Healthcare in the Crosshairs of North Korean Cyber Operations

Organizations in the US healthcare and public health sector are among the top targets for state-sponsored North Korean cyber-threat actors seeking to fund espionage activities via ransomware and other attacks.

That’s the assessment of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the US Department of Health and Human Services, and South Korean intelligence agencies. In a joint advisory Feb. 9, the group described the North Korean government as using revenues in the form of cryptocurrency from these ransomware attacks to fund other cyber operations that include spying on US and South Korean defense sector and defense industrial base organizations.

State-Sponsored Ransomware Attacks With a Mission

“The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives,” the advisory said.

The alert also cautioned ransomware victims in healthcare and critical infrastructure sectors against paying ransoms. “Doing so does not guarantee files and records will be recovered and may pose sanctions risks,” it said.

There is little in the advisory to indicate whether it was prompted by new threat intelligence or word about imminent attacks. But it comes amid a continuing increase in ransomware attacks against healthcare entities overall. A report by the Journal of the American Medical Association (JAMA) earlier this year identified a doubling in the number of ransomware attacks against healthcare entities between 2016 and 2021. Of the total 374 ransomware attacks on US healthcare organizations during that period, some 44% disrupted healthcare delivery.

The most common disruptions included systems downtime, cancellations of scheduled care, and ambulance diversions. JAMA’s study found an increase especially in ransomware attacks against large healthcare organizations with multiple facilities between 2016 and 2021.

A June 2022 report from Sophos showed 66% of healthcare organizations experienced at least one ransomware attack in 2021. Sixty-one percent of those attacks ended with the attackers encrypting data and demanding a ransom for the decryption key.

“Healthcare saw the highest increase in volume of cyberattacks (69%) as well as the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59% respectively,” Sophos said.

New Intel, New Tactics

CISA’s latest cybersecurity advisory this week updates its earlier guidance on state-sponsored ransomware attacks from North Korea directed against the US healthcare and public health sector. It highlighted multiple tactics, techniques, and procedures (TTPs) that North Korean cyber actors are currently employing when executing ransomware attacks against healthcare targets. Most of the TTPs are typical of those observed with ransomware attacks and include tactics like lateral movement and asset discovery.

The advisory also highlighted several ransomware tools and associated indicators of compromise (IoCs) that North Korean actors have been using in attacks on healthcare organizations. Among them were privately developed variants such as Maui and H0lyGh0st and publicly available encryption tools such as BitLocker, Deadbolt, Jigsaw, and Hidden Tear.

“In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group,” in an attempt to evade attribution, the advisory said.

In addition to obfuscating their involvement by operating with other affiliates and foreign third parties, North Korean actors frequently use fake domains, personas, and accounts to execute their campaigns, CISA and the others said. “DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.”

The advisory highlighted some of the newer software vulnerabilities that state-backed groups in North Korea have been exploiting in their ransomware attacks. Among them were the Log4Shell vulnerability in the Apache Log4j framework (CVE-2021-44228) and multiple vulnerabilities in SonicWall appliances.

CISA’s recommended mitigations against the North Korean threat included stronger authentication and access control, implementing the principle of least privilege, employing encryption and data masking to protect data at rest, and securing protected health information during collection, storage, and processing.

The advisory also urged healthcare entities to maintain isolated backups, develop an incident response plan, update operating systems and applications, and monitor remote desktop protocol (RDP) and other remote access mechanisms.
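As an added illustration of the last recommendation (monitoring RDP), not code from the advisory or this article, the following Python reviews constructed records modelled on Windows Security logon events (4624 success, 4625 failure) and flags RemoteInteractive (type 10) logons from outside an assumed allowed range, or that follow a burst of failures. The event field names and the allowed network are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample records modelled on Windows Security events 4624 (logon
# success) and 4625 (logon failure); field names are simplified for this example.
SAMPLE_EVENTS = [
    {"id": 4625, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.45"},
    {"id": 4625, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.45"},
    {"id": 4625, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.45"},
    {"id": 4624, "user": "svc_backup", "logon_type": 10, "src": "203.0.113.45"},
    {"id": 4624, "user": "nurse01", "logon_type": 10, "src": "10.20.5.17"},
    {"id": 4624, "user": "admin", "logon_type": 2, "src": "10.20.5.18"},
]

# Assumed: RDP is only expected from this internal range (e.g. a jump host subnet).
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
FAILURE_THRESHOLD = 3


def src_allowed(src):
    """True if the source address falls inside an allowed RDP source network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_RDP_SOURCES)


def review_remote_logons(events, threshold=FAILURE_THRESHOLD):
    """Return alert strings for RDP (logon type 10) activity worth a look."""
    alerts = []
    failures = Counter()  # failed attempts per (user, source) since last success
    for ev in events:
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are in scope here
        key = (ev["user"], ev["src"])
        if ev["id"] == 4625:
            failures[key] += 1
        elif ev["id"] == 4624:
            if not src_allowed(ev["src"]):
                alerts.append(f"external RDP logon: {ev['user']} from {ev['src']}")
            if failures[key] >= threshold:
                alerts.append(
                    f"RDP success after {failures[key]} failures: "
                    f"{ev['user']} from {ev['src']}"
                )
            failures[key] = 0
    return alerts


if __name__ == "__main__":
    for line in review_remote_logons(SAMPLE_EVENTS):
        print(line)
```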
