As the Russia-Ukraine conflict escalates, should we be worried about state sponsored cyber attacks against our hospitals?
Absolutely we should!
For the past decade and a half, the criminal underworld of the Russian Mafia and other organized crime syndicates in the former Soviet Union has provided a constant reminder of both the fallibility of modern IT systems and the tenacious expertise of Russian hackers and the cyber-criminal community. In what now seems like background white noise, these highly organized perpetrators have executed a near-constant campaign of cybertheft, cyber-extortion, and denial of service attacks. These have ranged from crippling ransomware campaigns that disabled entire national health systems, such as the Irish HSE in 2021, to the near bankrupting of several large private US health systems, to forcing small medical and dental practices to close up shop. This has denied critical medical services to thousands of patients and contributed to increases in patient morbidity and mortality. Yes, Russian cyber criminals have killed innocent people, perhaps not directly or intentionally, but their greed and selfish actions have nevertheless caused great pain and suffering to thousands. Yet the capabilities of these gangs pale into insignificance when compared to the resources and capabilities of nation states.
WannaCry, which crippled much of the UK's and other international healthcare systems, was a (heavily flawed) cyber weapon created by the DPRK to raise hard currency following international sanctions on Kim Jong Un's autocratic hermit kingdom. The DPRK's subsequent cyber weapons have been much less flawed, and have drained many cryptocurrency exchanges and large sums from the Bank of Bangladesh, among a long list of victims. With the exception of its attack against Sony Pictures, Lazarus Group and other DPRK cyber forces operate very similarly to any other criminal enterprise, raising cash for the Kim family's lavish living and to purchase rocket fuel for its ICBM program.
NotPetya, a highly destructive wiper which initially masqueraded as a ransomware attack, hit the world right on the heels of WannaCry in 2017 and was quickly attributed to the Russian government, specifically the Sandworm hacking group within the GRU, Russia's military intelligence organization. Initially designed to target the Ukrainian MeDoc tax accounting application in a software supply chain attack, it quickly spread worldwide to any company and country doing business in Ukraine and took down many of the world's largest companies, including shipping company Maersk, FedEx, pharmaceutical giant Merck, and French firm Saint-Gobain.
Each of these organizations spent hundreds of millions of dollars to restore data and systems that NotPetya had encrypted beyond repair. NotPetya destroyed tens of thousands of computer systems and resulted in losses in excess of $10bn USD globally. At this point, egg was firmly planted on Russia's face in the international community, especially when its cyber weapon backfired on many Russian companies, infecting and destroying Russian computer systems at home.
The Russian Ukrainian Conflict
Step forward a few years to 2022 and Russia is up to its old tricks again. A few hours before Russian tanks began rolling into Ukraine, Microsoft raised the alarm, warning of a never-before-seen piece of "wiper" malware it calls WhisperGate that appears aimed at the country's government ministries and financial institutions. ESET Research Labs, a Slovakia-based cybersecurity company, said it too had discovered a new wiper, while security experts at Symantec's threat intelligence team said the malware had affected Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine. ESET has named the malware, which renders computers inoperable by preventing them from rebooting, HermeticWiper. According to a CISA report, the malware targets Windows devices and manipulates the master boot record, which results in subsequent boot failure.
The trouble with any kind of cyber weapon, no matter how targeted it is, is that these weapons do not recognize national boundaries and so are bound to get out into the global community of interconnected IT systems.
Fortunately, and so far at least, the HermeticWiper malware does not appear to be self-propagating, whereas NotPetya was able to spread quickly. The real danger is not just in the powerful nation state weapons, but with semi-professional hackers and organized crime syndicates. Russia has the world's largest non-state criminal cyber infrastructure, employing tens of thousands who are engaged full time in cybercrime, cybertheft, and cyber-extortion.
Putin has turned a blind eye to their criminal activities for decades, allowing these groups to grow and prosper. These criminals are already using the smokescreen of conflict in Ukraine to launch fresh ransomware attacks against the West, and evidence suggests that Putin has recently instructed them to go all out to help Mother Russia. Putin has organized a personal crusade of military, kinetic and cyber offensive capabilities, and paired this with an extensive criminal underground in an attempt to overwhelm the West.
On the other side, the call has gone out for Ukrainian cyber gangs to launch an all-out offensive against the institutions of the Russian Federation, and they have been joined by Anonymous and many other international hacktivists. If we are to believe the reports coming out of Russia, then many of the Kremlin's public systems have been taken down by cyber-attacks. This tit-for-tat action risks serious escalation, and Russia, which is widely credited with inventing the concept of cyber-warfare during its two wars against Chechen separatists, is sure to have some very powerful, very devastating cyber weapons in its war chest.
Of course, so do the USA, the UK, and many other countries. If ever launched, these weapons would wreak devastation akin to a nuclear war and wipe out just about anything electronic. Given our reliance upon IT systems today, especially in hospitals, this would not end well for patients, resulting in a significant rise in patient morbidity and mortality. The trouble for the West is that these cyber weapons would cause far greater damage to advanced Western institutions than to the former Soviet ones in Russia, Belarus, Kazakhstan, and Chechnya that support Putin.
We should be taking every precaution: patching all systems, ensuring the legitimacy of patches by checking their hash values, enforcing multi-factor authentication for all users, and disconnecting systems which cannot be properly secured. Staff should be briefed on the need for heightened awareness and told to take extra precautions in their day-to-day activities. But first we need to fully understand what is connected to our networks and who is accessing our systems. In this day and age of heightened threats, we need to understand what is 'normal' so that abnormal or 'anomalous' behavior can be flagged and quickly isolated. The inconvenience of kicking a user off a system should be far less of a concern than the safety of a patient on life support.
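As an added example (not code from the original post), here is a small Python script that does the "know what is normal" step described above: it builds a per-user baseline of which hosts and hours of day each account normally logs in from, then flags later events that fall outside that baseline so they can be reviewed and, if necessary, isolated. The log format, hostnames and user names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events (not real logs): timestamp, user, source host, result.
SAMPLE_LOG = """\
2022-02-21T08:05:11 user=nurse1 src=ward3-ws01 result=success
2022-02-21T09:12:40 user=nurse1 src=ward3-ws02 result=success
2022-02-22T07:58:03 user=nurse1 src=ward3-ws01 result=success
2022-02-22T14:20:19 user=radiol2 src=imaging-ws07 result=success
2022-02-23T13:45:00 user=radiol2 src=imaging-ws07 result=success
2022-02-24T02:17:55 user=nurse1 src=vpn-gw01 result=success
2022-02-24T02:18:10 user=nurse1 src=vpn-gw01 result=failure
2022-02-24T02:18:12 user=nurse1 src=vpn-gw01 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$")

def parse(text):
    """Parse the constructed log format into a list of dicts; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def build_baseline(events, before):
    """Per-user set of (source host, hour of day) seen in successful logins before the cutoff.
    ISO-8601 timestamps compare correctly as strings, so no datetime parsing is needed."""
    base = defaultdict(set)
    for e in events:
        if e["ts"] < before and e["res"] == "success":
            base[e["user"]].add((e["src"], int(e["ts"][11:13])))
    return base

def flag_anomalies(events, baseline, since):
    """Return (timestamp, user, host, reasons) for events on/after `since` that deviate
    from the user's baseline: unknown source host, unusual hour, or a failed login."""
    flagged = []
    for e in events:
        if e["ts"] < since:
            continue
        known = baseline.get(e["user"], set())
        hosts = {h for h, _ in known}
        hours = {hr for _, hr in known}
        reasons = []
        if e["src"] not in hosts:
            reasons.append("new source host")
        if int(e["ts"][11:13]) not in hours:
            reasons.append("unusual hour")
        if e["res"] == "failure":
            reasons.append("failed login")
        if reasons:
            flagged.append((e["ts"], e["user"], e["src"], reasons))
    return flagged
```

On the sample data the three 02:00 VPN events for nurse1 are flagged (new host and unusual hour, the last two also as failed logins), while radiol2's daytime logins from the usual imaging workstation are not.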
Stay tuned for more expert insights into current events.
The CrowdStrike Intelligence team, in a recent blog post, has indicated that the HermeticWiper ransomware launched against Ukraine, which CrowdStrike calls PartyTicket or DriveSlayer, fails to properly initialize the encryption key, making the encrypted files recoverable. See CrowdStrike's blog for more details.