Showing posts with label North Korea. Show all posts

Nation State Cyber Thieves Target Healthcare Research and Patient Data

State-sponsored cyberattacks against healthcare, and the wide-scale theft of PHI, PII and IP that accompanies them, are increasing and are putting the whole sector at greater risk, a new report claims.

NotPetya (Nyetya), WannaCry, Stuxnet, and the Sony Pictures, Yahoo, US Office of Personnel Management (OPM), SingHealth and Anthem breaches are all recent examples of nation-state attacks. Some are indiscriminate, some target other nation states, and some are focused on intelligence gathering against whole populations or targeted individuals. Some are thinly disguised criminal theft of intellectual property and trade secrets, or monetary theft and extortion to supplement what the hackers get paid by their government puppet-masters for 'official business'. They all have one thing in common: a well-funded and well-trained team of cyber warriors with the patience of saints and the tenacity to get the job done. These are the advanced persistent threats (APTs) that mark a nation-state adversary. They are usually stealthy and stay hidden until the last moment, or go unnoticed entirely, as Yahoo eventually discovered when a subsequent attack came to light.

Although WannaCry took out a large number of healthcare systems around the world, including a significant number of UK NHS hospitals and healthcare trusts, it was by and large a broadcast extortion attack intended to generate hard currency for the heavily sanctioned government of North Korea (DPRK). The SingHealth and Anthem breaches, however, were highly targeted at healthcare institutions, and these are just the tip of the iceberg. Like the OPM breach, these attacks are thought to have originated from the People's Republic of China (PRC).

Chinese fingerprints are all over many recent healthcare attacks.

A recent report by FireEye indicates that state-sponsored attackers from the PRC have for some time been targeting medical data from the healthcare industry. This includes not only PII and PHI, and in some cases even patients' prescription information, but a broader focus on the theft of academic and clinical research, drug and clinical-trial data, research studies, formulary and procedural data, and plans for medical devices. Pharmaceutical companies, universities, hospitals and biotech / biomedical engineering companies have all been targeted, according to FireEye's "Beyond Compliance: Cyber Threats and Healthcare" report. In particular there has been a strong focus on the theft of research into cancer treatments and artificial intelligence, both of which are top priorities for Chinese manufacturers, the report adds.

FireEye has seen a "prevalence of multiple Chinese groups over the last several years, and continuing in what we see today, targeting medical researchers in particular," says Luke McNamara, a principal analyst at FireEye who worked on the research. The company says the China-linked groups APT41, APT22, APT10 and APT18 have all been seen trying to obtain medical data in recent years. Additionally, a group linked to Vietnam (APT32) and a group linked to Russia (APT28) also dabble in healthcare; the latter has so far targeted sports medicine providers responsible for anti-doping tests of Russian athletes.

"Targeting medical research and data from studies may enable Chinese corporations to [patent and] bring new drugs to market faster than Western competitors," FireEye said. The country's 'Made in China 2025' industrial policy aims to replace imports from multinationals with locally produced products across its priority industries.

In particular, the report added, China has exhibited a "growing concern over increasing cancer treatment and mortality rates, and the accompanying national health care costs." With massive levels of soil and water pollution in China that have contaminated the food supply with dangerous levels of cancer-causing heavy metals, and air pollution that in some cities runs at many times the WHO guideline limits, it is no wonder that the cost of treating cancer is such a growing concern for a country that plans to have universal healthcare coverage for all of its roughly 1.4bn citizens by 2025.

If things weren't bad enough already for hospitals and health systems outside of China, they just got a whole lot worse!

Photo: Markus Spiske.


Nation State Attacks
Nation-state-sponsored cyberattacks have been on a sharp rise in recent years, with North Korea's attack against Sony Pictures in 2014 in retribution for its movie "The Interview", followed by the 'WannaCry' ransomware attacks of 2017, thought to have been designed to generate foreign currency for the hermit kingdom. Also of grave public concern were Iran's DDoS attacks against the US banking sector between 2011 and 2013 and an intrusion into the control system of the Bowman Avenue Dam in Rye Brook, New York, thought to be in retaliation for the US Stuxnet attack against Iranian uranium-enrichment centrifuges.

Russia too has been a major perpetrator of more direct cyber-warfare attacks, going back as far as the first Chechen War of 1994-96, to literally hundreds of attacks against its neighbors: from the reported 2008 cyberattack on the Baku-Tbilisi-Ceyhan (BTC) oil pipeline, which runs through Azerbaijan, Georgia and Turkey, to the more recent attacks on the Ukrainian power grid. However, it is the 'NotPetya' wiperware attack of 2017, attributed to the Russian GRU, that currently takes the prize as the most destructive and most expensive cyberattack in history. NotPetya targeted companies doing business with Ukraine and resulted in an estimated $8bn or more in damages to multinationals from all over the world. It destroyed tens of thousands of computer systems and shut down hundreds of companies, including some in Russia. Not only did the GRU open Pandora's box, they accidentally let Pandora out to run amok! Russia is also responsible, via a network of proxy groups who engage in simple criminal theft, for many attacks against retail merchants and financial institutions, and of course, through the FSB officers indicted in 2017, for the 2014 Yahoo breach, one of a series of Yahoo compromises that ultimately affected all three billion of its accounts, the largest breach to date.

