Ransomware, Breach, Vulnerability Management

Who was behind Change Healthcare breach: LockBit or ALPHV/BlackCat


[EDITOR'S NOTE: A reference in a previous version of this article citing undisclosed and unconfirmed research that implicated a technology firm as an attack vector for the Change Healthcare incident has been removed. SC Media strives for accuracy and reporting transparency and regrets when it falls short of that goal. 5/13/2024]

There are significant updates to SC Media's Feb. 23 report on the recent breach of Change Healthcare that disrupted pharmacies nationwide.

Yelisey Bohuslavskiy, co-founder of RedSense and Advintel, posted on LinkedIn that RedSense was able to identify, map and structure exfiltration-related telemetry for the timeline associated with the Change Healthcare attack, as well as the timeline prior to it.

However, Bohuslavskiy said the telemetry analysis did not identify adversarial activity associated with LockBit's infrastructure, be it the ransomware gang's core C2s, proxies or affiliate C2s.

While RedSense said this finding does not contradict the alleged deployment of LockBit's locker against Change Healthcare, which has been widely speculated, the exfiltration pattern contradicted typical recent LockBit exfiltration tactics, techniques, and procedures (TTPs), suggesting that the actor was most likely not a LockBit affiliate.

Indeed, it was widely reported over the last 24 hours that the ALPHV/BlackCat ransomware group was responsible for the Change Healthcare cyberattack.

The Health-ISAC noted the RedSense research in a recent bulletin, but said it's not possible to confirm attack details because the incident is still under investigation.

Toby Gouker, chief security officer at First Health Advisory, explained that during the early phases of an attack, these ransomware cases all look alike. Only as the forensics process unfolds do researchers discover the method of deployment and the specific payloads.

“While the current speculation is that ALPHV/BlackCat is indeed the actor, it could take weeks to actually confirm,” said Gouker. “In some cases, attribution is never able to be confirmed. Malicious actors share toolsets and methodologies and practice the art of obfuscation."

In terms of greater security industry perspective, Sarah Jones, cyber threat intelligence research analyst at Critical Start, said the tactics and techniques observed in the breach align with known methods used by threat actors other than LockBit.

“While we cannot definitively confirm the link at this time, Optum's engagement of Mandiant, a leading incident response firm renowned for investigating sophisticated cyberattacks, suggests the severity and complexity of the breach,” said Jones. "It's worth noting that while the exact ransomware strain remains uncertain (LockBit vs. ALPHV/BlackCat), this ambiguity is typical in the early stages of incident response.”

UPDATE [Editor's Note: Months after this initial report (on April 30, 2024) UnitedHealth Group CEO Andrew Witty released a statement to Congress stating that threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal — a portal that lacked multifactor authentication (MFA), a basic tenet of cybersecurity. Read statement here (PDF).] - 5/13/2024

Optum response to Change Healthcare cyber incident

For its part, Optum, which heads up the UnitedHealth division that includes Change Healthcare, wrote in a Feb. 27 email to SC Media that since identifying the cyber incident, it has worked closely with customers and clients to ensure people have access to the medications and the care they need. Optum also said it continues to work closely with law enforcement and a number of third parties, including Mandiant and Palo Alto Networks, on the attack against Change Healthcare’s systems.

“We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal,” Optum told SC Media. “As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”

Here are some highlights Optum wanted to point out to readers, mostly messages to pharmacy customers that are not security-related:

  • The company estimates more than 90% of the nation’s 70,000-plus pharmacies have modified electronic claim processing to mitigate impacts from the Change Healthcare cybersecurity issue; the remainder have offline processing workarounds.
  • Optum Rx and UnitedHealthcare are seeing minimal reports, including less than 100 out of more than 65 million Pharmacy Benefit Manager (PBM) members not being able to get their prescriptions. Those patients have been immediately escalated and we have no reports of continuity of care issues.
  • Optum understands the impact this issue has had on claims for payers and providers. Any delays to claims processing have yet to impact provider cash flows as payers typically pay one to two weeks after processing. As Optum works on bringing systems back online, we are also developing solutions to that challenge if needed.
  • Hospitals, health systems and providers have connections to multiple clearinghouses and access to manual workarounds.

SC Media reached out to Mandiant, which said it could not comment on the matter since the Change Healthcare case was still under investigation.
