Saturday, October 31, 2020

Corona Daily 281: This is not a Drill. You are Under Attack.


This week, ransomware hackers started their attacks on American hospitals.

Wiser after the 2016 experience, the USA was worried about hackers attacking the November elections. Trickbot is a computer virus, popular with top class hackers. The attacker can encrypt files, corrupt or lock data, and stop computers from functioning. Then the hacker asks for a ransom to restore access. This could be used to disrupt elections and to distort or delay results.

Keeping that in mind, in September, Microsoft started disabling Trickbot servers. To its surprise, Microsoft found the US Cyber Command doing the same. (The two could have coordinated and made the operation more efficient.) Microsoft said more than 90% of Trickbot servers were taken offline.

*****

This was like building a fence to prevent a burglar from entering your house. Unfortunately, when you build a fence, it also hides the burglar on the other side. By disabling the Trickbot servers, the cyber-detectives were no longer able to observe the hackers’ activity. It is not known whether the hackers behaved like wounded animals and attacked the hospitals in retaliation, or whether they were simply too desperate. There are limits to how low terrorists or crooks can go. Many hijackers let women and children go before holding men hostage. Reportedly, in March, there was a “gentleman’s agreement” among hackers not to attack hospitals during the pandemic. That promise was broken this week.

*****

Healthcare hardware such as MRI machines, ventilators and microscopes is actually made up of computers. Like our laptops, these devices come with software that needs to be supported, updated and protected. Out of inertia, many hospitals continue running old software, which leaves the machines vulnerable to hackers’ attacks. Such medical devices are dangerous for patients. In September, a ransomware attack on a German hospital resulted in the death of a woman seeking emergency treatment.

*****

As usual, Russian hackers are named as the prime suspects.

Earlier this month, the UK confirmed the Russian attempts to disrupt the 2018 Winter Olympics as well as the 2020 Tokyo Olympics. The alleged organizer was GRU unit 74455. The GRU is Russia’s foreign military intelligence agency. On Monday, 19 October, the USA indicted six Russian military intelligence officers for the Olympic plan as well as for attacking a Pennsylvania hospital with the “NotPetya” malware. Colloquially known as the “Sandworm team”, the GRU hackers work from “the Tower”, the GRU head office in Moscow.

The US justice department in its 50-page indictment estimated the total worldwide damage by “NotPetya” to be more than $10 billion, inflicted on 300+ victims.

*****

This week’s affected hospitals have not been officially named by the US government. However, Sonoma Valley Hospital (California), two hospitals of the St. Lawrence Health System (New York) and Sky Lakes Medical Center (Oregon) announced they were crippled by the cyberattacks. Computer systems had to be shut down, ambulances diverted, surgeries delayed, and several medical records were no longer available.

Hold Security, a company that tracks online criminals, reports one hacker saying “we expect panic” in Russian. Reportedly, the ransom rates have gone much higher, in one case to more than $5 million in bitcoins. (My article on bitcoins, if you don’t know what that means.) Alex Holden, the founder of Hold Security, said hackers use the traditional Russian formula of charging 10% of a victim’s annual revenue. (In the old days, that percentage was donated to the church.)

*****

Reports say the hackers plan to attack hundreds of American hospitals while America is busy with the elections and their aftermath. Unless urgent countermeasures are taken, the hospitals will not know which virus to deal with.

Ravi