Russian APTs: Why Stakes Are So High for Healthcare SectorExperts Urge Healthcare, Public Health Entities to Heed US Agency Warnings
Healthcare and public health sector entities must heed the warnings this week by federal authorities of Russian state-sponsored cyberthreats to critical infrastructure organizations, some experts say, pointing out the high stakes of attacks, especially during the pandemic.
On Tuesday, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI released a joint advisory warning that Russian-backed advanced persistent threat actors are leveraging certain tactics, techniques and procedures to infiltrate critical infrastructure (see: US Warns of Russia-Backed Threat to Critical Infrastructure).
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center on Tuesday also issued its own advisory, alerting the healthcare and public health sector to the joint warning from CISA, the NSA and the FBI.
"As Russia continues to act as a major cyber threat against the U.S. healthcare and public health sector, it is extremely important to both know AND apply the information included in this alert," HC3 warns.
"Reducing your organization’s attack surface to the greatest extent possible is the primary goal, and this alert provides many ways to do that. Notably: Ensure the listed vulnerabilities are patched; use multifactor authentication; establish a robust data backup program; and consider signing up for CISA’ cyber hygiene services."
"Every concern about a possible legitimate cyberattack must raise an alarm, especially as it relates to the healthcare industry," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
"There have been a rash of cyberattacks recently from Russian ransomware gangs that have caused real distress and concern. It looks like SolarWinds, a devastating cyberattack, was launched by a Russian criminal gang," he says.
Weiss also says federal law enforcement authorities are correct in their desire to warn the public of these threats so businesses in all industries can see the depth and scope of the problem and hopefully start taking proactive measure to protect themselves from many of the different cyberattacks being used worldwide.
The healthcare and public health care sectors are "soft targets" Weiss says, "and when successful attacks are launched, these industries deal with life and death, and as such are less able to deal with the dangers of cyberattacks, so the perception is they are more apt to pay ransom quickly."
"Russian-based APTs are definitely a concern to the healthcare sector. There is no other sector that is more responsible for the welfare and well-being of people," says Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information Management and Systems Society. "The capabilities are there, and our sector needs to be prepared. We are no longer in the era of 'no one is going to attack healthcare.'"
It is difficult to predict what the effects of rising political tensions with Russia - such as in its conflict with Ukraine - may be, but Russia "is known to have sophisticated cyber capabilities," says Denise Anderson, president of the Health Information Sharing and Analysis Center.
"Organizations should always be mindful of geopolitical events - especially if they have operations in the region but even if they don't," she says.
The Petya/NotPetya attacks in 2017, for example, were not targeted at healthcare, but had huge global financial and operational impacts, she says. "Healthcare organizations should be monitoring the situation and looking at their business continuity plans to ensure their operations are resilient in case there is fallout."
In the joint advisory, the U.S. agencies say Russian state-sponsored APT actors have demonstrated "sophisticated tradecraft and cyber capabilities" by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. "The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments - including cloud environments - by using legitimate credentials," it says.
"State-sponsored cyberespionage groups in Russia and other countries have sought access to COVID-19 intellectual property, such as vaccines, drug treatments and testing capabilities, as well as the clinical research that supports them."
—Paul Prudhomme, IntSights
Russian cyberthreat actors have also been known to target critical infrastructure, and the alert provides a list of "high-profile cyber activity" between 2011 and 2020, including attacks on Ukraine's energy distribution companies that led to a massive power outage.
The joint warning about Russian APTs follows similar earlier government alerts about other nation-state threats targeting critical infrastructure, including the healthcare and public health sector.
In November, a joint advisory from U.S. U.K. and Australian government agencies warned about Iranian government-sponsored APT actors actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the transportation sector and the healthcare and public health sector, as well as Australian organizations.
That warning from the FBI, CISA, the Australian Cyber Security Center and the United Kingdom's National Cyber Security Center said Iranian actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. "These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware and extortion," the warning said.
