CISA Issues Warning About North Korea Hacking Health Care Facilities To Fund Other Cyberattacks

Yesterday, CISA released a warning that North Korean government-backed hackers have conducted ransomware attacks on health care providers and other critical infrastructure sectors in the US and South Korea, and then used the proceeds to fund further cyberattacks:

This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.

Sanjay Raja, VP, Product Marketing and Solutions at Gurucul had this comment:

“Healthcare institutions have already been a target for threat actor groups as they know they have constrained resources and budgets and maintain a wealth of personal and financial information on patients, and disruption can be catastrophic. North Korea’s use of common attacks indicates that these hospitals have neither managed to patch vulnerabilities nor have implemented monitoring solutions with a strong set of threat models to detect these common attacks. North Korean threat actor groups may have also developed variants that can evade solutions, like traditional SIEMs or XDR, that fail to implement trained machine learning in their analytical models that can adapt to new and unknown attack variants.

“Constrained security teams need solutions that focus on leveraging a unified set of advanced analytics, including those that can provide an early warning to known variants of attacks through behavioral analytics, such as UEBA. Identity analytics is also critical for security teams to leverage, as stolen credentials are a common method of compromising healthcare systems. These two capabilities, along with more traditional endpoint, network and cloud threat detection, can help these hospitals with accelerating detection and eliminating manual tasks that burden security teams and waste time.”

Lovely. This is just the latest warning about North Korea and its hacking activities, and given how prolific that country is at hacking all the things, you should be paying attention to this advisory and making adjustments to protect yourself.

UPDATE: Matt Marsden, VP, Technical Account Management at Tanium added this comment:

It is not surprising to see North Korean state actors using techniques generally attributed to cybercrime and ransomware gangs. We’ve seen that North Korea will seek to use whatever methods possible to fund weapons and cyber programs. This activity demonstrates the significance of shifting the focus of cybersecurity from traditional compliance to active defense.

A threat-informed approach to defense requires agility, comprehensive visibility, and control to properly assess the effectiveness of controls against attacks. In contrast, compliance programs seek to measure the implementation of static controls against an established baseline, which values consistency and static configuration. Attackers are creative and seek to exploit misconfigurations to identify gaps in a secure host baseline. They have the advantage of time and scale, and only need to be right once. On the flip side, defenders must be right every time and suffer the disadvantage of trying to predict their adversaries’ next move.

Cyber defenders need comprehensive awareness, and absolute control of what is happening in their environments; blind spots are unacceptable. Employing an active defense approach is critical, including protecting against known threats, scanning for indicators of compromise, performing real-time hunt activities, and preparing a response.

It is no longer a question of “will there be an attack” but “when will I be attacked?” With this sobering thought in mind, it is imperative to quickly identify the compromise, scope the incident, implement changes to stop the attacker and prevent lateral movement, and finally, quickly remediate at scale.