But it is the People's Republic of China's insatiable appetite for the theft of commercial intellectual property and trade secrets, combined with its wholesale theft of PII and PHI, that is most notorious when it comes to nation-state cyberattacks. The OPM breach of 21.5 million federal employee and background-check records, discovered in 2015, and the 2015 Anthem breach that resulted in the theft of the PII of 79 million people, healthcare's largest, are typical of PRC attacks. While cyber espionage against military and defense secrets appears to be common across all states today, what differentiates China is its cyber-espionage activity that plainly targets commercial organizations and research universities outside the defense sector. In China everything of significance is owned by or beholden to the state, and after 70 years of communism and isolationism the People's Republic has had a long way to go to catch up with the rest of the world. It is not only China's intention to catch up but to surpass the rest of the world by whatever means are necessary; in Chinese that ambition is abbreviated as 赶超, ganchao. What's more, China fully intends to surpass the West within the next five years under the central government's 'Made in China 2025' initiative. Unfortunately, given the tight schedule, that may involve the theft of ideas and trade secrets from nearly every major company on the planet.

This post was originally published here.

When Cyber Attacks Go Too Far

News today that Israel has responded to a cyberattack with a kinetic reply is perhaps a first but, in many ways, to be expected, given a rising tide of global cyberattacks by actors who cause increasing levels of damage yet hide from attribution behind proxies or assumed anonymity.

According to Forbes:

The escalating global threat of cyber-attacks against nation-states took a turn yesterday when Israel's military announced that it had "thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work….HamasCyberHQ.exe has been removed," the tweet concluded.

Now that the precedent has been set, it should serve as a very real warning to cyber criminals everywhere that just because they reside in a state that turns a blind eye to international lawlessness, they are not immune from being brought to justice.

This may not be the first kinetic response to an act of cyber warfare, but it's certainly the first one to be publicized at this scale. The US has reserved the right to retaliate against cyberattacks with military force since 2011, and in 2015 it launched a Hellfire missile from a drone to kill British-born Islamic State hacker Junaid Hussain as he walked down a street in Raqqa, Syria.

Many people have been expecting a kinetic response to a cyberattack for some time and talking about the advent of hybrid warfare, but can either of these strikes be seen as the turning point?

The fact is that Hamas had recently launched over 600 rockets at Israel, and Israel had conducted over 250 air strikes on Hamas targets in retaliation. In the case of Junaid Hussain, he was known to be actively planning terrorist attacks in the West. Both were thus legitimate targets in existing kinetic conflicts, and both appear to satisfy the UN Charter's Article 51 right of individual and collective self-defense. But will this latest attack be used to justify a kinetic response to a future cyberattack, or to the perceived threat of one by a credible adversary? Maybe!

The Israeli Defense Forces (IDF) certainly considered the threat from Hamas hackers planning an attack on Israel real enough to warrant dropping a very large bomb on top of their building, reportedly with them in it!

Iran should certainly watch its back: we are told there has been a steady escalation in threats against the United States over recent months. The recently announced deployment of the USS Abraham Lincoln Carrier Strike Group and a bomber task force to the Persian Gulf region may be seen as a strong warning to Tehran. It may also be positioning for future retaliatory kinetic strikes in response to the recent wave of cyber and other attacks against the United States, and may mark the return of more aggressive US policies against terrorists and others who attack the West with assumed impunity. Reagan's bombing of Libya in 1986 drew a line in the sand over Qaddafi's support of terrorism against United States citizens; with hawks like John Bolton and Mike Pompeo advising Trump, things could escalate very quickly.

But Iran is not alone on the 'bad boy' list of cyberattacks that go too far. According to the Center for Strategic and International Studies, most of the world's significant cyber incidents originate in four countries: the People's Republic of China, the Russian Federation, the Islamic Republic of Iran and the Democratic People's Republic of (North) Korea, as the chart below shows:

Russia has been using cyber warfare, arguably against its own people, since the first Chechen war, but in 2008 the Russian military was reported to have caused the explosion of the Baku-Tbilisi-Ceyhan (BTC) oil pipeline at Refahiye in eastern Turkey by hacking the pipeline's CCTV camera network to reach the control system and valves, which were then used to over-pressurize the line until it ruptured; that attribution remains disputed. The BTC pipeline, which links Baku in Azerbaijan to Ceyhan on Turkey's Mediterranean coast, gives additional energy independence to oil-rich states on Russia's southern border at a time when Russia is seeking to reassert control over former Soviet states.