State-sponsored Russian cyberespionage groups have historically focused on the targeting of industries with the most direct relevance to Russian geopolitical and economic interests, such as government and defense, and energy and utilities, says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is now a researcher with cybersecurity threat intelligence firm IntSights.
The healthcare and pharmaceuticals industry has nonetheless assumed greater significance in that regard for state-sponsored cyberespionage groups around the world - including Russia - as a result of the COVID-19 pandemic, he says.
"Specifically, state-sponsored cyberespionage groups in Russia and other countries have sought access to COVID-19 intellectual property, such as vaccines, drug treatments and testing capabilities, as well as the clinical research that supports them," he says.
"They seek to acquire this intellectual property both for the benefit of their own populations and for use as bargaining chips with developing countries."
In the case of Russia, both APT28 and APT29 have targeted foreign pharmaceutical companies and clinical researchers in pursuit of COVID-19 intellectual property, Prudhomme says. APT28, also known as Fancy Bear, is most well-known for its 2016 compromise of the U.S. Democratic National Committee and subsequent email data disclosure. APT29, also known as “Cozy Bear,” is most well known for its 2020 SolarWinds supply chain compromise of U.S. government agencies, he adds.
"The APT28 attacks on organizations with COVID-19 intellectual property used password spraying and brute force attacks to compromise credentials and thereby gain initial access," Prudhomme says.
"APTs should always be a consideration for any organization that has potentially sensitive information that might be of value to nation-state-sponsored actors, says Mark Lance, senior director of cyber defense at GuidePoint Security.
In the healthcare sector, medical records about innovative medical procedures, diagnosis, prescriptions, etc., are all information that could be used by sophisticated threat actors for targeting a specific person or organization, he says. "It’s important to remember that unlike other threats such as criminal threat actors, which commonly use ransomware and are monetarily motivated, most APTs are motivated by access to information and generally much more targeted in nature."
Entities can defend against such attacks by requiring employees to use multifactor authentication - preferably via mobile authenticator apps - and strong, unique passwords that they frequently change, Prudhomme says.
Kim of HIMSS says comprehensive implementation of basic and critical security controls is a must. "Advanced security controls, such as zero trust, would also be advantageous. When it comes to cybersecurity, human error is always the weakest link in any organization," she says.
"Frequent security awareness training and other anti-phishing controls need to be in place. But bear in mind that attackers need to find just one weakness, so we need to have a strong foundation," she says. That includes, but is not limited to, robust endpoint detection and response solutions, robust identity and access management, multifactor authentication and encryption for data at rest and in transit - followed by layering on more advanced controls, she suggests. "These controls should be fully implemented across the organization."
"While Russian-backed cyber gangs are certainly a menace to the global economy and cybersecurity everywhere, there are many other countries that have a plethora of cybercriminals."
—Jason G. Weiss, Faegre Drinker Biddle & Reath LLP
"Organizations can also use rate limiting to block IP addresses from which large numbers of failed logins originate in a short period of time," Weiss says.
He says the APT29 attacks on organizations with COVID-19 intellectual property involved scans of their public-facing infrastructure, including remote access services such as Citrix and VPNs, for already known vulnerabilities for which exploits were already publicly available.
"Organizations can defend against such attacks by ensuring the timely patching of their infrastructure. Remote access services should receive higher-priority patching due to their popularity as targets during the COVID-19 pandemic and the rise of the remote workforce."
Cyberattacks are a persistent global problem, Weiss says. "While Russian-backed cyber gangs are certainly a menace to the global economy and cybersecurity everywhere, there are many other countries that have a plethora of cybercriminals - China, Nigeria, North Korea and Myanmar, to name a few," he says.
"There are many other countries that have successful ransomware gangs and other elements of organized crime launching cyberattacks worldwide all day, every day. This is not just a 'Russian' problem, sadly."
On its website, CISA says it offers several scanning and testing services to help certain organizations - including federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure entities - reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.