The FBI, the Department of Health and Human Services (HHS), and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned Wednesday that cybercriminals were stepping up ransomware attacks on health sector groups as the organizations grappled with a new wave of COVID-19 cases.
"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," the agencies wrote in a joint alert.
The agencies warned that the cybercriminals behind the attacks were deploying Ryuk malware, a ransomware virus that was recently linked to an attack on a German hospital that crashed servers and led to the death of a woman who was unable to receive life-saving care.
The virus was also involved in an attack on Pennsylvania-headquartered hospital chain Universal Health Services, with all 250 of its U.S. healthcare facilities negatively impacted by a ransomware attack earlier this month.
Multiple hospitals and healthcare groups in the U.S. have been targeted this week, including three hospitals in New York’s St. Lawrence County and Sky Lakes Medical Center in Oregon, which the medical center confirmed in a Facebook post on Tuesday.
“Sky Lakes retail pharmacies and clinics are all open,” the medical center wrote in a Wednesday post. “With our computer system still compromised by the ransomware attack, business is functioning although slower.”
The three federal agencies noted Wednesday that they were "sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats."
Cybersecurity group FireEye released a report Wednesday night detailing the attacks, attributing them to an Eastern European group known as "UNC1878."
“The operators conducting these campaigns have actively targeted hospitals, retirement communities and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life,” FireEye threat researchers wrote in the report.
Reuters reported that the FBI was probing the recent attacks, while CyberScoop reported that the FBI, HHS, and DHS held a call with private sector groups on Wednesday to discuss the new cyber threats to U.S. hospitals and healthcare groups.
HHS and CISA did not respond to The Hill's request for comment on the call, while a spokesperson for the FBI declined to comment beyond the joint alert.
Charles Carmakal, the senior vice president and chief technology officer of FireEye’s Mandiant Threat Intelligence, said in a statement provided to The Hill that the UNC1878 threat group is “one of the most brazen, heartless, and disruptive threat actors I’ve observed in my career.”
“Ransomware attacks on our healthcare system may be the most dangerous cyber security threat we’ve ever seen in the United States,” Carmakal said. “UNC1878, an Eastern European criminal threat actor, is deliberately targeting and disrupting U.S. hospitals with ransomware, forcing them to divert patients to other healthcare providers. Patients may experience prolonged wait time to receive critical care.”
He noted that “multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase.”
Ransomware attacks have become an increasing concern to hospitals worldwide during the COVID-19 pandemic, with hackers looking to take advantage of cyber vulnerabilities at a time when hospitals are particularly desperate to ensure systems remain up and running.
Carmakal said Wednesday that Mandiant was “releasing a significant amount of information about UNC1878 to help organizations defend their networks” and mitigate cyber threats to these critical groups.