[BreachExchange] Attack on Health Dept. Computers Was “Ransomware,” Hogan and Cyber Czar Acknowledge

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Jan 13 10:07:35 EST 2022


https://www.marylandmatters.org/2022/01/12/attack-on-health-dept-computers-was-ransomware-hogan-and-cyber-czar-acknowledge/

Gov. Lawrence J. Hogan Jr. and top Maryland Department of Health officials
acknowledged for the first time Wednesday that the perpetrators of the
attack on the agency’s computer system sought a ransom payment from the
state.

The state has not paid those responsible for the attack, Hogan (R) said.

“Unlike Texas and I think a couple of other dozen states, we haven’t lost
hundreds of millions of dollars, and we haven’t compromised millions of
people’s data,” he said. “But it’s a big issue. It’s a ransomware attack
and they’re targeting health departments across the country.”

Prior to Wednesday’s announcement, officials would only refer to the Dec. 4
attack on the agency’s network as an “incident.” On Wednesday morning,
Maryland Matters published a report on the broad impacts the outage
continues to have on the state health department and the 24 local health
departments that work closely with MDH.

“While the investigation is ongoing — and occurring on a parallel track to
our restoration efforts — we can confirm this much today: this was, in
fact, a ransomware attack,” said Maryland Chief Information Security
Officer Chip Stewart in a statement. Stewart described the unidentified
attackers’ demand as “an extortion payment.”

Ransomware attacks, which frequently originate overseas, prevent government
agencies and businesses from accessing their own information and data
systems until the entity under siege makes a payment.

Stewart said that the state has not made any such payment and, at his
recommendation “after consulting with our vendors and state and federal law
enforcement, will not be doing so.”

Law enforcement and cybersecurity authorities have observed that health and
hospital systems are increasingly being targeted by malicious actors during
the pandemic, Stewart said.

For nearly six weeks, the Department of Health and local health authorities
have been struggling to recover from the ongoing repercussions of the
attack. Hogan and state health and cybersecurity officials have been
tight-lipped about the investigation.

Atif T. Chaudhry, the deputy secretary of operations for the Department of
Health, said that the agency and the Department of Information Technology
are working closely to resolve the remaining problems caused by the attack,
and are coordinating with the federal government.

Stewart said Wednesday that “to this point” in the ongoing investigation,
there has been no evidence that state data was compromised.

On Thursday, the House Health and Government Operations Committee and the
Senate Education, Health and Environmental Affairs Committee — along with
the Joint Committee on Cybersecurity, Information Technology and
Biotechnology — will hold an online hearing at 1 p.m. to learn more details
about the attack. Parts of the hearing could be held in closed session, to
avoid the release of sensitive details.

Detailing what happened

According to Stewart, the Department of Health’s network team detected a
malfunctioning server in the early hours of Dec. 4 and immediately began
troubleshooting the problem.

After identifying issues they felt warranted deeper investigation, the
network team passed the problem on to the agency’s IT Security Team, which
alerted the chief information security officer for the Department of
Health, Stewart said.

He was notified shortly after and launched the state’s cybersecurity
incident response plan, which triggered alerts to Maryland’s Department of
Information Technology, the Department of Emergency Management, the State
Police, the Governor’s Office of Homeland Security and the Maryland
National Guard.

Stewart said that he also notified the FBI and the U.S. Department of
Homeland Security’s Cybersecurity and Infrastructure Security Agency, and
activated Maryland’s cybersecurity insurance policy through the state
treasurer’s office. The insurance policy allows outside resources to advise
the state on its recovery process.

At this point, Stewart said, the agency’s systems on its network were
ordered to be isolated from each other, from other state agency systems and
from the internet as a whole.

He said the network isolation has continued to render some systems
unavailable.

“I want to be clear: this was our decision and a deliberate one, and it was
the cautious and responsible thing to do for threat of isolation and
mitigation,” Stewart said.

Since the attack began, some public-facing databases — notably the state’s
COVID-19 data dashboard — have come back online.

Many others, including resources that report communicable disease data and
lab results and systems that support participants in Maryland’s AIDS Drug
Assistance Program, are still not operational, sources told Maryland
Matters.

Stewart warned against recovering services too quickly, which can lead to
agencies needing to restart recovery efforts multiple times.

“I cannot stress how important this point is — in order to protect the
state’s network and the citizens of the state of Maryland, we are
proceeding carefully, methodically, and as expeditiously as possible, to
restore data services,” he said.

In the meantime, Chaudhry said that the Department of Health’s business
units have been operating on continuity of operations plans to allow its
programs to keep “performing essential functions in the event of an
emergency or interruption of services — such as an attack.”

According to Chaudhry, continuity of operations plans were implemented on
Dec. 4. The agency has since prioritized certain functions.

“In this instance, we are using a tiered system that is focused on mission
critical and life-safety business functions,” Chaudhry said. “This
prioritization of the Department’s affected functions has led to the
development of a Critical Path for recovery and bringing systems back
online.”

Union officials have blown the whistle, saying that their members employed
through the Department of Health have been without their work computers
since the attack began.

According to Chaudhry, agency employees have been using Google Workspace to
share and save files online, and the department has procured printers,
wireless hotspots and 2,400 laptops, with plans to secure 3,000 more.