[BreachExchange] Hacking Hospitals And Holding Hostages: Cybersecurity In 2016

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 29 21:32:32 EDT 2016


http://www.forbes.com/sites/kalevleetaru/2016/03/29/hacking-hospitals-and-holding-hostages-cybersecurity-in-2016/#7788bef33e2e

Yesterday morning MedStar Health became just the latest organization to
suffer the damage of a cyberattack in what early reports suggest may be yet
another ransomware attack. Unlike traditional cyberattacks designed to
exfiltrate records, delete data or physically damage computing systems,
ransomware attacks appear to be on the rise due to the ease with which such
extortion translates directly to money in the pockets of cyber criminals.
If MedStar’s cyberattack turns out to be ransomware, it would join at least
three other medical institutions breached in just the last few weeks.
Combined with the anonymity of bitcoin and the rise of targeted attacks
focused on soft targets like hospitals, 2016 is shaping up to be a
bountiful year in the extortion business.

While the underlying technology has been around for several decades,
ransomware has enjoyed a renaissance of sorts with the confluence of
improved targeting, the all-digital workplace and bitcoin to provide secure
anonymized funds transfer. Modern ransomware attacks increasingly target
small businesses, local government and medical institutions due to their
historically poor cyber posture. Medical facilities in particular are
proving to be a target-rich environment in that they are all too often a
hodgepodge of outdated systems and rushed employees with little cyber
training. Hospitals can ill afford the downtime of restoring from backups
or shutting down their systems for extended periods of time and so may be
viewed in the eyes of cyber criminals as more likely to pay up without a
fight.

The Hollywood image of a hospital held hostage by hackers burst into
national headlines last month when Hollywood Presbyterian Medical Center
announced it had been infected by ransomware and elected to pay the ransom
in order to restore access to its files. The dystopian nightmare of an
entire city being held hostage has even become reality as municipalities
are finding their outdated IT infrastructure a severe liability.

As ransomware tactics have evolved, attacks have shifted from high-volume
blind targeting to carefully orchestrated breaches in which the attackers
sometimes burrow into a victim’s network for months in order to infect the
furthest corners of the network and encrypt or corrupt backup files, making
payment the only way to get back the missing data.

In the physical world, law enforcement acts as a deterrent to a group of
criminals raiding a hospital and holding its workers and patients hostage
and will respond quickly and in force to end any hostage situations that do
occur. In the cyber domain, however, law enforcement is largely absent,
unable to offer any meaningful deterrence or protection. When a cyber
hostage situation does occur, all police can do is conduct a postmortem at
best. Even if a victim is able to definitively identify its attackers, they
are frequently based outside of law enforcement jurisdiction and the legal
rights of a company to launch its own cyber operations to forcibly end an
attack and recover its data are murky at best.

Even banks are no longer safe in the cyber world. While robbing the New
York Federal Reserve is usually limited to Hollywood blockbusters, the
Bangladesh Central Bank learned last month that bank robbers today are
increasingly using computers instead of guns when hackers transferred more
than 100 million dollars out of its accounts at the Federal Reserve. An
Austrian aerospace company similarly lost 54 million dollars this past
January when hackers got hold of login credentials for its corporate
treasury management system. Government itself, including its most senior
intelligence and national security officials, are no better off when a
single phishing email can redirect their home phone service and personal
email accounts.

Today such ransomware attacks are largely the work of criminal actors
looking for a quick payoff, but the underlying techniques are already part
of military planning for state-sponsored cyberwarfare. Russia showcased the
civilian targeting of modern hybrid operations in its attack on Ukraine’s
power grid, which included software designed to physically destroy computer
equipment. Even the US has been designing crippling cyberattack plans
targeting the civilian sector. In case its nuclear negotiations with Iran
failed, the US was prepared to shut down the country’s power grid and
communications networks.

Imagine a future “first strike” cyberattack in which a nation burrowed its
way deeply into the industrial and commercial networks of another state and
deployed ransomware across its entire private sector, flipping a single
switch to hold the entire country for ransom. Such a nightmare scenario is
unfortunately far closer than anyone might think.