The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The latest cyberattack on health care shows how vulnerable the sector is

Analysis by

with research by Aaron Schaffer

January 23, 2023 at 7:19 a.m. EST

Welcome to The Cybersecurity 202! Aubrey Plaza is a national treasure.


Below: Cybercriminals stole more than $500,000 from a senator’s campaign committee, and T-Mobile is again hacked. First:

Apparent BlackCat ransomware attack demonstrates risks to health-care sector, vendors

An apparent ransomware attack on a major electronic health records company demonstrates the vulnerability of the health-care sector to potentially disastrous cyberattacks.

The cyber incident impacted NextGen Healthcare last week. It apparently took place at the hands of a ransomware group that the Department of Health and Human Services warned about earlier this month.

The company says it doesn’t look like the hackers obtained any client data or patient data. The suspected Russian ransomware group that claimed responsibility, BlackCat, put an alleged sample of NextGen information on its extortion site — typically used to compel victims to pay or risk further exposure — but later took down the NextGen listing.

However the NextGen incident plays out in the end, it highlights trends of attacks on major vendors and the health-care system.

What happened (according to those involved)

Founded in 1974, the Atlanta-based NextGen Healthcare claims 2,800 employees and reported revenue of nearly $600 million in 2022. It says it provides software and technology services in “ambulatory” settings, a term that ranges from physician offices to outpatient clinics, and has helped more than 2,500 health-care organizations across the world. 

Here’s what NextGen told us happened in response to inquiries about the BlackCat extortion site listing:

  • “NextGen Healthcare is aware of this claim and we have been working with leading cybersecurity experts to investigate and remediate. We immediately contained the threat, secured our network, and have returned to normal operations. Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client or patient data. The privacy and security of our client information is of the utmost importance to us.”

A purported spokesperson for BlackCat (also known as ALPHV) refused to provide further proof of obtaining client data.

It’s not uncommon for companies to learn later that a breach was more extensive than originally believed. It’s also not uncommon for cybercriminals to lie about what kind of data they’ve stolen, or boast that they’ve stolen something they never did.

Attack trends

BlackCat is “a relatively new but highly-capable ransomware threat to the health sector,” according to an HHS threat briefing dated Jan. 12. It’s not the first time U.S. authorities have issued warnings about the group.

  • HHS dubbed it a “triple-extortion” group: its ransomware attacks are paired with threats to leak stolen data and with distributed denial-of-service attacks intended to knock victims’ websites offline.
  • It has ties to older, infamous Russian ransomware gangs, such as Darkside/Black Matter and REvil.
  • The group has said it doesn’t “attack state medical institutions, ambulances, hospitals,” but that the “rule does not apply to pharmaceutical companies, private clinics.” HHS notes that ransomware gangs have frequently broken these promises.
  • BlackCat favors U.S. targets, according to HHS, which is not uncommon for ransomware gangs, many of which are believed to be based in Eastern Europe.

The ransomware risks for health-care organizations are severe, including potentially causing patient death. North Korean and Iranian hackers have demonstrated particular interest in pursuing attacks on the sector.

Companies that are vendors for other firms are a prominent way for ransomware gangs and other cybercriminals to expand their reach. Notable incidents include:

  • In 2021, REvil got into a software system developed by Kaseya, which in turn affected what Kaseya estimated to be 800 to 1,500 businesses.
  • Suspected Russian hackers accessed SolarWinds software as a means of obtaining access to U.S. government agencies, government organizations around the world and major tech companies.
  • Specifically in the health-care sector, a ransomware incident in the United Kingdom last summer affecting a service provider caused issues for the country’s National Health Service.

Regardless of how the NextGen incident turns out, it’s one episode in an eventful start to 2023 for ransomware. This year has seen the usual array of attacks and disclosures mixed in with some unusual reversals.

