A look at the standard procedure for attacks targeting hospitals
This blog is part two of a two-part series. In the previous post we gave an overview of what happened; here we take a deeper look at how an attack like this one works and how it can be prevented.
BleepingComputer has reported that the Russia-based cybercrime group “Wizard Spider” is believed to be responsible for the attack on Ireland’s Health Service Executive (HSE), and has outlined the group’s typical method of attack, which runs as follows. Operatives usually open with phishing e-mails carrying a link to a document which, when opened, infects the computer with TrickBot or BazarLoader. Both are “trojan” or “backdoor” malware: once installed, they give the attacker remote control of the infected machine and a channel for deploying further malware.
With one endpoint compromised, the operatives begin stealing credentials and data. Each set of stolen credentials is a stepping stone to higher privileges and wider access, so the attacker’s reach grows with every hop. Once they are satisfied with the access and upload privileges they have accumulated, they wait for a lull in user activity (a weekend or public holiday, for example), then launch the ransomware to encrypt and lock every computer they can reach, and leave a note threatening to publish the stolen data if the ransom is not paid. This combination of encryption and data-theft extortion is the typical procedure of modern ransomware groups, including those classed as APT (Advanced Persistent Threat) groups.
Ransomware tailored to specific targets is spreading rapidly through organizations that are unprepared for the full attention of organized cybercrime. It is hard to find time for SAE (Security Awareness Education) in a busy medical environment, but SAE goes a long way toward stopping the phishing that serves as the springboard for these attacks. With the global COVID-19 pandemic, healthcare workers are already working double shifts, and exhaustion makes even experienced staff more susceptible to trickery. Given healthcare’s essential role in society, this makes hospitals a prime target for attacks designed to push overburdened, mission-critical systems into catastrophe. Part of the answer is to deploy controls that are as easy to use as they are to understand, and that naturally resist misoperation.
The solutions best suited to hospitals are lightweight and comprehensible. Two examples are the trust list and network segmentation. A trust list (also called an allowlist) denies by default any operation or change that is not already listed, which makes it well suited to locking down fixed-use systems that cannot be patched or reimaged frequently. We recommend our own StellarEnforce for this type of lockdown on legacy endpoints. Network segmentation, on the other hand, restricts each endpoint to communicating only with the endpoints it needs in order to do its work, which makes it much harder for attackers to move laterally or for malware to spread from one compromised machine to the rest of the network. Hospital attacks are currently IT-focused, but it will not be long before they cross from IT into OT (operational technology), as they already have in many other sectors, making next-generation appliances like EdgeFire a solid choice for robust defense.
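As an added illustration, and not code from the original post or from the products it mentions, the following Python sketch implements both controls in their simplest form: a deny-by-default trust list keyed on SHA-256 file hashes, and a deny-by-default flow policy between named network segments. It replays the attack chain from the earlier paragraphs (phishing drops a loader, the loader tampers with an approved binary, the attacker then tries to move laterally) against a hospital layout constructed for the example; the host names, segment names, ports and file contents are all assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class TrustList:
    """Deny-by-default execution control: only enrolled digests may run."""
    allowed: set = field(default_factory=set)

    def enroll(self, path: str) -> None:
        # Lockdown: the list is built once from the known-good system image.
        self.allowed.add(sha256_of_file(path))

    def may_execute(self, path: str) -> bool:
        # Decision is by content hash, not by file name or location, so a
        # dropped loader is denied even if it overwrites or mimics a listed file.
        return sha256_of_file(path) in self.allowed


@dataclass
class SegmentPolicy:
    """Deny-by-default flow control between named network segments."""
    segment_of: dict   # host -> segment (hypothetical layout)
    allowed: set       # (src_segment, dst_segment, dst_port)

    def may_connect(self, src_host: str, dst_host: str, port: int) -> bool:
        src, dst = self.segment_of.get(src_host), self.segment_of.get(dst_host)
        if src is None or dst is None:
            return False   # unknown hosts get nothing
        return (src, dst, port) in self.allowed


def simulate_attack() -> dict:
    """Replay the attack chain against both controls; return each decision."""
    # Constructed hospital layout: two clinical workstations, an EHR server,
    # and a backup server that only the application servers may reach.
    policy = SegmentPolicy(
        segment_of={"ws-01": "clinical-ws", "ws-02": "clinical-ws",
                    "ehr-srv": "app-servers", "backup-srv": "backup"},
        allowed={("clinical-ws", "app-servers", 443),   # EHR client traffic
                 ("app-servers", "backup", 22)},        # server-side backups
    )
    with tempfile.TemporaryDirectory() as tmp:
        ehr_client = os.path.join(tmp, "ehr_client.exe")
        with open(ehr_client, "wb") as f:
            f.write(b"approved clinical application build 3.2")   # constructed
        trust = TrustList()
        trust.enroll(ehr_client)

        # Step 1: a phishing document drops a loader (stand-in for TrickBot/BazarLoader).
        loader = os.path.join(tmp, "invoice.pdf.exe")
        with open(loader, "wb") as f:
            f.write(b"loader payload written by a malicious document")   # constructed
        decisions = {"approved_app_runs": trust.may_execute(ehr_client),
                     "dropped_loader_runs": trust.may_execute(loader)}

        # Step 2: the loader overwrites the approved binary but keeps its name.
        with open(ehr_client, "wb") as f:
            f.write(b"loader payload written by a malicious document")
        decisions["tampered_app_runs"] = trust.may_execute(ehr_client)

    # Step 3: lateral movement attempts from the first compromised workstation.
    decisions["ws_to_ehr_https"] = policy.may_connect("ws-01", "ehr-srv", 443)
    decisions["ws_to_ws_smb"] = policy.may_connect("ws-01", "ws-02", 445)
    decisions["ws_to_backup_ssh"] = policy.may_connect("ws-01", "backup-srv", 22)
    return decisions


if __name__ == "__main__":
    for name, allowed in simulate_attack().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY'}")
```

Two design points are worth noting. The trust list compares content hashes rather than paths, so renaming a dropped file or overwriting an approved one does not earn it execution rights; a real product also has to guard the list itself and handle legitimate updates, which this sketch leaves out. The segment policy is a whitelist of flows, so the workstation-to-workstation SMB connection that ransomware typically uses to spread is denied simply because nobody ever listed it, not because anyone anticipated that particular attack.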