Anatomy of a health care cyberattack
Thank you for subscribing to the free edition of the twice-weekly Parallax View newsletter. All issues are free through March 22. After that, you’ll receive one issue per week. If you’d like to support our independent journalism on the intersection of health care and cybersecurity with a paid subscription, you can do so here. If you'd like a subscription option not available, please email firstname.lastname@example.org.
Last year, as French pharmaceutical giant Sanofi was scrambling to get its first Covid-19 vaccine ready alongside similar mRNA-based vaccines from Moderna and Pfizer, it suffered a cyberattack.
The cyberattack does not appear in any way to have affected the production or trials of Sanofi’s vaccine efforts. It announced on March 11 that it had begun human trials of its second jab. But the attack is a case study in how easy it can be for cybercriminals to infiltrate a network that, like Sanofi’s, has strong defenses.
Early last fall, an advanced cybercriminal adversary—probably the Lazarus Group out of North Korea, according to Richard Webster, the head of Sanofi’s Security Operations Center—began targeting pharmaceutical-industry employees through a spoofed LinkedIn account for a job recruiter.
Private messages from the account suggested to Sanofi employees that there was a job opening at Pfizer. By the end of the day on Friday, September 25, the attackers had built enough trust with at least one Sanofi employee that they were able to advance the attack to its next stage: They moved the conversation to WhatsApp.
WhatsApp’s end-to-end encryption allowed the phisher to keep the mobile conversations more private. Its interoperability across Web and desktop apps also provided an opportunity the cyberattackers could exploit. They coerced the targeted employee to download a “weaponized Word document” that contained details on the alleged employment opportunity, Webster said during a webinar about the attack.
The attackers’ first attempt to get the employee to download the malicious Word doc failed, but their second attempt, the following Monday, succeeded.
“They were able to bypass a whole section of our security controls. We do TLS intercept for Web browsing. We look at the files you download, we apply content filtering, and antivirus, and sandboxing. In a normal download, we would’ve taken that Word document, put it in a sandbox, and seen what it does,” he said. “But WhatsApp allowed them to get around that.”
The Word document asked the user for permission to run a macro, Webster said, which then downloaded administrative software tools that were not intrinsically malicious, including the multipurpose OpenSSL software library and the Microsoft Active Directory search tool ADFind. (Active Directory is an easy target for ransomware and other cyberattacks because it is used to manage so many different aspects of an organization’s network.)
Just because these tools are not designed to be malicious doesn’t mean they can’t be used maliciously. The attackers turned their sights to digging deeper into Sanofi’s network.
By September 29, they had struck gold. “They actually were able to find a password on a network share in that local area where they were, and they were able to get access to two servers on that system,” Webster said. They leaped from an endpoint computer on the Sanofi network to an internal server and then hacked a local administrator password in a matter of days.
Sanofi’s next-generation security software had been tracking the attackers’ unusual behavior, and at this point, it determined that it had enough data to warn Webster's team. On September 30, Webster and his colleagues began the process of shutting down the attack, blocking the digital paths that the attackers had used, and fixing hacked machines.
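The three stages Webster describes (a Word macro launching a shell, ADFind run from a user workstation, and a credential file read off a network share) are the kind of individually weak signals that a behaviour-based detector correlates per host before it raises an alert. The toy Python detector below is an added example, not Sanofi’s or Vectra’s code; the event format, rule names, hostnames and paths are assumptions, and the sample telemetry is constructed.

```python
from collections import defaultdict

# Office apps whose document macros have no business launching shells or script hosts
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Dual-use admin tools (ADFind is the one named above): normal on an admin server,
# out of place on an end-user workstation
RECON_TOOLS = {"adfind.exe", "nltest.exe"}
CRED_WORDS = ("password", "passwd", "cred")


def classify(ev):
    """Map one endpoint event to a rule name, or None if it looks benign."""
    if ev["kind"] == "process":
        parent, image = ev.get("parent", "").lower(), ev["image"].lower()
        if parent in OFFICE_APPS and image in SHELLS:
            return "office_spawn"       # macro stage: Word launching a shell
        if image in RECON_TOOLS and ev["role"] == "workstation":
            return "ad_recon"           # AD enumeration from a user machine
    elif ev["kind"] == "file":
        path = ev["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if path.startswith("\\\\") and any(w in name for w in CRED_WORDS):
            return "share_cred_read"    # credential-looking file on a network share
    return None


def correlate(events, min_rules=2):
    """Collect distinct rule hits per host and alert only once a host has
    accumulated min_rules different signals, so one noisy event pages nobody."""
    hits = defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}


# Constructed sample telemetry (not Sanofi's logs); hostnames and paths are invented
SAMPLE_EVENTS = [
    {"host": "ws-042", "role": "workstation", "kind": "process", "parent": "winword.exe", "image": "cmd.exe"},
    {"host": "ws-042", "role": "workstation", "kind": "process", "parent": "cmd.exe", "image": "AdFind.exe"},
    {"host": "ws-042", "role": "workstation", "kind": "file", "path": r"\\fs01\it\old_passwords.txt"},
    {"host": "srv-ad-01", "role": "server", "kind": "process", "parent": "cmd.exe", "image": "AdFind.exe"},
    {"host": "ws-007", "role": "workstation", "kind": "process", "parent": "winword.exe", "image": "splwow64.exe"},
    {"host": "ws-019", "role": "workstation", "kind": "file", "path": r"\\fs01\hr\handbook.docx"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # {'ws-042': ['ad_recon', 'office_spawn', 'share_cred_read']}
```

Only ws-042 trips the alert: ADFind on the admin server and Word spawning a print helper on ws-007 are classified as benign, which is the false-positive discipline that lets a team wait for corroboration instead of paging on every single event.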
“Stealthy” attackers are “smart, well-educated people. They know everything we have in our toolbox,” Webster said.
Few health care organizations are as well-resourced as Sanofi to deploy cutting-edge cybersecurity defenses. And even companies with world-class financial and workforce resources dedicated to cybersecurity fall victim to phishing attacks like this one.
Locking up corporate systems with ransomware is one of the most common goals of the kind of intrusion Sanofi faced. Recovery from successful ransomware attacks is cumulatively costing health care organizations hundreds of millions of dollars.
More than 1,500 U.S. health care organizations together spent more than $160 million in recovery costs between 2016 and 2019, according to a Comparitech report from February 2020. Check Point Research found increasing efforts by hackers in 2020 to target health care: Four percent of health care organizations worldwide were infected with ransomware in the third quarter of 2020, up from 2.3 percent in the second quarter; health care organizations were the No. 1 target for ransomware in the United States; and November and December saw a 45 percent spike in ransomware attacks against health care organizations globally, compared with an average 22 percent increase in ransomware attacks against other sectors. And a Coveware report found that ransomware causes on average 15 days of downtime in electronic health record systems.
Why haven’t health care organizations been able to stop these attacks?
Among the cybersecurity tips that HHS suggests health care organizations implement to strengthen their defenses is making sure that computers and networks are running the latest software patches. Keeping all software up to date is not always possible, however. Another tip, changing passwords frequently, contradicts 2016 guidance from the chief technologist of the FTC and 2018 guidance from US-CERT, both of which found that forced periodic password changes tend to push users toward weaker, predictable passwords.
A third set of tips—disabling unused remote-access ports, implementing “allow lists” so only approved software can run, auditing user accounts, and monitoring logs to verify that systems have not been improperly accessed—is challenging to implement amid security staffing shortages, especially when many employees in health care organizations need broad access to patient records and hospital systems.
It’s hard not to conclude that the security strategies that have been used thus far to protect health care organizations have been insufficient, says Tom Kellermann, head of cybersecurity strategy for VMware.
“In a hospital, the worst-case [scenario] is a hot zone with secondary infections like staph,” he says. “That’s what a Trojan followed by ransomware is like, and it needs to be prevented in cybersecurity.”
During the Ryuk ransomware attack in October 2020, “the coordinated response of CISA, FBI, HHS, and the Health-ISAC was unprecedented,” Kellermann says. “[Organizations] need to expand upon that, they really need to invest in security more heavily, and they need to elevate CISOs.”
The Health Information Sharing and Analysis Center, a global nonprofit organization, has about 500 members across private and public health organizations (including approximately half of U.S. hospitals) that share information and best practices on how to deal with the cybersecurity threats they face. Errol Weiss, H-ISAC’s chief security officer, notes that health care organizations are lagging far behind the cybersecurity investments of other industries, with even medical-device manufacturers surpassing them.
“Health care providers have not made the same level of investment in cybersecurity as other sectors. From dollars spent on infrastructure, to people and hires, I think it’s been lagging,” Weiss says.
Although H-ISAC’s members collectively did not report a big spike in ransomware attacks against health care organizations until the Ryuk attacks became apparent later in the year, he believes that investing in cybersecurity will help mitigate third-party vulnerabilities such as those from business-to-business service providers. One of the hallmarks of Ryuk is that, like many of its ransomware cousins, it hunts down security flaws in Active Directory installations.
“Given how prevalent Active Directory is, [as well as] how many institutions rely on services that use Active Directory’s infrastructure, it’s a major problem that isn’t going to go away,” he says.
A lack of basic insight plagues health care
Kellermann believes that many health care organizations already have the security software tools they need but haven’t yet properly configured them. Chris Morales, head of security analytics at cybersecurity data science company Vectra AI, meanwhile, says the challenges in securing health care organizations run much deeper than staffing and software patches.
Figuring out which computers and devices are connecting to their networks is a vital (and ever-changing) step in identifying vulnerabilities to address, he says. But because of the way hospital networks are structured, it’s not insurmountable.
“Health care organizations lack visibility into what’s happening on their network, [and] they also don’t know what’s on it, or what’s supposed to be on it,” says Morales, whose company provided the behavior-based machine-learning system that Sanofi used to detect and stop the September 2020 cyberattack from causing more damage than it did.
The challenge in identifying those things makes it easy for attackers to move quickly and laterally across health care networks, installing backdoors, dropping ransomware, and stealing data, he says. But because hospitals have so many different employees with different responsibilities who all need to access the same data, their networks are relatively “flat,” or not as segmented, compared with those in the financial industry, and thus relatively easy to monitor.
“Flat networks are highly conducive to network-based monitoring of behaviors. You can plug in to the network and watch the whole thing very quickly,” Morales says. “At every one of our customers, we’ve seen live breaches and live ransomware attacks. Being able to take a machine offline, lock an account, and isolate it is critical. It’s not an insurmountable problem to me. It’s about funding and making it a priority.”