
THREAT BRIEF

Healthcare Sector Threat Brief

Over the past several years, cybersecurity attacks targeting the healthcare industry have continued on an upward arc. These attacks are occurring alongside two worrying trends. This Healthcare Sector Threat Brief explores them in detail.

May 2021
TABLE OF CONTENTS

Executive Summary ................................................ 3
Adversary/Actor Profiles ......................................... 4
    State-sponsored or State-affiliated APTs ..................... 4
    Cyber-Criminal Groups ........................................ 4
    Hacktivists and Ideologically Motivated Hackers .............. 5
Top Healthcare Sector Threats and Attacks ........................ 5
Risks and Vulnerabilities ........................................ 6
Emerging Threats: Internet of Medical Things ..................... 7
Conclusion ....................................................... 8

Learn more about the solutions LookingGlass provides by scheduling a demo.

© 2019 LookingGlass Cyber Solutions, Inc. All rights reserved.



EXECUTIVE SUMMARY
Over the past several years, cybersecurity attacks targeting the healthcare industry have continued on an
upward arc. These attacks are occurring alongside two worrying trends. First, the attack surface has expanded
with electronic health records and greater use of connected medical devices (the Internet of Medical
Things, or IoMT). Second, adversaries have recognized the potential of exploiting older software tied to
operational health technology, which can be difficult to patch, for example by compromising an X-ray
or MRI machine.

In 2020, reports indicated that cyber-attacks on the healthcare industry more than doubled from 2019, with
ransomware accounting for 28 percent of all attacks. While previous healthcare sector cyber-attacks focused
primarily on providers, from large hospital systems to smaller private practices, the COVID-19 pandemic
exposed vulnerabilities in the entire healthcare sector. Attackers, especially financial cyber criminals, targeted
organizations involved in COVID-19 response, such as bio-pharmaceutical companies, university-based

The purpose of this Threat Brief is to provide an overview of threats LookingGlass has observed from our
external attack surface management solution and from regular open-source research and intelligence to
support our customers. Healthcare sector organizations can use this Threat Brief to understand adversary/
actor profiles, motivations/objectives, and types of threats and tactics used by adversaries targeting the
sector as a whole.

At LookingGlass, we have monitored the healthcare sector since 2009. We believe that understanding
one's cyber vulnerabilities, threats, and threat actors is critical to obtaining a more accurate view of one's
risk exposure. This holistic perspective is necessary for developing incident response plans, implementing
mitigations, refactoring compensating controls, and informing adversary management strategies.


ADVERSARY/ACTOR PROFILES

Threat actors targeting the healthcare sector are diverse:

State-sponsored or state-affiliated Advanced Persistent Threat actors (APTs)
These actors are often given names (e.g., Fancy Bear) or numbered names (e.g., Fancy Bear is also known as
APT 28). These names are designated by cybersecurity groups, and many names exist for the same group.
LookingGlass and other organizations have observed attacks on healthcare sector organizations connected
to known APT groups from states such as Russia, Iran, China, and North Korea.

For the healthcare sector in 2020, cyber-attacks on pharmaceutical companies grew significantly, and most
were attributed to this actor profile. APTs can give an edge to in-country, local competitors against their
foreign competitors. By obtaining the intellectual property of expensive research and development projects
from competing nations, countries can drastically accelerate their economies. In fact, in May 2020, the U.S.
Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), in
partnership with the United Kingdom's National Cyber Security Centre, released an alert about APTs
targeting healthcare organizations. The report specifically focused on organizations supporting and working
on COVID-19 vaccine development, such as "healthcare bodies, pharmaceutical companies, academia,
medical research organizations, and local governments."

Cyber-criminal groups
These actors are almost exclusively financially motivated. Their attacks typically involve either the theft and
resale of valuable data, including usernames and passwords for IT assets (file servers, Microsoft Exchange
servers) on the victim network, or the theft and sale of proprietary data, such as research or patient health
information.

In 2020, one major attack technique used to monetize access was ransomware. Within the healthcare sector,
cyber criminals will often focus on obtaining access to patient health records, hospital financial data, or
other operational documentation – and encrypt all this data, making it impossible for the hospital or
provider to function. Actors will then execute ransomware and include instructions on how the organization
can pay to get their unencrypted files back. Because the operations of healthcare organizations directly
affect patient safety and can involve loss of life, these kinds of attacks are especially damaging. This is a
critical factor in healthcare organizations' decisions to pay the ransom.

HEALTHCARE TARGETED RANSOMWARE ATTACKS

Below is a list of ransomware attacks that have targeted healthcare organizations in the past and will likely
continue to do so:

REvil: AKA Sodinokibi, previously associated with the Zeppelin ransomware gang1. REvil was used to
compromise Beacon Health Solutions2, where the attacker was able to exfiltrate 600GB of company
information, personal data, financial documents, client Social Security Numbers (SSNs), bank documents,
and phone records.

NetWalker: Late in 2020, a dark web actor advertised the sale of data from a cloud-based healthcare
company. This transpired, according to the actor, after they repeatedly reported a bug causing data leaks
and were ignored. This compromise was likely from the NetWalker ransomware, which has been a key tool
in multiple healthcare sector attacks, including the University of California San Francisco attack, where
servers and data for the School of Medicine, which was supporting COVID-19 vaccine research, were
encrypted3. The FBI also released an alert on ransomware and NetWalker in mid-20204.

1 hxxps://www.zdnet[.]com/article/another-ransomware-strain-is-now-stealing-data-before-encrypting-it/
2 hxxps://healthitsecurity[.]com/news/ransomware-hacking-groups-steal-leak-data-from-3-more-providers
3 hxxps://healthitsecurity[.]com/news/ucsf-pays-1.14m-to-netwalker-hackers-after-ransomware-attack
4 hxxps://healthitsecurity[.]com/news/fbi-alerts-to-rise-in-targeted-netwalker-ransomware-attacks
Hacktivists and ideologically motivated hackers
This group is less active in the healthcare sector and, while not completely absent, can be considered less
of a concern than APTs and cyber criminals.

Actors in this group are motivated by ideology. For example, a hacktivist may disagree with a clinic's stance
on a specific medical procedure and choose to execute a disruptive attack, such as a Distributed Denial of
Service (DDoS), to momentarily take that clinic's operations and systems down. From a business and
operational perspective, this can be very damaging, so these threats are serious. However, they are typically
predicated on an event or news story that draws attention to the issue or ideology.

HEALTHCARE TARGETED RANSOMWARE ATTACKS (continued)

PYSA: In September 2020, several healthcare sector organizations were impacted by this ransomware,
including Nonin Medical and Assured Imaging, which notified nearly 250,000 patients that their data may
have been exfiltrated through the attack5. In early 2021, the FBI and DHS CISA issued a joint industry alert
about PYSA6.

Maze: Though Maze operators announced a détente with healthcare organizations at the start of the
pandemic7, they continued to ramp up attacks in healthcare throughout 2020. Impacted companies included
Stockdale Radiology, Sunset Radiology, Healthcare Fiscal Management, and New Jersey's Medical
Diagnostics Lab (MD Lab)8.

Conti: Conti is believed by some to be the successor to Ryuk9, based on similarities between the two
malware families' source code and Conti's inclusion in the Trickbot infection chains. Conti's sophisticated
approach includes obfuscating its source code and utilizing evasion techniques. Conti is believed to have
attacked and extorted Leon Medical Centers, Nocona General Hospital10, and Riverside Community Care,
to name just a few healthcare organizations. The joint FBI and DHS CISA alert on ransomware targeting the
healthcare sector was updated to include specific information on Conti.

TOP HEALTHCARE SECTOR THREATS AND ATTACKS IN 2020

Throughout 2020, the top three most reported cyber threats LookingGlass saw across the external attack
surface for the healthcare sector were (share of observations):

• Probes/Scanning: 47%
• Botnet: 32%
• Malicious Host: 11%
• Other: 10%

Probes or scanning is often used by threat actors as the first phase of an attack to better understand the
external attack surface and uncover any vulnerabilities that can be exploited. In this respect, probes and
scanning can be thought of as a reconnaissance-type activity.

5 hxxps://healthitsecurity[.]com/news/ransomware-hacking-groups-post-data-from-5-healthcare-entities
6 hxxps://www.ic3[.]gov/Media/News/2021/210316.pdf
7 hxxps://www.beckershospitalreview[.]com/cybersecurity/hackers-claim-they-will-stop-targeting-healthcare-organizations-amid-covid-19-outbreak.html
8 hxxps://healthitsecurity[.]com/news/maze-ransomware-hackers-extorting-providers-posting-stolen-health-data
9 hxxps://www.bleepingcomputer[.]com/news/security/suncrypt-ransomware-shows-signs-of-being-ryuks-successor/
10 hxxps://healthitsecurity[.]com/news/hackers-dump-more-health-data-as-feds-share-ransomware-factsheet
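The reconnaissance scanning described above, and the brute-forced SSH, FTP and mail logins that the brief goes on to name as the usual way a host becomes a "malicious host", both show up as fan-out in ordinary logs: one source touching many ports in a short window, or one source failing many logins across several services. The Python below is an added example written for this edit, not LookingGlass code or tooling. Its firewall and authentication log lines are constructed (iptables, sshd, vsftpd and dovecot message formats with RFC 5737 documentation addresses), and the window sizes, thresholds and the `NOTABLE_PORTS` map are assumptions to tune per environment.

```python
"""Flag reconnaissance scans and login brute force in syslog-style records.

Added example. SAMPLE_FW and SAMPLE_AUTH are constructed below (iptables,
sshd, vsftpd and dovecot formats; RFC 5737 addresses), not real logs."""
import re
from collections import defaultdict
from datetime import datetime

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
FW_FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
# (service, regex); group 1 is the user name tried, group 2 the source address
AUTH_FAIL = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")),
    ("ftp", re.compile(r'vsftpd\[\d+\]: \[(\S+)\] FAIL LOGIN: Client "([^"]+)"')),
    ("mail", re.compile(r"dovecot: \S+-login: .*auth failed.*user=<([^>]*)>.*rip=([^,\s]+)")),
]
# assumed watch-list: services the brief singles out (RDP, SMB, DICOM/PACS) plus the login services
NOTABLE_PORTS = {21: "ftp", 22: "ssh", 104: "dicom", 143: "imap", 445: "smb", 3389: "rdp", 11112: "dicom"}


def parse_syslog(line):
    """Split 'Mon DD HH:MM:SS host message' into (datetime, host, message) or None."""
    m = SYSLOG.match(line)
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)) if m else None


def _peak_in_window(events, window_s, key):
    """Largest count of distinct key(event) values inside any trailing window of
    window_s seconds; events are tuples whose first element is the timestamp."""
    events.sort(key=lambda e: e[0])
    peak = 0
    for i, ev in enumerate(events):
        in_win = {key(e) for e in events[: i + 1] if (ev[0] - e[0]).total_seconds() <= window_s}
        peak = max(peak, len(in_win))
    return peak


def detect_port_scans(lines, window_s=60, min_ports=8):
    """Per source address: flag when any window touches >= min_ports distinct destination ports."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        m = FW_FIELDS.search(rec[2]) if rec else None
        if m:
            by_src[m.group(1)].append((rec[0], int(m.group(4))))
    findings = {}
    for src, evs in by_src.items():
        peak = _peak_in_window(evs, window_s, key=lambda e: e[1])
        if peak >= min_ports:
            ports = sorted({p for _, p in evs})
            findings[src] = {"peak_ports": peak, "ports": ports,
                             "notable": sorted({NOTABLE_PORTS[p] for p in ports if p in NOTABLE_PORTS})}
    return findings


def detect_login_bruteforce(lines, window_s=120, min_failures=6):
    """Per source address: flag when >= min_failures failed logins land in any window,
    counted across SSH, FTP and mail together (spraying several services keeps
    each one under its own lockout threshold)."""
    by_src = defaultdict(list)
    for seq, line in enumerate(lines):
        rec = parse_syslog(line)
        if not rec:
            continue
        for svc, rx in AUTH_FAIL:
            m = rx.search(rec[2])
            if m:
                by_src[m.group(2)].append((rec[0], m.group(1), svc, seq))
                break
    findings = {}
    for src, evs in by_src.items():
        peak = _peak_in_window(evs, window_s, key=lambda e: e[3])
        if peak >= min_failures:
            findings[src] = {"peak_failures": peak, "failures": len(evs),
                             "users": sorted({e[1] for e in evs}), "services": sorted({e[2] for e in evs})}
    return findings


def _fw(ts, src, port):  # constructed iptables-style line
    return f"Mar 14 {ts} gw kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.10 PROTO=TCP DPT={port} SYN"

# constructed: one source sweeps ten ports in ten seconds; one client only ever uses HTTPS
SAMPLE_FW = [_fw("02:10:%02d" % i, "203.0.113.5", p)
             for i, p in enumerate([21, 22, 23, 80, 104, 443, 445, 3389, 8080, 11112])]
SAMPLE_FW += [_fw("02:1%d:00" % i, "192.0.2.7", 443) for i in range(5)]

# constructed: one source sprays seven failures over three services in 20 s; one user mistypes once
SAMPLE_AUTH = [
    "Mar 14 02:12:10 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51212 ssh2",
    "Mar 14 02:12:12 bastion sshd[1203]: Failed password for root from 203.0.113.9 port 51220 ssh2",
    'Mar 14 02:12:15 files vsftpd[2200]: [anonymous] FAIL LOGIN: Client "203.0.113.9"',
    'Mar 14 02:12:16 files vsftpd[2201]: [backup] FAIL LOGIN: Client "203.0.113.9"',
    "Mar 14 02:12:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<nurse1>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.20",
    "Mar 14 02:12:22 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<billing>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.20",
    "Mar 14 02:12:30 bastion sshd[1210]: Failed password for radiology from 203.0.113.9 port 51300 ssh2",
    "Mar 14 03:05:00 bastion sshd[1400]: Failed password for jsmith from 192.0.2.7 port 40000 ssh2",
    "Mar 14 03:05:04 bastion sshd[1400]: Accepted password for jsmith from 192.0.2.7 port 40000 ssh2",
]

if __name__ == "__main__":
    print("scans:", detect_port_scans(SAMPLE_FW))
    print("brute force:", detect_login_bruteforce(SAMPLE_AUTH))
```

Run as a script it flags 203.0.113.5 as a scanner that touched, among others, the RDP, SMB and DICOM ports, and 203.0.113.9 as a brute-forcer spraying seven accounts across SSH, FTP and mail, while the ordinary HTTPS client and the user who mistyped a password once stay quiet. The two detectors are deliberately counted per source address across every service at once; a per-service lockout counter is exactly what a low-and-slow spray is built to stay under.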
Botnets are systems of devices (computers, phones, and even "smart" devices such as IoT devices are the
"bots") that have been compromised with malware. This allows the devices to be used or manipulated by an
actor, or controller, through command and control (C2) software. Botnets are often used for large-scale
DDoS attacks, data exfiltration, click or ad fraud, bitcoin mining, spyware, and spam distribution. The
impact of botnets can range from resource drain, thus driving up IT costs, to the stealing of critical
information.

TOP 5 HEALTHCARE BOTNETS

In 2020, some of the top botnets LookingGlass observed across the healthcare sector included:

1. Conficker: 20% – a worm targeting Microsoft Windows that can infect other devices on the infected
computer's local network. This infection allows an attacker to access users' sensitive information.

2. Avalanche Andromeda: 17% – primarily used to steal credentials and as a mechanism to install and run
additional malware. The persistence of this bot is interesting, since there was a large law enforcement
takedown of it back in 201711.

3. Irsstealer: 12% – steals sensitive information, such as passwords or credit card information, by logging
keystrokes.

4. Gumblar: 10% – a malicious JavaScript trojan horse file that redirects a user's Google searches and then
installs rogue security software.

5. Sality: 8% – used for relaying spam, proxying communications, exfiltrating sensitive data, compromising
web servers, and/or coordinating distributed computing tasks for processing-intensive work (e.g., password
cracking).

Malicious hosts are machines that exhibit malicious behavior. Often these machines have been compromised
through SSH, FTP, or mail logins, typically as the result of a brute-force attack. Once these machines have
been compromised, they can be used for a number of malicious behaviors, including hosting and distributing
malware.

Risks and Vulnerabilities

Many threats and attacks, especially ransomware, leverage vulnerabilities. Across the healthcare sector, two
of the most severe vulnerabilities LookingGlass observed in its assessment of the sector included:

• CVE-2019-0708: A remote code execution vulnerability exists in Remote Desktop Services, formerly
known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and
sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'12.
This vulnerability has a CVSS 3.x severity score of 9.8 (on a scale of 10).

• CVE-2020-0796: A remote code execution vulnerability exists in the way that the Microsoft Server
Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server
Remote Code Execution Vulnerability'. This vulnerability has a CVSS 3.x severity score of 10 (on a scale of
10)13.
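For CVE-2020-0796 in the list above, the precondition an external scan can observe is a server that negotiates SMB 3.1.1 and advertises a compression algorithm. The Python below is an added example, not LookingGlass code: it parses a raw SMB2 NEGOTIATE response laid out per MS-SMB2 (section 2.2.4, with negotiate contexts per 2.2.3.1) and reports the dialect and any compression algorithms. The three responses it checks are built in the same file by `build_negotiate_response()` and are not captures from any host. One caveat matters for triage: a server patched with the March 2020 fix still advertises compression, so a positive result marks exposure to confirm against patch level, whereas a server with Microsoft's DisableCompression workaround applied stops advertising it and reads as negative.

```python
"""Parse an SMB2 NEGOTIATE response and report whether the server speaks
SMB 3.1.1 with compression, the precondition for CVE-2020-0796 (SMBGhost).

Added example. The responses checked at the bottom are constructed with
build_negotiate_response() per MS-SMB2 2.2.4 / 2.2.3.1, not captured."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMPRESSION_ALGS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}


def parse_negotiate_response(msg):
    """msg starts at the SMB2 header (strip the 4-byte NetBIOS length prefix first).
    Returns {"dialect", "contexts", "compression"}."""
    if len(msg) < SMB2_HEADER_LEN + 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", msg, 12)[0] != 0:  # Command field must be NEGOTIATE (0)
        raise ValueError("not a NEGOTIATE response")
    body = SMB2_HEADER_LEN
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, body)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    ctx_offset = struct.unpack_from("<I", msg, body + 60)[0]  # offset from start of header
    info = {"dialect": dialect, "contexts": [], "compression": []}
    if dialect != DIALECT_311:
        return info  # negotiate contexts exist only for 3.1.1
    pos = ctx_offset
    for _ in range(ctx_count):
        ctx_type, data_len = struct.unpack_from("<HH", msg, pos)  # then Reserved(4), Data
        data = msg[pos + 8 : pos + 8 + data_len]
        info["contexts"].append(ctx_type)
        if ctx_type == CTX_COMPRESSION:
            count = struct.unpack_from("<H", data, 0)[0]  # then Padding(2), Flags(4), algorithms
            algs = struct.unpack_from("<%dH" % count, data, 8)
            info["compression"] = [COMPRESSION_ALGS.get(a, hex(a)) for a in algs]
        pos = (pos + 8 + data_len + 7) & ~7  # each context starts on an 8-byte boundary
    return info


def smbghost_precondition(msg):
    """True when SMB 3.1.1 is negotiated and a real compression algorithm is
    advertised. A patched server still answers True (compression stays on);
    a server with the DisableCompression workaround answers False."""
    info = parse_negotiate_response(msg)
    return info["dialect"] == DIALECT_311 and any(a != "NONE" for a in info["compression"])


def build_negotiate_response(dialect, compression_algs=()):
    """Constructed server response (not a capture) so the parser can be exercised."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, bytes(16))
    contexts, ctx_count = b"", 0
    if dialect == DIALECT_311:
        preauth = struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32  # SHA-512 + 32-byte salt
        contexts += struct.pack("<HHI", CTX_PREAUTH_INTEGRITY, len(preauth), 0) + preauth
        ctx_count = 1
        if compression_algs:
            contexts += bytes(-len(contexts) % 8)  # align next context
            comp = struct.pack("<HHI", len(compression_algs), 0, 0)
            comp += struct.pack("<%dH" % len(compression_algs), *compression_algs)
            contexts += struct.pack("<HHI", CTX_COMPRESSION, len(comp), 0) + comp
            ctx_count += 1
    sec_buf = bytes(16)  # stands in for the SPNEGO token; only its length matters here
    sec_off = SMB2_HEADER_LEN + 64
    ctx_off = sec_off + len(sec_buf) if ctx_count else 0  # 144, already 8-byte aligned
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, ctx_count, bytes(16), 0x2F,
                       0x800000, 0x800000, 0x800000, 0, 0, sec_off, len(sec_buf), ctx_off)
    return header + body + sec_buf + contexts


if __name__ == "__main__":
    for name, msg in (("compression on", build_negotiate_response(DIALECT_311, (1, 2, 3))),
                      ("workaround applied", build_negotiate_response(DIALECT_311)),
                      ("SMB 3.0.2 only", build_negotiate_response(0x0302))):
        print(name, parse_negotiate_response(msg), smbghost_precondition(msg))
```

To use it against a live host, send an SMB2 NEGOTIATE request that itself offers dialect 0x0311 and a compression context to TCP/445, drop the 4-byte NetBIOS session header from the reply, and hand the rest to `smbghost_precondition()`; a server that does not offer 3.1.1 or compression is out of scope for this bug regardless of patch level.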

LookingGlass also observed significant potential vulnerabilities tied to specific products and protocols. The
top three potential vulnerabilities across the healthcare sector in 2020 were Cisco WebVPN, Apache 2.2,
and HTTP 1.0. This does not mean that these products and protocols were compromised, only that the
healthcare sector has many instances of these items in use and that they have vulnerabilities that have been
exploited in the past and could be exploited in the future.

11 hxxps://www.securityweek[.]com/authorities-take-down-andromeda-botnet
12 hxxps://nvd.nist[.]gov/vuln/detail/CVE-2019-0708
13 hxxps://nvd.nist[.]gov/vuln/detail/CVE-2020-0796

Emerging Threats: Internet of Medical Things


Across all sectors and consumer technology, the Internet of Things (IoT) has flooded society and made
it easier to control, compile metrics, track, and report on potentially sensitive information, such as
location. The increased adoption of IoT in the healthcare sector — also known as the Internet of Medical
Things (IoMT) — only accelerated in 2020 with the pandemic. Telehealth usage soared; smart medical
devices enabled remote patient monitoring; and more healthcare technology came onto the market
with internet-enabled capabilities.

A growing area of concern across the healthcare sector is exposed IoMT devices connected to hospital
networks. Researchers have raised concerns that threat actors may use Shodan (a search engine that indexes
internet-connected devices and their service banners, which security professionals also use to find exposed
or unpatched systems) to find exposed internet-connected medical devices and gather intelligence about a
potential victim. For example, Russian-speaking threat actors have been observed translating, publishing,
and discussing in a deep and dark web forum a research article about Shodan search queries14.

More broadly, threat actors have also been observed discussing exposed, traditional medical devices,
such as radiology equipment and software. The objective of these actors is to use medical devices15
to gain unauthorized access to hospital networks and confidential patient data. For example, DICOM
viewers and Picture Archiving and Communication Systems (PACS) are usually reachable over Remote
Desktop Protocol (RDP), which enables operational support but is also a common initial-access vector for
ransomware groups.
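Whether an RDP endpoint such as the PACS systems above enforces Network Level Authentication decides whether its pre-authentication connection sequence, where CVE-2019-0708 from the Risks and Vulnerabilities section sits, is reachable by anyone who can open TCP/3389. The Python below is an added example, not LookingGlass code: it builds the client's X.224 Connection Request carrying an RDP_NEG_REQ and decodes the server's Connection Confirm per MS-RDPBCGR (sections 2.2.1.1 and 2.2.1.2). The three server replies it classifies are constructed in the file by `x224_connection_confirm()`, not captures.

```python
"""Decode an RDP server's X.224 Connection Confirm to see whether it enforces
Network Level Authentication (CredSSP, PROTOCOL_HYBRID). Without NLA the
pre-authentication connection sequence, where CVE-2019-0708 lives, is open
to any unauthenticated client.

Added example. The server replies at the bottom are constructed with
x224_connection_confirm() per MS-RDPBCGR 2.2.1.2, not captured."""
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x5
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def _tpkt(x224_body):
    """TPKT header (version 3) + X.224 PDU; the length indicator counts the bytes after itself."""
    x224 = struct.pack(">B", len(x224_body)) + x224_body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def x224_connection_request(requested):
    """Client probe: X.224 CR carrying RDP_NEG_REQ with the `requested` protocol
    flags. Offer only PROTOCOL_RDP|PROTOCOL_SSL; an NLA-enforcing server must refuse."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)  # type, flags, length, protocols
    return _tpkt(struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req)  # CR code, dst-ref, src-ref, class


def x224_connection_confirm(neg=b""):
    """Constructed server reply: X.224 CC, optionally carrying RDP_NEG_RSP or RDP_NEG_FAILURE."""
    return _tpkt(struct.pack(">BHHB", 0xD0, 0, 0x1234, 0) + neg)


def decode_connection_confirm(reply):
    """Return {'kind': 'rsp', 'protocol': n}, {'kind': 'failure', 'code': n, 'reason': s},
    or {'kind': 'legacy'} for a bare CC (a server that only knows standard RDP security)."""
    if len(reply) < 11 or reply[0] != 3 or struct.unpack(">H", reply[2:4])[0] != len(reply):
        raise ValueError("not a well-formed TPKT frame")
    li, code = reply[4], reply[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    payload = reply[11 : 5 + li]  # bytes after LI, CC code, dst-ref, src-ref, class
    if len(payload) < 8:
        return {"kind": "legacy", "protocol": PROTOCOL_RDP}
    typ, _flags, _length, value = struct.unpack("<BBHI", payload[:8])
    if typ == TYPE_RDP_NEG_RSP:
        return {"kind": "rsp", "protocol": value}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": value, "reason": FAILURE_CODES.get(value, hex(value))}
    raise ValueError("unknown RDP negotiation structure type %#x" % typ)


def nla_enforced(reply):
    """True only when a request that omitted PROTOCOL_HYBRID is refused for that reason."""
    d = decode_connection_confirm(reply)
    return d["kind"] == "failure" and d["code"] == HYBRID_REQUIRED_BY_SERVER


def preauth_exposed(reply):
    """True when the server will run the pre-login connection sequence for an
    unauthenticated client (legacy RDP security, or TLS without CredSSP)."""
    d = decode_connection_confirm(reply)
    return d["kind"] == "legacy" or (d["kind"] == "rsp" and d["protocol"] in (PROTOCOL_RDP, PROTOCOL_SSL))


# constructed replies to x224_connection_request(PROTOCOL_RDP | PROTOCOL_SSL)
REPLY_NLA_REQUIRED = x224_connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER))
REPLY_TLS_ONLY = x224_connection_confirm(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_SSL))
REPLY_LEGACY = x224_connection_confirm()

if __name__ == "__main__":
    print("probe:", x224_connection_request(PROTOCOL_RDP | PROTOCOL_SSL).hex())
    for name, r in (("nla required", REPLY_NLA_REQUIRED), ("tls only", REPLY_TLS_ONLY), ("legacy", REPLY_LEGACY)):
        verdict = "NLA enforced" if nla_enforced(r) else "pre-auth exposed" if preauth_exposed(r) else "?"
        print(name, decode_connection_confirm(r), verdict)
```

On a live host, send `x224_connection_request(PROTOCOL_RDP | PROTOCOL_SSL)` to TCP/3389 and pass the reply to `nla_enforced()`; a HYBRID_REQUIRED_BY_SERVER refusal is the only answer that means NLA is on, while a TLS selection is not a mitigation, because the MCS connection sequence still runs before any credential is checked. Nmap's `rdp-enum-encryption` script performs this same negotiation for each security protocol.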

Other medical devices have become more IoMT-like in nature, such as wireless infusion pumps,
implanted devices, smart pens, and vital sign monitors16, all of which have been shown to be hackable.
In September 2019, IBM discovered a vulnerability in a Thales communications module that could allow
hackers to take control of insulin pumps and manipulate readings from medical device monitors.

Similarly, the Ripple20 vulnerabilities allow threat actors to manipulate the software on devices such
as infusion pumps17. Several high-profile healthcare-specific devices have been found to have
vulnerabilities that could compromise the machine's functionality or the data the machine handles.
For example, critical vulnerabilities collectively named MDhex have been discovered in medical devices
from GE Healthcare that could allow attackers to remotely access the products, interfere with how they
operate, change settings, and potentially expose protected health information (PHI)18.

While vulnerabilities affecting healthcare technology, such as implanted devices or infusion pumps,
pose a threat to human life, cyber criminals have been the main actor group targeting medical devices.
Their financial motivation means they are more likely to use these vulnerabilities to gain access to
a hospital’s networks or systems to launch a ransomware attack or find medical records to sell on
underground markets.

14 hxxps://jarv[.]is/notes/shodan-search-queries/
15 hxxps://www.offensiveosint[.]io/when-amerka-meets-healthcare-research-on-exposed-medical-devices/
16 hxxps://iotbusinessnews[.]com/2020/11/11/93955-4-iot-medical-devices-that-are-vulnerable-to-hacks/
17 hxxps://www.medtechdive[.]com/news/insulin-pumps-among-millions-of-iot-devices-vulnerable-to-hacker-attacks/584043/
18 MDhex-related CVEs: CVE-2020-6961, CVE-2020-6963, CVE-2020-6964, and CVE-2020-6966. hxxps://www.bleepingcomputer[.]com/news/security/critical-mdhex-vulnerabilities-shake-the-healthcare-sector/


CONCLUSION
Cyber threat intelligence trends for the healthcare sector in 2021 show an increase in threat actor activity,
including the exploitation of the sector through a combination of common vulnerabilities coupled with
sophisticated pieces of ransomware.

LookingGlass analysts have observed actors with an increasing interest in the "sharing" of credentials (e.g.,
employee or administrative account names and passwords) as a potential attack vector to gain access to
healthcare organizations. This trend will continue as ransomware campaigns continue to leverage these
techniques for monetary gain. Threat actors that compromise healthcare organizations will also gain
increasing notoriety, as the sector adapts to the escalating cyber threat landscape by implementing
stronger cybersecurity controls and practices.

ABOUT LOOKINGGLASS
LookingGlass develops cybersecurity solutions that empower organizations to meet their missions with
tailored, actionable threat intelligence and threat mitigation capabilities that move at machine speed. For
more than a decade, the most advanced organizations in the world have trusted LookingGlass to help them
protect financial systems, ensure telecommunications are cyber-resilient, and safeguard national security
interests.

Rooted in operationalizing threat intelligence, LookingGlass solutions help reduce the time to detect and
respond to incidents, enable cyber investigations, optimize threat hunt operations, and improve analyst
productivity and efficiency. By linking the risks and vulnerabilities from an organization’s external attack
surface to customized threat actor models, LookingGlass provides a more accurate view of cyber risk and
enables systematic definition and deployment of mitigations to defend against the threats that matter.

For healthcare organizations interested in understanding their external attack surface, including the risks and
vulnerabilities specific to them, contact us at info@lookingglasscyber.com.