  • Restaurants in the U.K., including KFC, Pizza Hut and Taco Bell, had to shut down after a ransomware attack on parent company Yum!, the company said Wednesday.
  • The Los Angeles Unified School District earlier this month acknowledged that ransomware hackers last year stole employee Social Security numbers.
  • On New Year’s Eve, the LockBit gang apologized for what it said was an affiliate hacking a children’s hospital in Canada, and offered the hospital a decryptor to unlock its systems.
  • A study by blockchain analytics company Chainalysis released over the weekend suggested that ransomware payments were down in 2022, as more victims appeared to refuse forking over ransoms to crooks holding their networks hostage. But ransomware criminals continue to use cryptocurrency, contributing to illicit crypto activity reaching an all-time high last year, the firm concluded in another report this year.

Corrected, 1/23/2023: to reflect the statement NextGen sent to the Post about patient data.

The keys

Cybercriminals steal more than $500,000 from GOP senator’s campaign committee

They stole the money after sending phony invoices to Moran for Congress, the campaign committee for Sen. Jerry Moran (R-Kan.), Raw Story’s Dave Levinthal reports. The committee has recovered around a quarter of the $690,000 that was stolen, it said in a Federal Election Commission filing.

“Cybercriminals targeted the accounting firm employed by Moran For Kansas and money was wired to fraudulent bank accounts,” Moran for Kansas spokesman Tom Brandt told Raw Story in an email. “As soon as a discrepancy was realized, it was reported to law enforcement. We are currently pursuing all avenues available to recover the money and there is an ongoing investigation with the FBI. The campaign also consulted with the FEC on how to transparently report the unauthorized expenditures.”

Cybercriminals have targeted other political campaigns as well. “Joining Moran among the federal-level politicians to experience thefts from their campaign accounts in recent years is President Joe Biden, whose 2020 Democratic presidential campaign committee lost at least $71,000,” Levinthal writes. “The Republican National Committee, Rep. Diana Harshbarger (R-TN), former Democratic presidential candidate and congresswoman Tulsi Gabbard and rapper-turned-2020 presidential candidate Ye, formerly Kanye West, are among others who reported money stolen from their political accounts.”

T-Mobile got hacked — again

T-Mobile said the hacker stole information like names, addresses, emails, phone numbers, birth dates and account numbers on as many as 37 million customers, TechCrunch’s Lorenzo Franceschi-Bicchierai reports. It’s the eighth time the phone carrier — which has 110 million customers — has been hacked since 2018.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company said in a Securities and Exchange Commission filing.

A spokesperson for the company didn’t respond to TechCrunch’s request for comment.

A hacker found the sensitive U.S. no-fly list on an open server

Swiss hacker maia arson crimew found the list — which includes people not allowed to fly in or to the United States — on a server run by a regional U.S. airline, the Daily Dot’s Mikael Thalen and David Covucci report.

“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir spokesman Erik Kane told the Daily Dot. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

The Transportation Security Administration told the Daily Dot that it’s “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.” 

U.S. law enforcement has noticed the hacker, crimew, before. In 2021, a grand jury indicted crimew, accusing the hacker of breaching “dozens of companies and government agencies.” Crimew was also a member of a group of hackers who breached security camera firm Verkada.

Cyber insecurity

Hackers penetrated LAUSD computers much earlier than previously known, district probe finds (Los Angeles Times)

Riot Games hacked, delays game patches after security breach (Bleeping Computer)

A hack at ODIN Intelligence exposes a huge trove of police raid files (TechCrunch)

Government scan

Majority of GAO's cyber recommendations since 2010 have gone unresolved (NextGov)

On the move

  • Jack Cable and Lauren Zabierek have joined the Cybersecurity and Infrastructure Security Agency as senior technical adviser and senior policy adviser.

Daybook

  • CIA deputy director for analysis Linda Weissgold speaks at an event hosted by the Intelligence and National Security Alliance on Tuesday at 9 a.m.

Secure log off

Thanks for reading. See you tomorrow.