TLP White: This week, Hacking Healthcare begins by exploring the initial fallout from the recent SolarWinds Orion hack. We specifically look to evaluate what happened, what the hack accomplished, and what healthcare organizations may wish to do to secure themselves in its wake. Then, yet another healthcare agency with connections to COVID-19 has been targeted by malicious threat actors, and we dive into the still-evolving story of the European Medicines Agency (EMA) attack.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Author's Note:

2020 has been quite the year. Every one of us has faced challenges both personally and professionally on more than one front, and those are on top of the normal hurdles we all must jump every day and every year. The pandemic, the US election, increases in ransomware, the latest SolarWinds Orion incident, and others that have already faded into memory have combined to make 2020 a year unlike any we have seen in some time. Cancelled trips, conferences, family get-togethers, dinners out with friends, and the loss of countless other events have only made our experience that much harder.

As we look to close it out, both glad to see it go while remaining acutely aware of the road ahead of us, we here at Hacking Healthcare want to say how much we appreciate your continued support. Every week we try to bring meaningful awareness and insight in a way that is approachable to a wide audience, and we hope that you have found it helpful on more than one occasion.

We wish you all the best throughout the remainder of the year and look forward to continuing this journey with you in 2021. And, with the continued hard work of so many and maybe a little luck, we hope to see you in person, somewhere, sometime.


Welcome to Hacking Healthcare, “so long 2020, see you in 2021” edition.


1. SolarWinds Orion

As you are all no doubt aware, globally known cybersecurity firm FireEye announced in a blog post recently that it had been targeted by “a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead [FireEye] to believe it was a state-sponsored attack.” The author of the blog post, FireEye Chief Executive Officer and Board Director Kevin Mandia, described the malicious actors behind the attack as “[operating] clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

FireEye’s announcement was concerning because they are a well-regarded organization dedicated to improving cybersecurity capabilities and have extensive experience dealing with small-time cybercriminal campaigns and tier-one state-sponsored operations alike. What has unfolded in the days since FireEye’s announcement has left many in the cybersecurity field appropriately concerned, and very busy.

As we came to find out, FireEye was just one victim of what appears to be one of the most significant large-scale cyber operations ever. Believed to be the handiwork of the Russian state, it is now known that numerous U.S. government agencies, including the State Department, the Department of Homeland Security, and parts of the Pentagon, have all been breached. The full extent of the operation may not be known for some time, but the list of potentially compromised government agencies and private sector organizations is vast and not limited to the U.S. FireEye has since reported affected organizations globally across numerous sectors.

How Did This Happen?

There are many in-depth pieces on the technical aspects of the attack, so we will not look to rehash that in detail here. However, in general, it appears that “about 18,000 private and government users downloaded a Russian tainted software update… that gave its hackers a foothold into victims’ systems.” The software in question, SolarWinds Orion, is described as a scalable IT monitoring solution, and it enjoys broad adoption within the U.S. government as well as among many customers across the private sector. FireEye has since published evidence suggesting that this operation had been in action as early as March of this year.

What Did It Accomplish?

What first appeared to be limited to the theft of FireEye Red Team assessment tools has evolved into what looks to be one of the most significant cyber-espionage operations ever. While the initial Reuters report stated that the perpetrators would have been able to monitor email traffic at some U.S. government agencies, the full extent of what information they were able to gather may never be fully understood.
Action & Analysis
*H-ISAC Membership Required*

2. European Medicines Agency Hit by a Cyberattack

As we covered previously, cyber threat actors have shown significant interest in healthcare organizations that have a role in the research, development, and distribution of the COVID-19 vaccines. On Wednesday, December 9, 2020, this point was reemphasized when the European Medicines Agency (EMA) released a short statement that read “EMA has been the subject of a cyberattack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.” This vague statement, accompanied by the note that “EMA cannot provide additional details whilst the investigation is ongoing,” provided little clarity.

It wasn’t until follow-on updates that the situation was made clearer. Later that same day, Pfizer and BioNTech, two organizations that had worked on one of the COVID-19 vaccines, released a longer joint statement that summarized what happened. Their statement detailed how documents on an EMA server relating to the regulatory submission of their vaccine candidate had been unlawfully accessed. Additionally, they stated that they were “unaware that any study participants have been identified through the data being accessed.”

Both Pfizer and BioNTech declared that their own systems had not been breached, and EMA declared in an update on the 11th that they “[remain] fully functional and its timelines related to the evaluation and approval of COVID-19 vaccines and treatments are not affected.” Further details have yet to be made available, but there is no shortage of potential perpetrators. As has been previously reported, “hackers linked to China, Iran, North Korea, Russia and Vietnam have been accused of trying to steal information about the virus and its potential treatments.”
Action & Analysis
*H-ISAC Membership Required*


Congress –

Tuesday, December 15th:
– No relevant hearings

Wednesday, December 16th:
– No relevant hearings

Thursday, December 17th:
– No relevant hearings

International Hearings/Meetings –
– No relevant hearings


EU –

– No relevant hearings


Sundries –

US investigates suspected cyber-espionage campaign against government agencies dating back months

Facebook says it disrupted cyber-espionage in Vietnam, Bangladesh

Contact us: follow @HealthISAC, and email at contact@h-isac.org