A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service warning of state-sponsored North Korean (DPRK) ransomware attacks on U.S. critical infrastructure organizations. The agencies have gathered increasing evidence that DPRK threat actors are conducting the attacks to obtain ransom payments to support DPRK national-level priorities and objectives, and the U.S. healthcare and public health (HPH) sector is one of the primary targets.
“The North Korean actor behind these incidents, best known as Andariel, has been carrying out a targeted global ransomware campaign against hospitals and healthcare providers. Hospitals that are already under enormous pressure have experienced major disruptions, most of which have gone unnoticed to the public,” John Hultquist, Head of Mandiant Intelligence Analysis – Google Cloud, told the HIPAA Journal. “In many cases, hospitals have quietly recovered their systems or paid out the ransom without ever reporting the incident or even knowing they were dealing with North Korean spies. This suits the North Koreans who can’t be legally paid due to sanctions. They often hide their identity by claiming to be known ransomware operators.”
Andariel has used multiple ransomware variants in its attacks, most notably the Maui and H0lyGh0st strains, although the authoring agencies have also identified DPRK involvement in attacks using BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom. Exploits for a range of common vulnerabilities and exposures (CVEs) are used to gain initial access to networks and escalate privileges, with recent exploits including the Log4Shell vulnerability in the Apache Log4j software library (CVE-2021-44228), and unpatched vulnerabilities in SonicWall appliances (CVE-2021-20038) and TerraMaster NAS devices (CVE-2022-24990).
There are sanctions risks for organizations paying ransom demands to North Korean threat groups. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has designated numerous malicious actors under its cyber-related sanctions program, including Andariel. To get around these restrictions, the DPRK threat actors obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments. Virtual private networks (VPNs), virtual private servers (VPSs), and third-country IP addresses are used to make it appear that the attacks did not originate in the DPRK.
“Andariel’s core mission is to gather intelligence for the North Korean state, targeting the government, the defense sector, journalists, among others. In contrast to some of their peers who are solely focused on filling state coffers, Andariel appears to use crime as a means to self-fund their operations,” explained Hultquist. “Cybercrime is a lifeline for the North Korean regime and necessary to keep their cyber capabilities afloat. They are unlikely to be deterred anytime soon, so the impetus is on us to step up and defend our hospitals, before someone gets hurt.”
The cybersecurity advisory includes details of the tactics, techniques, and procedures used by the DPRK threat actors, along with indicators of compromise (IoCs) and recommended mitigations.
The post Warning Issued About North Korean Ransomware Attacks on Healthcare Organizations appeared first on HIPAA Journal.