In 2014 a massive cyberattack was launched against Sony Pictures Entertainment that involved the theft and release, or destruction, of a huge amount of data. It was the first destructive cyberattack on a US company to be publicly attributed by the US government to a foreign state. The attack was claimed by the 'Guardians of Peace' and was eventually attributed to a North Korean hacking group known as the Lazarus Group.

The 2017 'WannaCry' ransomware attack that brought down hundreds of organizations worldwide, including the effective closure of a large number of British hospitals and other critical facilities, has also been attributed to the Lazarus Group, which works for the Kim regime of North Korea and built WannaCry around the EternalBlue exploit leaked by the Shadow Brokers. In a Wall Street Journal op-ed, Tom Bossert, then Homeland Security Advisor to President Donald Trump, firmly attributed the attack to North Korea, with Kim Jong-Un, he claimed, giving the order to launch the malware. "We do not make this allegation lightly. It is based on evidence," Bossert stated. Canada, New Zealand, Japan, and the UK all independently agreed with the US attribution.

Right on the heels of WannaCry, the 'NotPetya' attack of June 2017 was an act of cyber warfare instigated by the Russian GRU (ГРУ), according to a CIA analysis of the attack reported by the Washington Post. NotPetya, or Nyetya as it is also known, was disguised as a new variant of the Petya ransomware, but with no way to recover the encrypted data or the drives storing it, it destroyed millions of dollars of computer equipment and cost businesses the world over somewhere between $4bn and $8bn according to Wired at the time, a figure that later estimates have pushed past $10bn. NotPetya thus became known as broadcast 'wiperware' and, to many, as a cyber weapon.

According to the CIA, Russia's GRU created NotPetya as an escalation of its existing kinetic and cyber war against Ukraine, ongoing since the popular revolution there ousted the pro-Russian former Ukrainian President, and former Communist Party of the Soviet Union member, Viktor Yanukovych. The attack, which was seeded through the update mechanism of the Ukrainian accounting and tax software M.E.Doc, brought down large parts of Ukraine's government along with Ukrainian hospitals, power companies, airports, and banks. It was one episode in a longer campaign: a steady stream of cyberattacks directed by Moscow against Ukrainian critical infrastructure and power utilities, knocking them offline, constant attacks against Ukrainian businesses, and various kinetic actions including the military occupation and annexation of Crimea, the stoking of Russian nationalism and ethnic unrest, and military support for separatists in eastern Ukraine. That direct support culminated in the July 2014 destruction of Malaysia Airlines flight MH17, and the deaths of all 283 passengers and 15 crew aboard, when it was hit by a Russian surface-to-air missile while flying between Amsterdam and Kuala Lumpur.

The impact of NotPetya spread far beyond the borders of Ukraine and caused massive damage across the world. First investigated by the Ukrainian security service, the SBU, it was quickly attributed to the Russian security services, a finding reflected in other countries' subsequent investigations, including those of all of the Five Eyes nations: the United States, UK, Canada, Australia and New Zealand. This was reflected in a White House statement issued February 15, 2018:

"In June 2017, the Russian military launched the most destructive and costly cyberattack in history. NotPetya quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin's ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia's involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences."

Putin's Russia has continued to push the boundaries of acceptability with each new attack, from the hacking of the US Democratic Party and former US Secretary of State and presidential candidate Hillary Clinton, to the influencing of the US presidential and German federal elections and the Brexit referendum via its social-media bots, to literally hundreds of attacks against think tanks and NGOs according to Microsoft, most of which have been attributed to a group called 'Strontium', otherwise known as 'Fancy Bear' or 'APT28'.

Meanwhile in the East, the People's Republic of China has kept up a relentless attack against businesses the world over in its quest to steal the intellectual property and commercial secrets of the leading global companies. Despite the 2015 agreement between the US and Chinese presidents to stop the wholesale cyber-theft of intellectual property, the attacks continue as China tries to surpass the rest of the world with home-grown companies using stolen patents and trade secrets invented by others.

The big question is, "how far is too far?" At what point does it become necessary to send a loud and clear message that cyberattacks will be met with real consequences? Israel certainly deemed it necessary to deal with a group within Hamas that was responsible for cyberattacks against its country and citizens.

Countries may not readily invade one another today as they did in the nineteenth and twentieth centuries, leading to major global conflicts and massive loss of life. That is, perhaps with the recent exception of China's building of militarized islands off the coasts of the Philippines and Vietnam in contested waters, an apparent land grab of most of the South China Sea. But we know from history that if you don't stand up to a bully at least once, the bullying will continue. Hitler's remilitarization of the Rhineland in 1936 is perhaps a good example of what happens when you ignore a problem for too long.

Sometimes we forget that cyber warfare is after all just another form of warfare!

Now that the precedent has been set, those involved in cyber espionage, wholesale theft of IP, extortion, and cyberattacks against businesses and the critical infrastructure of countries might want to consider a new profession, or be on the lookout for things falling from the sky!