December 3, 2023

The FBI, CISA, and the US Treasury are warning that state-sponsored North Korean hackers are using ransomware to target healthcare and public health institutions across the United States.

In a joint advisory published on Wednesday, the US government agencies said they had observed North Korean state-sponsored actors deploying Maui ransomware since at least May 2021 to encrypt servers responsible for healthcare services, including electronic health records, medical imaging, and entire intranets.

The advisory reads: “The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against healthcare and public health sector organizations. North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting [healthcare] organizations.”

The advisory notes that in many of the incidents the FBI observed and responded to, Maui ransomware disrupted healthcare services for “extended periods”.

Maui was first identified by Stairwell, a startup that helps organizations determine whether they have been breached, in early April 2022. In its analysis of the ransomware, Silas Cutler, principal reverse engineer at Stairwell, notes that Maui lacks many features common in tools from ransomware-as-a-service (RaaS) providers, such as an embedded ransom note or an automated means of transmitting encryption keys back to the attackers. Instead, Stairwell concluded that Maui is likely operated manually, with remote operators running it across victims’ networks and selecting the specific files they want to encrypt.
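Because Maui drops no ransom note and is driven by hand against chosen files, the usual “look for the note” detection does not fire; defenders have to notice the encryption itself. The following is an added example, not code from Stairwell or from the advisory: a small Python scanner that walks a directory and flags files whose leading bytes have near-maximal Shannon entropy, the signature of ciphertext replacing plaintext records. The sample tree it builds (a plaintext visit note beside random bytes standing in for encrypted output) is constructed for the demo, and the 7.5 bits-per-byte threshold is an assumption to be tuned per environment.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: files whose sampled bytes exceed this many bits of entropy per
# byte are treated as likely encrypted. Plain text typically scores 4-5,
# ciphertext and good compression close to 8. Tune for your own data.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_encrypted_files(root, threshold=ENTROPY_THRESHOLD, sample_bytes=65536):
    """Walk root and return the relative POSIX paths of files whose leading bytes look encrypted.

    Only the first sample_bytes of each file are read, so the scan stays cheap on
    large imaging files; very small files are skipped to avoid noisy estimates.
    """
    root = Path(root)
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        if len(head) >= 64 and shannon_entropy(head) >= threshold:
            flagged.append(path.relative_to(root).as_posix())
    return flagged


def build_sample_tree():
    """Create a constructed sample tree: one plaintext record and two files of random bytes.

    The random-byte files stand in for records after a ransomware pass; this is
    demo data only, not material from any real incident.
    """
    root = Path(tempfile.mkdtemp(prefix="maui_demo_"))
    records = root / "records"
    records.mkdir()
    plaintext = ("Patient: DOE, JANE\nMRN: 0000001\nNote: follow-up in 2 weeks\n" * 40).encode()
    (records / "visit_001.txt").write_bytes(plaintext)
    (records / "visit_002.txt").write_bytes(os.urandom(4096))  # stand-in for an encrypted record
    (records / "scan_003.dcm").write_bytes(os.urandom(8192))   # stand-in for an encrypted image
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in scan_for_encrypted_files(demo_root):
        print(f"likely encrypted: {rel}")
```

Two caveats matter in a hospital environment: losslessly compressed or already-encrypted formats (compressed DICOM, archives, PDFs with embedded images) also score near 8, so baseline the scan against a known-good snapshot and alert on files that cross the threshold rather than on absolute scores; and because the operators pick targets by hand, seed a few canary files in the shares you care about and alert the moment one changes.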

North Korea has long used cryptocurrency theft to fund its nuclear weapons program. In an email, John Hultquist, vice president of Mandiant Intelligence, said that as a result ransomware is “a no-brainer” for the North Korean regime.

“Ransomware attacks on healthcare are an interesting development in light of the focus these actors have shown on this sector since the advent of COVID-19,” Hultquist said. “It is not uncommon for an actor to generate income from access that may have initially been obtained as part of a cyber espionage campaign. We have recently noticed North Korean actors shift their focus away from healthcare targets to other, more traditional diplomatic and military organizations. Unfortunately, healthcare institutions are extraordinarily vulnerable to this kind of extortion because of the disastrous consequences of disruption.”

The advisory, which also includes indicators of compromise (IOCs) and information on the tactics, techniques, and procedures (TTPs) used in these attacks to help network defenders, urges organizations in the healthcare sector to strengthen their defenses by limiting access to data, turning off network device management interfaces on WAN-facing connections, and using monitoring tools to observe whether IoT devices are behaving erratically because of a compromise.

“The FBI, along with our federal partners, remains vigilant in combating malicious North Korean cyber threats to our healthcare sector,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. “We are committed to sharing information and mitigation methods with our private sector partners to help them strengthen their defenses and protect their systems.”

The latest warning from the US government came on the heels of a series of high-profile cyber attacks targeting healthcare institutions. The University Medical Center of Southern Nevada was hit by ransomware, and in August 2021 files containing protected health information and personally identifiable information were put at risk at Eskenazi Health, which said in October that cybercriminals had access to its network for about three months. Last month, Kaiser Permanente confirmed that a breach of an employee email account resulted in the theft of 70,000 patient records.
