America’s veterans have served our country and protected our freedoms, sometimes at the expense of their own well-being and health. They have sacrificed while fighting our adversaries, and that sacrifice continues beyond their active duty status. Adversaries are still pursuing veterans and their personal information in cyberspace.
The area where veterans are perhaps the most vulnerable is the health care sector. Nation-states, criminals, and hacktivists go after their personally identifiable information (PII), and some of the most robust and sensitive PII are medical records and insurance information.
We have seen Chinese cyber threat groups, in particular, search specifically for organizational charts and employee contact information on government networks. Government networks are not the only places with this sort of information. Notably, China was also behind the Anthem breach and the hack of the Office of Personnel Management, both in 2015. It is quite possible that China is cross-referencing those two massive databases to identify sensitive PII specifically on members of the U.S. military.
Just because veterans are no longer on active duty does not mean they automatically stop being targets. On the contrary, after years of military service, many veterans are well-connected.
If a nation-state manages to hack into a veteran’s personal email by drawing on PII to craft a believable spear-phishing email, that foreign government would quickly discover personal contacts who are military and former military.
Even more disturbing, terrorists are also interested in stealing veterans’ personal information. ISIS-affiliated hackers have published several “kill lists” with U.S. soldiers’ names and addresses listed. FireEye assesses that these hackers found this personal information on the Internet, without needing to hack into a network.
Unfortunately, data can be found in surprising places. A year and a half ago, 11 gigabytes of personal information about active military healthcare professionals were found on a subcontractor’s misconfigured, outward-facing server. When data like this is available, adversaries do not even need technical sophistication to steal valuable information.
Veterans have also fallen victim to non-targeted cyber intrusions. Cyber criminals routinely attempt to steal personal health records to sell on the dark web, given how valuable such records are. As an example of a non-targeted cyber attack, the Conficker worm infected 104 medical devices at a U.S. Department of Veterans Affairs (VA) hospital in Florida in 2012 simply because a vendor updated the devices with a thumb drive that, unknown to the vendor, had been infected.
As policymakers determine whether to privatize veterans’ health care and to what extent, cyber threat considerations should be at the forefront. Who is best equipped to safeguard veterans’ medical information? What are best practices for transferring medical records between providers?
Given the sheer number of veterans with PII housed in a wide range of medical facilities, there are many IT challenges. However, no problem has been too big for our veterans to tackle as they have fought adversaries on our behalf and defended our freedoms. Let us rise to the challenge and make securing their data a high priority. As veterans have protected us, it is now our turn to protect them.
Sarah Geary is an executive briefer at FireEye, providing FireEye executives weekly updates on cyber intelligence and briefing senior corporate and government clients worldwide. Prior to joining FireEye, Geary served nearly a decade in government, focusing mostly on strategic cyber threat analysis. She regularly briefed and wrote assessments for senior policymakers in the U.S. government on new cyber trends and their associated risks and opportunities.