The United States (US) Federal Bureau of Investigation (FBI) warned that Russian hackers are targeting hundreds of US hospitals now grappling with the coronavirus pandemic.
The attacks are happening as the nation hardest hit by SARS-CoV-2, with countless people dead and over eight million cases, is gearing up for the final leg of its presidential election.
“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers,” read an advisory by the US government.
CISA stands for the Cybersecurity and Infrastructure Security Agency, while HHS refers to the Health and Human Services department.
The FBI said it is sharing the information so healthcare providers can take timely and reasonable precautions to protect their networks from the threats.
The agencies reported that the hackers use the TrickBot network of infected computers to deploy Ryuk, a burrowing and aggressive ransomware.
Mandiant, a private security firm, issued a parallel advisory and a set of indicators so organizations can determine whether they are under attack.
Charles Carmakal, the chief technology officer of Mandiant, said the attacks are “the most significant cyber security threat we’ve ever seen in the United States.”
Carmakal described the hackers’ group as “one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career.” Several US hospitals have already come under attack in the past few days, he said.
“The intention by the threat actor is to hit hundreds of other organizations out there,” he said. “Most threat actors don’t want to deliberately hit hospital organizations.”
“There’s an ethical line and they choose not to cross it. This particular actor, they have no problem crossing the line. They’re actively targeting healthcare and hospital organizations.”
The hospitals attacked so far are Universal Health Services in Pennsylvania; St. Lawrence Health Systems in New York; and the Sky Lakes Medical Center in Oregon.
Microsoft partnered with security experts two weeks ago to disrupt TrickBot by shutting down 62 of its 69 command servers. The hackers responded by cobbling together 59 new servers, but the Microsoft group took out all but one.
“The challenge here is because of the attempted takedowns, the TrickBot infrastructure has changed and we don’t have the same telemetry we had before,” Alex Holden, founder of Milwaukee-based Hold Security, said.
The Microsoft-led counter has forced the group to use new tactics, including targeting routers and similar Internet of Things devices.