North Korea-sponsored cyberattackers have targeted the healthcare sector with crippling ransomware, U.S. national security officials warned.
The cyberattackers have targeted healthcare organizations since at least May 2021 using Maui ransomware, according to a joint advisory from the FBI, Treasury and the Cybersecurity and Infrastructure Security Agency.
“North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services — including electronic health records services, diagnostics services, imaging services, and intranet services,” the agencies said. “In some cases, these incidents disrupted the services provided by the targeted [healthcare and public health] sector organizations for prolonged periods.”
The agencies did not know the initial access points that the cyberattackers used in the attacks.
Cybersecurity company Stairwell investigated Maui ransomware in June and said it discovered that unlike other ransomware services, Maui does not include an embedded ransom note with instructions for how victims may recover systems from the extortionists.
Stairwell principal reverse engineer Silas Cutler’s threat report on Maui said that the ransomware appeared to be manually operated to specify which files to encrypt in an attack, whereas other ransomware attackers may use automated means.
Mandiant intelligence vice president John Hultquist said his team spotted North Korean cyberattackers shifting targets from healthcare organizations to traditional diplomatic and military organizations, but the healthcare sector remains extremely vulnerable to extortion.
“Ransomware attacks against healthcare are an interesting development, in light of the focus these actors have made on this sector since the emergence of COVID-19,” Mr. Hultquist said in a statement. “It is not unusual for an actor to monetize access which may have been initially garnered as part of a cyber espionage campaign.”
The Biden administration’s new alert comes after an advisory in May saying that North Korea dispatched workers to infiltrate the tech sector to benefit the authoritarian country’s weapons and missile programs.
That alert noted that while the IT workers normally engage in routine information technology work they also “have used the privileged access gained as contractors to enable [Democratic People’s Republic of Korea’s] malicious cyber intrusions.”
Whether there is a connection between the warning on North Korean infiltrators and the cyberattacks on the healthcare sector is not fully known. Emsisoft threat analyst Brett Callow said a connection is possible.
“While I’m not aware of any evidence [directly] linking DPRK IT workers to ransomware attacks, it’s certainly something that could have happened,” Mr. Callow said in an email to The Washington Times. “Depending on their role, they could have the necessary access to deploy ransomware or to assist malicious actors to gain access to their employers’ network.”