UPDATE July 17, 2020: Representatives of the U.S., British and Canadian governments reported yesterday that Russian hackers affiliated with the known hacking group APT29 (or “Cozy Bear”) are targeting health care organizations researching COVID-19 vaccines. Cozy Bear, previously involved in the 2016 hacking of the Democratic National Committee, has reportedly been using spear-phishing and malware in an effort to steal the research. This announcement comes on the heels of a spate of attacks against research universities and health care organizations in recent months, described below.
While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches.
Research for Ransom
The University of California, San Francisco (UCSF) is the latest known victim of a ransomware attack targeted at research institutions. On June 1, UCSF discovered malware that had allowed hackers to steal certain School of Medicine data and encrypt a number of its servers. At the end of June, UCSF reportedly paid $1.14 million to the hackers to unlock and recover the data. University officials stated that paying the ransom was necessary because the data was important to its academic work and the public good. The University has been leading important coronavirus research.
Known hacking group “NetWalker” claimed responsibility for the UCSF breach, and for breaches at two other universities involved in coronavirus research: Michigan State University and Columbia College of Chicago. In each case, NetWalker threatened to publicly release the stolen data if the ransom was not paid. Michigan State chose not to pay, in an attempt to discourage attackers from targeting future victims, and its data was released on the dark web.
Universities are not alone in being targeted. In April, Microsoft announced that it had alerted several dozen hospitals it identified as especially vulnerable to ransomware attacks due to weaknesses in their infrastructure. Interpol issued a similar warning to hospitals and sent a “purple notice” to its 194 member countries regarding the threat of ransomware attacks.
Universities and hospitals are uniquely susceptible to attack because of the essential services they are providing to combat the coronavirus and the collaborative nature of medical research. University-led research into treatments and testing is highly valuable and urgently needed, making a ransom payment for its safe return a sometimes necessary choice. Even if a ransom is paid, hackers could still hold valuable research hostage or sell it to the highest bidder. Hospitals, already overburdened by COVID-19 cases and operating with limited resources, may understandably choose to pay a ransom rather than lose access to data necessary to provide services and care.
One way that the NetWalker ransomware infiltrates organizations is via attachments to phishing emails. Such emails increasingly reference the coronavirus, garnering clicks by exploiting people’s fears and stress about the pandemic. Other attacks take advantage of infrastructure vulnerabilities (like gateway and VPN weaknesses) to install ransomware, and may go undetected as IT staff members are distracted by pandemic-related challenges, such as managing remote work set-up.
In order to strengthen defenses and prevent attacks, organizations should:
- Remind employees to be vigilant and to report suspicious e-mails, particularly those from unknown senders or that purport to contain COVID-19 information, before clicking links, opening attachments or providing information;
- Ensure that all available security updates are applied for VPN and firewall configurations;
- Implement and enforce strong password policies, multifactor authentication and encryption where possible;
- Increase network monitoring and audit activity logging for timely detection of suspicious and unauthorized activity;
- Regularly back up sensitive and operationally critical data.
Additionally, all organizations should establish an incident response plan to effectively respond to suspected or actual compromise.
Breach Response and Legal Considerations
Even with strong security measures in place, an attack is still possible. Responding to incidents requires the coordination of specialists from diverse disciplines, including internal IT and Legal departments, outside forensic experts and legal counsel, and law enforcement. All organizations should identify these stakeholders as early as possible in order to swiftly respond to any potential incident.
In the event of an actual breach, notification to affected individuals and/or regulators may be required under state, federal and foreign law:
- Every U.S. state requires organizations to notify individuals of certain breaches exposing personal information. Notice to state regulators may also be required.
- Universities and hospitals dealing with the coronavirus likely have additional notification obligations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires notice to individuals and the Department of Health and Human Services of certain breaches involving personal health information.
- Institutions, including universities, that handle personal information belonging to EU residents may be required to report a data breach to the relevant supervisory authority within 72 hours under the EU General Data Protection Regulation (GDPR).