HHS Warns of Potential Threats to the Healthcare Sector


The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare organizations.

HC3 said the HHS is unaware of any specific threats to the Health and Public Health (HPH) Sector; however, it is clear that allies on both sides of the conflict have cyber capabilities and there are fears that there could be cyberattacks on the HPH sector as a consequence of the conflict.

HC3 has warned that threats could come from three areas: threat actors linked to the Russian government, threat actors linked to the Belarusian government, and cybercriminal groups operating out of Russia and its neighboring states. There is also potential for other cybercriminal groups to either get involved in the conflict or take advantage of the conflict to conduct unrelated cyberattacks.

“Russia has for several decades been one of the most capable cyber powers in the world. Going back to the Moonlight Maze attacks against the US Department of Defense in the 1990s, Russian state-sponsored actors have been believed to be behind some of the most sophisticated cyberattacks publicly disclosed. Specifically, they are known to target adversarial critical infrastructure in furtherance of their geopolitical goals,” warns HC3.

There are also highly capable cybercriminal organizations that operate out of Russia or have voiced their support for Russia, including the operators of Conti ransomware. The Conti ransomware gang, which is widely believed to have also operated Ryuk ransomware, has extensively targeted the healthcare sector in the United States. The gang engages in big game hunting and multi-stage attacks, and targets managed service providers and their downstream clients. It also engages in double and triple extortion, exfiltrating data prior to encryption and then threatening to publish the data and notify partners and shareholders if payment is not made.

HC3 believes that the Conti ransomware gang and/or other cybercriminal groups could either join in the conflict or take advantage of the conflict for financial gain. The threat group known as UNC1151 is believed to be part of the Belarusian military and was reportedly conducting phishing campaigns targeting Ukrainian soldiers in January. The WhisperGate wiper was also used in cyberattacks in Ukraine, which have been linked to Belarus.

WhisperGate is one of three wiper malware variants that have recently been identified. These wiper malware variants use ransomware as a decoy and drop ransom notes that claim files have been encrypted; however, the master boot record is corrupted rather than encrypted and there is no mechanism for recovery.

Another wiper, dubbed HermeticWiper, has been used in attacks in Ukraine since February 24, 2022. Several variants have so far been identified, including a new wiper dubbed IsaacWiper.

Attacks involving these malware variants are currently concentrated in Ukraine. However, in 2017, NotPetya wiper malware was used in targeted attacks in Ukraine, delivered through compromised tax software, and attacks involving the malware then spread globally and affected multiple healthcare organizations in the United States.

All organizations in the HPH sector are strongly advised to adopt a heightened state of vigilance, take steps to improve their defenses, and review CISA guidance on mitigations and improving resilience to cyberattacks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
