[BreachExchange] Computer systems at UK and UK HealthCare hobbled by massive, month-long cyber attack

Destry Winant destry at riskbasedsecurity.com
Tue Mar 10 10:07:45 EDT 2020


https://www.kentucky.com/news/local/education/article240970221.html

The University of Kentucky and UK HealthCare conducted a major reboot
of their computer systems early Sunday morning in an effort to end a
month-long cyber attack that university officials say is the most
substantial cyber intrusion in university history.

The unidentified “threat actors” infiltrated Kentucky’s largest
university system in early February from somewhere outside the United
States and installed malware that utilized UK’s vast processing
capabilities to mine cryptocurrency, such as Bitcoin, said Eric
Monday, UK’s executive vice president for finance and administration.

The protracted intrusion, which the university believes it resolved
early Sunday morning during a campus-wide network outage, has
repeatedly caused a slowing or temporary failure of computer systems
used by students and employees, an effect that was likely “most acute”
on the health care side, said university spokesman Jay Blanton.

Blanton insisted that “patient safety [and] access to care was never
compromised,” but day-to-day functions were likely interrupted, even
repeatedly.

There is “no evidence” that “any personal health information or any
other sensitive data was downloaded or accessed,” Monday said, meaning
there’s no need to offer credit monitoring or other protections to
faculty, staff, students or patients, he said.

UK HealthCare, which includes UK Chandler Hospital and Good Samaritan
Hospital in Lexington, has close to 2 million registered patients.
When asked whether any private information of the university’s
students, faculty and patients was vulnerable at any point, Monday
said it was “hard to determine,” but that the “risk to people’s
information is much lower today than it was a month ago.”

UK Chandler Hospital is housing in isolation Kentucky’s first
confirmed patient with novel coronavirus, or COVID-19, but Blanton
said officials “don’t anticipate” the cyber attack will have any
impact on that patient’s care.

The attack did not escalate to include the installation of ransomware
— where attackers essentially lock a system’s information until a
ransom is paid to the hacker — but costs to harden network security
and eject the hacker are already upwards of $1.5 million, Blanton
said. Included in that cost is the internal investigation UK launched
with the help of an outside forensic firm, consultations with
cybersecurity experts, and the installation of CrowdStrike security
software to protect against future attacks.

These types of costly attacks, which often target private and public
entities, including cities, schools, and hospitals, have become more
common in recent years. In 2019, more than 205,000 organizations reported
that their files had been hit by ransomware, according to The New York
Times.

Park DuValle Community Health Center in Louisville paid cyberattackers
$70,000 last year to unlock patient medical records.

Monday said UK’s system is pinged daily, sometimes every few minutes,
by attackers trying to penetrate the system, and most fail. The set of
sophisticated hackers who have been in UK’s system since early
February entered through a university server outside UK HealthCare, he
said.

UK and other large organizations with vast computer systems are
particularly appealing venues for hackers intent on mining large
volumes of cryptocurrency because of their system’s powerful
processing capabilities, said University of Louisville Associate
Professor of Computer Science and Engineering Dr. Adrian Lauf.

Mining cryptocurrency is a computationally intensive process: miners
gather other people's pending transactions into a block and then race
to find a value whose hash meets a difficulty target, which takes vast
numbers of trial hashes. The winner appends the block to the blockchain,
the long, public list of all transactions, and is paid in cryptocurrency
for doing so.

The value of cryptoassets is “not all that high,” unless, for
example, a hacker can infiltrate a large processing system to mine
cryptocurrency, in which case it increases one’s “prospects of getting
a return on your investment,” Lauf said.

But even at that scale, the return for mining cryptocurrency is
nowhere near the value of patient health information, which is why
Lauf said he was “surprised that, given the value of [public health
information], it was not taken.”

“It’s like breaking into a bank to go steal something from the vending
machine,” he said.

Mining at that scale consumes a tremendous amount of processing
capacity: every available CPU or GPU cycle goes into computing trial
hashes, so the other workloads running on those machines are starved
and slow down or fail outright. The miner's own network use, chiefly
traffic to a mining pool, is small by comparison; it is the contention
for compute, not for bandwidth, that degrades the overall system.
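To make concrete what "mining" actually costs a host, here is a minimal proof-of-work miner in the style of Bitcoin's double SHA-256. This is an added example written for this page, not code from the article or from the malware at UK; the block header is a constructed placeholder byte string, and the difficulty is expressed as a count of leading zero bits rather than a real target. The loop does nothing but hash, which is why a miner's footprint on a compromised machine is CPU time, and why an attacker with thousands of hosts reaches a solution proportionally faster than one with a single machine.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Added example (not from the article): a toy proof-of-work miner.
# The header used below is a constructed stand-in, not a real block header.


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce, nonce encoded as 32-bit little-endian."""
    inner = hashlib.sha256(header + struct.pack("<I", nonce)).digest()
    return hashlib.sha256(inner).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits; the toy difficulty target is 'at least N of them'."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mine(header: bytes, difficulty_bits: int,
         max_nonce: int = 1 << 32) -> Tuple[Optional[int], int]:
    """Brute-force nonces in order until the hash clears the target.

    Returns (nonce, attempts); nonce is None if max_nonce is exhausted.
    Each attempt is one more hash: pure CPU work, no network traffic at all.
    """
    for nonce in range(max_nonce):
        if leading_zero_bits(pow_hash(header, nonce)) >= difficulty_bits:
            return nonce, nonce + 1
    return None, max_nonce


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs a single hash, however long mining took."""
    return leading_zero_bits(pow_hash(header, nonce)) >= difficulty_bits


def expected_attempts(difficulty_bits: int) -> int:
    """A hash clears an N-bit target with probability 2^-N, so ~2^N tries on average."""
    return 1 << difficulty_bits


def expected_seconds(difficulty_bits: int, hashes_per_second: float) -> float:
    """Mean time to a solution falls linearly with hashrate: the reason a
    campus fleet is attractive to a miner."""
    return expected_attempts(difficulty_bits) / hashes_per_second


if __name__ == "__main__":
    header = b"constructed-block-header-for-demo"  # constructed sample, not a real block
    for bits in (8, 12, 16):
        nonce, attempts = mine(header, bits)
        assert nonce is not None and verify(header, nonce, bits)
        print(f"{bits:2d}-bit target: nonce={nonce} after {attempts} hashes "
              f"(expected about {expected_attempts(bits)})")
    # One host at 1 MH/s versus 10,000 such hosts on the same 40-bit target.
    print(f"1 host: {expected_seconds(40, 1e6):.0f} s, "
          f"10,000 hosts: {expected_seconds(40, 1e6 * 10_000):.4f} s")
```

Run it as a script and watch the attempt counts track 2^N: each extra bit of difficulty doubles the hashing work, and a real network's target is far beyond what a single machine can meet in any useful time, which is the economic pressure behind hijacking someone else's fleet.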

The university’s remediation efforts culminated early Sunday morning,
when UK information technology services powered down the entire system
and severed Internet access in order to kick the attackers out and
further harden the system against anyone who tries to reenter.

Blanton said in a statement that the process, which took about three
hours, was successful in “mitigating the existing cyber threat,” and
that the university “will continue to power on systems and monitor
them throughout the morning.”

University officials described the system darkening as “widespread
technical maintenance” in an internal email sent to students, faculty
and staff Saturday night.

UK President Eli Capilouto, in a Sunday morning email to students,
faculty and staff, said “it was necessary to limit the information
provided” about the network outage overnight until it was clear the
system reboot was complete.

The university and its cybersecurity partners are “confident in our
response,” Capilouto said, adding, “as always, the security of our
community will remain our top priority.”

