North Korea using healthcare ransomware attacks to fund further cybercrime, feds say

North Korean state-sponsored threat actors are continuing to target the healthcare sector in force with Maui and H0lyGh0st ransomware, using the revenue gained from ransom demands to support national priorities, including cyber operations targeting the U.S. and South Korea for espionage purposes.

The joint alert from the Cybersecurity and Infrastructure Security Agency, FBI, National Security Agency, Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the ROK Defense Security Agency is an update to a July 2020 advisory.

Health and public health entities are encouraged to use the indicators of compromise (IOCs) listed in the alert to understand the actors' current tactics.

The advisory joins several other warnings about ongoing nation-state attacks, including two DDoS attack methods and a Lazarus Group campaign targeting unpatched Zimbra devices.

Industry stakeholders have grown increasingly worried about the spate of ongoing attacks and the potential impact to lower-resourced organizations and possible patient safety risks. Currently, two U.S. hospitals and one based in Canada are operating under network downtime after falling victim to cyber-related incidents — one of which has been attributed to ransomware.

The ongoing attacks tied to the Democratic People's Republic of Korea (DPRK) are targeting health and other critical infrastructure organizations, using cryptocurrency to demand ransoms to fund the specific targeting of the Department of Defense Information Networks and Defense Industrial Base member networks.

The ongoing campaign leverages typical ransomware tactics, but the actors have also been observed “acquiring and purchasing infrastructure” to conceal their connection to DPRK.

“The actors generate domains, personas, and accounts and identify cryptocurrency services to conduct their ransomware operations,” according to the alert. The infrastructure, IP addresses, and domains are purchased with cryptocurrency obtained through cybercrime, such as ransomware and cryptocurrency theft.

Further, the actors hide their affiliation by operating under third-party foreign affiliate identities and using other foreign intermediaries to receive ransom payments, or by using virtual private networks, virtual private servers, and third-country IP addresses “to appear to be from innocuous locations instead of from DPRK.”

These actors have also used publicly available tools in their attacks, including BitLocker, Deadbolt, Hidden Tear, Jigsaw, LockBit 2.0, NxRansomware, and Ryuk, among others. And “in some cases, DPRK actors have portrayed themselves as other ransomware groups.”

The threat actors target and exploit common vulnerabilities to gain access to and escalate privileges on networks. The alert cites the Apache Log4j software library flaw, known as Log4Shell, and remote code execution flaws in unpatched SonicWall appliances as the most recent CVEs targeted by these actors.

It’s also likely the actors are “spreading malicious code through trojanized files for 'X-Popup,' an open source messenger commonly used by employees of small and medium hospitals in South Korea,” officials warn. The alert contains IOCs for reference.

After exploitation, staged payloads with customized malware are used for reconnaissance, to install additional files and executables, and to execute shell commands. The malware is also used to collect data from victims’ networks and send it to an actor-controlled remote host.

The alert also warns that these “actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid.” But federal officials “highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.”

Organizations are urged to verify that their networks authenticate and encrypt connections to limit unauthorized access to data, for example by using public key infrastructure (PKI) certificates for VPN and TLS connections — particularly with IoT, medical devices, and electronic health record systems.

“Weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox,” should be turned off, and HTTP should be used for WANs secured with strong passwords and encryption, according to the alert. Stored data should be protected by masking the permanent account number and rendering “it unreadable when stored — through cryptography, for example.” The alert contains a host of technical details for identifying an ongoing threat or protecting against compromise.
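As an added illustration of the stored-data guidance above (not code from the advisory or from SC Media), the following Go example masks a permanent account number for display and seals it at rest with AES-256-GCM so that a stolen copy is unreadable and any tampering is detected on read. The 32-byte key supplied by the caller (in practice from a KMS or HSM, never stored beside the data) and the sample PAN are assumptions for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

func MaskPAN(pan string) string { // display form: all but the last four digits hidden
	d := strings.ReplaceAll(pan, " ", "")
	if len(d) <= 4 { // too short to be a PAN; reveal nothing
		return strings.Repeat("*", len(d))
	}
	return strings.Repeat("*", len(d)-4) + d[len(d)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN encrypts with AES-256-GCM and prepends the random nonce to the stored blob.
func SealPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// OpenPAN recovers the PAN; the GCM tag check fails if the key is wrong or the blob was altered.
func OpenPAN(key, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed value too short")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	return string(pt), err // pt is nil on failure, so the result is ""
}
```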

In light of the ongoing targeting of healthcare organizations, security and IT teams should prioritize remediation efforts. Just last month, actors successfully hacked two federal civilian executive branch networks through malicious typo-squatting activity, likely for espionage.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
