May 2021
TABLE OF CONTENTS
Executive Summary .......... 3
Conclusion .......... 8
EXECUTIVE SUMMARY
Over the past several years, cyber-attacks targeting the healthcare industry have continued on an upward arc. These attacks are occurring alongside two worrying trends. First, the attack surface has expanded with electronic health records and greater use of connected medical devices (the Internet of Medical Things, or IoMT). Second, adversaries have recognized the potential of exploiting older, hard-to-patch software tied to operational health technology, for example to compromise an X-ray or MRI machine.
In 2020, reports indicated that cyber-attacks on the healthcare industry more than doubled from 2019, with ransomware accounting for 28 percent of all attacks. While previous healthcare sector cyber-attacks focused primarily on providers, from large hospital systems to smaller private practices, the COVID-19 pandemic exposed vulnerabilities across the entire healthcare sector. Attackers, especially financially motivated cyber criminals, targeted organizations involved in COVID-19 response, such as bio-pharmaceutical companies, university-based
The purpose of this Threat Brief is to provide an overview of threats LookingGlass has observed from our external attack surface management solution and from regular open-source research and intelligence to support our customers. Healthcare sector organizations can use this Threat Brief to understand adversary/actor profiles, motivations/objectives, and the types of threats and tactics used by adversaries targeting the sector as a whole.
At LookingGlass, we have monitored the healthcare sector since 2009. We believe that understanding one's cyber vulnerabilities, threats, and threat actors is critical to obtaining a more accurate view of one's risk exposure. This holistic perspective is necessary for developing incident response plans, implementing mitigations, refactoring compensating controls, and informing adversary management strategies.
THREAT BRIEF
Actors in this group are motivated by ideology. For example, a hacktivist may disagree with a clinic's stance on a specific medical procedure and choose to execute a disruptive attack, such as a Distributed Denial of Service (DDoS), to momentarily take that clinic's operations and systems down. From a business and operational perspective, this can be very damaging, so these threats are serious. However, they are typically predicated on an event or news story that draws attention to the issue or ideology.

TOP HEALTHCARE SECTOR THREATS AND ATTACKS IN 2020

Throughout 2020, the top three most reported cyber threats LookingGlass saw across the external attack surface for the healthcare sector were:

[Figure: pie chart of the most reported threats across the healthcare external attack surface in 2020. Slices: Probes/Scanning, Malicious Host, Botnet (32%), Other (10%); the Probes/Scanning and Malicious Host slices carry the remaining labels of 47% and 11%.]

PYSA: In September 2020, several healthcare sector organizations were impacted by this ransomware, including Nonin Medical and Assured Imaging, which notified nearly 250,000 patients that their data may have been exfiltrated through the attack5. In early 2021, the FBI and DHS CISA issued a joint industry alert about PYSA6.

Maze: though Maze operators announced a détente with healthcare organizations at the start of the pandemic7, they continued to ramp up attacks in healthcare throughout 2020. Impacted companies included Stockdale Radiology, Sunset Radiology, Healthcare Fiscal Management, and New Jersey's Medical Diagnostics Lab (MD Lab)8.

Conti: Conti is believed by some to be the successor to Ryuk9, based on similarities between the two malware families' source code and Conti's inclusion in the Trickbot infection chains. Conti's sophisticated approach includes obfuscating its code and using evasion techniques. Conti is believed to have attacked and extorted Leon Medical Centers, Nocona General Hospital10, and Riverside Community Care, to name just a few healthcare organizations. The joint FBI and DHS CISA alert on ransomware targeting the healthcare sector was updated to include specific information on Conti.
A growing area of concern across the healthcare sector is exposed IoMT devices connected to hospital networks. Researchers have raised concerns that threat actors may use Shodan (a public search engine that indexes internet-connected devices and the services they expose, which security professionals also use to find unpatched systems) to find exposed internet-connected medical devices and gather intelligence about a potential victim. For example, Russian-speaking threat actors have been observed translating, publishing, and discussing in a deep and dark web forum a research article about Shodan search queries14.
More broadly, threat actors have also been observed discussing exposed, traditional medical devices, such as radiology equipment and software. The objective of these actors is to use medical devices15 to gain unauthorized access to hospital networks and confidential patient data. For example, DICOM viewers and Picture Archiving and Communication Systems (PACS) often expose Remote Desktop Protocol (RDP) for vendor and operational support, and internet-facing RDP is also one of the most common initial access vectors for ransomware groups.
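Besides RDP, the DICOM service itself is often the exposed door: a listener on TCP 104 or 11112 that answers an association request with an accept, or even with a rejection, is a reachable PACS that an attacker found the same way. The Python below is an added example written for this brief, not LookingGlass code or any PACS vendor's; it builds a minimal A-ASSOCIATE-RQ that proposes only the Verification (C-ECHO) service and classifies the first PDU that comes back. The called AE title "ANY-SCP", the implementation UID "1.2.3.4.5.6", and the two sample replies are constructed for illustration and are not captured traffic.

```python
"""Added example (not from the brief): build a minimal DICOM A-ASSOCIATE-RQ
probe and classify the reply, to confirm whether a PACS/DICOM listener is
exposed on a host. PDU and item layouts follow DICOM PS3.8; the UIDs below
are the standard DICOM ones except the placeholder implementation UID."""
import socket
import struct

VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"   # C-ECHO, the harmless DICOM "ping"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"           # default transfer syntax
APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"  # the only DICOM application context
PLACEHOLDER_IMPL_UID = "1.2.3.4.5.6"           # assumption: placeholder, not a registered UID

# A-ASSOCIATE-RJ reason codes when the source is the remote service user (PS3.8 Table 9-21)
RJ_USER_REASONS = {1: "no reason given", 2: "application context not supported",
                   3: "calling AE title not recognized", 7: "called AE title not recognized"}


def _item(item_type: int, payload: bytes) -> bytes:
    """PS3.8 variable item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _uid(uid: str) -> bytes:
    """UIDs inside PDU items are plain ASCII with no padding (PS3.8 Annex F)."""
    return uid.encode("ascii")


def build_associate_rq(called_ae: str, calling_ae: str = "PROBE") -> bytes:
    """A-ASSOCIATE-RQ proposing only the Verification SOP class, so the probe
    asks for nothing beyond a C-ECHO capability and never requests images."""
    if len(called_ae) > 16 or len(calling_ae) > 16:
        raise ValueError("AE titles are at most 16 characters")
    pres_ctx = bytes([1, 0, 0, 0])                          # presentation context id 1
    pres_ctx += _item(0x30, _uid(VERIFICATION_SOP_CLASS))   # abstract syntax
    pres_ctx += _item(0x40, _uid(IMPLICIT_VR_LE))           # transfer syntax
    user_info = _item(0x51, struct.pack(">I", 16384))       # max PDU length we accept
    user_info += _item(0x52, _uid(PLACEHOLDER_IMPL_UID))    # implementation class UID
    body = struct.pack(">HH", 1, 0)                         # protocol version 1, reserved
    body += called_ae.ljust(16).encode("ascii")             # called AE title, space padded
    body += calling_ae.ljust(16).encode("ascii")            # calling AE title
    body += bytes(32)                                       # reserved
    body += _item(0x10, _uid(APPLICATION_CONTEXT))
    body += _item(0x20, pres_ctx)
    body += _item(0x50, user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body   # PDU type 1 + length


def classify_response(data: bytes) -> dict:
    """Interpret the first PDU a listener returns. An accept and a reject both
    prove a DICOM service is reachable; only silence or non-DICOM bytes do not."""
    if len(data) < 6:
        return {"outcome": "no-dicom", "detail": "short or empty reply"}
    pdu_type = data[0]
    if pdu_type == 0x02 and len(data) >= 74:                # A-ASSOCIATE-AC
        called_ae = data[10:26].decode("ascii", "replace").strip()
        contexts, pos = {}, 74                              # variable items follow the fixed part
        while pos + 4 <= len(data):
            itype, _, ilen = struct.unpack(">BBH", data[pos:pos + 4])
            payload = data[pos + 4:pos + 4 + ilen]
            if itype == 0x21 and len(payload) >= 4:         # presentation context result
                contexts[payload[0]] = payload[2]           # 0 = accepted, 3 = abstract syntax unsupported
            pos += 4 + ilen
        return {"outcome": "accepted", "called_ae": called_ae, "contexts": contexts}
    if pdu_type == 0x03 and len(data) >= 10:                # A-ASSOCIATE-RJ
        result, source, reason = data[7], data[8], data[9]
        text = RJ_USER_REASONS.get(reason, "unknown") if source == 1 else "provider-side reason"
        return {"outcome": "rejected", "result": result, "source": source,
                "reason": reason, "reason_text": text}
    if pdu_type == 0x07:                                    # A-ABORT
        return {"outcome": "abort"}
    return {"outcome": "unknown", "pdu_type": pdu_type}


def sample_replies() -> dict:
    """Constructed replies (not captured traffic) so the classifier runs offline."""
    pc = _item(0x21, bytes([1, 0, 0, 0]) + _item(0x40, _uid(IMPLICIT_VR_LE)))  # context 1 accepted
    body = struct.pack(">HH", 1, 0) + b"PACS1".ljust(16) + b"PROBE".ljust(16) + bytes(32)
    body += _item(0x10, _uid(APPLICATION_CONTEXT)) + pc
    body += _item(0x50, _item(0x51, struct.pack(">I", 16384)))
    accept = struct.pack(">BBI", 0x02, 0, len(body)) + body
    # permanent rejection by the service user because the called AE title is unknown
    reject = struct.pack(">BBIBBBB", 0x03, 0, 4, 0, 1, 1, 7)
    return {"accept": accept, "reject": reject}


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP", timeout: float = 5.0) -> dict:
    """Live check against a host you are authorised to test (11112 is the other common port)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae))
        reply = sock.recv(4096)
        if reply[:1] == b"\x02":                            # release the association politely
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))
    return classify_response(reply)


if __name__ == "__main__":
    for name, reply in sample_replies().items():
        print(name, classify_response(reply))
```

The point for defenders is in the classifier: a rejection with reason 7 ("called AE title not recognized") is still a positive finding, because it shows a PACS answering association requests from the internet. Run probe() only against addresses in your own external attack surface, and treat any outcome other than "no-dicom" as a device to pull behind a VPN or firewall.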
Other medical devices have become more IoMT-like in nature, such as wireless infusion pumps, implanted devices, smart pens, and vital sign monitors16, all of which have been shown to be exploitable. In September 2019, IBM discovered a vulnerability in a Thales cellular IoT module that could allow attackers to take control of insulin pumps and manipulate readings from medical device monitors built on that module.
Similarly, the Ripple20 vulnerabilities in the Treck embedded TCP/IP stack allow threat actors to manipulate the software on devices such as infusion pumps17. Several high-profile healthcare-specific devices have been found to have vulnerabilities that could compromise the machine's functionality or the data the machine handles. For example, critical vulnerabilities, collectively named MDhex, have been discovered in GE Healthcare CARESCAPE patient monitoring products that could allow attackers to remotely access the devices, interfere with how they operate, change settings, and potentially expose protected health information (PHI)18.
While vulnerabilities affecting healthcare technology, such as implanted devices or infusion pumps,
pose a threat to human life, cyber criminals have been the main actor group targeting medical devices.
Their financial motivation means they are more likely to use these vulnerabilities to gain access to
a hospital’s networks or systems to launch a ransomware attack or find medical records to sell on
underground markets.
14 hxxps://jarv[.]is/notes/shodan-search-queries/
15 hxxps://www.offensiveosint[.]io/when-amerka-meets-healthcare-research-on-exposed-medical-devices/
16 hxxps://iotbusinessnews[.]com/2020/11/11/93955-4-iot-medical-devices-that-are-vulnerable-to-hacks/
17 hxxps://www.medtechdive[.]com/news/insulin-pumps-among-millions-of-iot-devices-vulnerable-to-hacker-attacks/584043/
18 MDhex-related CVEs: CVE-2020-6961, CVE-2020-6963, CVE-2020-6964, and CVE-2020-6966. hxxps://www.bleepingcomputer[.]com/news/security/critical-mdhex-vulnerabilities-shake-the-healthcare-sector/
CONCLUSION
Cyber threat intelligence trends for the healthcare sector in 2021 show an increase in threat actor activity, including exploitation of the sector through a combination of common vulnerabilities and sophisticated ransomware.
LookingGlass analysts have observed actors with an increasing interest in the "sharing" of credentials (e.g., employee or administrative account names and passwords) as an attack vector for gaining access to healthcare organizations. This trend will continue as ransomware campaigns keep leveraging these techniques for monetary gain. Threat actors will also gain notoriety from compromising healthcare organizations, even as the sector adapts to the escalating cyber threat landscape by implementing stronger cybersecurity controls and practices.
ABOUT LOOKINGGLASS
LookingGlass develops cybersecurity solutions that empower organizations to meet their missions with
tailored, actionable threat intelligence and threat mitigation capabilities that move at machine speed. For
more than a decade, the most advanced organizations in the world have trusted LookingGlass to help them
protect financial systems, ensure telecommunications are cyber-resilient, and safeguard national security
interests.
Rooted in operationalizing threat intelligence, LookingGlass solutions help reduce the time to detect and
respond to incidents, enable cyber investigations, optimize threat hunt operations, and improve analyst
productivity and efficiency. By linking the risks and vulnerabilities from an organization’s external attack
surface to customized threat actor models, LookingGlass provides a more accurate view of cyber risk and
enables systematic definition and deployment of mitigations to defend against the threats that matter.
For healthcare organizations interested in understanding their external attack surface, including the risks and
vulnerabilities specific to them, contact us at info@lookingglasscyber.com.