tools such as BitLocker, Deadbolt, Jigsaw, and Hidden Tear.

“In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group,” in an attempt to evade attribution, the advisory said.

In addition to obfuscating their involvement by working with other affiliates and foreign third parties, North Korean actors frequently use fake domains, personas, and accounts to execute their campaigns, CISA and the other agencies said. “DPRK cyber actors may also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.”

The advisory highlighted some of the newer software vulnerabilities that state-backed groups in North Korea have been exploiting in their ransomware attacks. Among them were the Log4Shell vulnerability in the Apache Log4j framework (CVE-2021-44228) and multiple vulnerabilities in SonicWall appliances.

CISA’s recommended mitigations against the North Korean threat included stronger authentication and access control, implementing the principle of least privilege, using encryption and data masking to protect data at rest, and securing protected health information during collection, storage, and processing.

The advisory also urged healthcare entities to maintain isolated backups, develop an incident response plan, update operating systems and applications, and monitor Remote Desktop Protocol (RDP) and other remote access mechanisms.
