The North Koreans have used the ransomware — a type of malicious computer code that locks computer files — to encrypt computer systems hosting electronic health records and diagnostics and imaging services, the FBI, Department of Treasury and US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory urging health care organizations to bolster their cybersecurity.
It’s the latest indication that state-sponsored hackers from countries like North Korea and Iran are willing to deploy ransomware against the health sector — a tactic more often associated with non-state cybercriminals.
FBI Director Christopher Wray in June blamed Iranian government-backed hackers for a “despicable” cyberattack on Boston Children’s Hospital last year, an allegation that Tehran denied. No ransomware was deployed in that case, but Iranian hackers were the subject of another US advisory on ransomware in the health sector in November.
Health care facilities already strained for resources because of Covid-19 have had to deal with disruptive ransomware attacks throughout the pandemic. One IT administrator at a 100-bed hospital in Florida recounted to CNN in January how he shut down the facility’s computer systems in January to prevent a ransomware attack from spreading throughout the hospital.
The fall of 2020 saw a wave of ransomware attacks on US hospitals from Russian-speaking cybercriminals, including one apparent ransomware incident in October 2020 that forced the University of Vermont to delay chemotherapy appointments.
In their advisory Wednesday, the US agencies did not name the organizations victimized by the alleged North Korean hackers.
The Health Information Sharing and Analysis Center, a cyber threat sharing group for big health care providers worldwide, did not identify any of its members as victims, said Errol Weiss, the group’s chief security officer.
“I would imagine the victims were smaller organizations and not prepared to handle a ransomware attack,” Weiss told CNN.
Silas Cutler, a cybersecurity specialist who analyzed the ransomware and contributed to the federal advisory, said the malicious code is “manually” operated, meaning the attackers can choose which computer files to encrypt.
“A key open question for us has been: How does the attacker deliver ransom notes to impacted parties?” Cutler, principal reverse engineer at cybersecurity firm Stairwell, told CNN. The federal advisory will hopefully flush out more information from victims and give cybersecurity experts a clearer picture of the hackers’ operations, Cutler said.
North Korea has for years belied stereotypes of a technology-deprived country to build a formidable hacking force. The US government accused Pyongyang of developing the so-called WannaCry ransomware in 2017, which spread to more than 200,000 machines in 150 countries. The incident cost Britain’s National Health Service alone more than $100 million.
“Among its peers, North Korea is unique in their deep, active involvement in cybercrime,” said John Hultquist, vice president of intelligence analysis at cybersecurity firm Mandiant. “Unlike other countries who may contract and bargain with domestic criminals, the North Korean state carries out cybercrime directly, against targets all over the globe.”