Hundreds of American hospitals are being targeted by cyberattacks from the same Russian hackers whom American officials and researchers fear will wreak havoc around next week’s election.
Attacks on US hospitals, clinics and medical complexes are aimed at taking these facilities offline and keeping their data hostage in exchange for multi-million dollar ransom payments, just as coronavirus cases are climbing in the United States.
“We expect panic,” a hacker involved in the attacks said in Russian in a private exchange on Monday that was captured by Hold Security, a security firm that tracks criminals online.
Some hospitals in New York State and on the West Coast have reported cyberattacks in recent days, although it is not clear whether they were part of the same campaign, and hospital officials have pointed out that critical patient care was not affected.
The Russian hackers, believed to be based in Moscow and St. Petersburg, have traded a list of more than 400 hospitals they plan to target, according to Alex Holden, the founder of Hold Security, who shared the information with the FBI. Mr Holden said the hackers claimed to have infected more than 30 of them already.
On Wednesday, three government agencies – the FBI, the Department of Health and Human Services, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency – warned hospital administrators and security researchers of a “credible threat” of cyberattacks on US hospitals, according to a security official who listened to the briefing.
Officials and researchers have not named the hospitals affected, but the Sonoma Valley Hospital in California said it was still trying to restore its computer systems after a breach last week. The St. Lawrence Health System in New York has confirmed that two of its hospitals, Canton-Potsdam and Gouverneur, were hit by ransomware attacks on Tuesday morning that forced them to shut down computer systems and divert ambulances. Sky Lakes Medical Center in Oregon was also crippled by a ransomware attack on Tuesday that froze electronic medical records and delayed surgeries, a hospital representative said.
Employees at that hospital in Klamath Falls, Ore., were told, “If it’s a PC, shut it down,” said Thomas Hottman, public information manager at Sky Lakes.
It was not clear whether these attacks were related to the ongoing hacking campaign. But the latest breaches were linked to the same Russian hackers who held Universal Health Services, a giant network of more than 400 hospitals, hostage with ransomware last month in what was then considered the biggest medical cyberattack of its kind.
The hackers are also the same group behind TrickBot, a vast conduit for ransomware attacks that government hackers and technology companies have targeted in two takedowns over the past month.
In late September, United States Cyber Command began hacking TrickBot’s infrastructure in an attempt to disable it before the election. Microsoft also began removing TrickBot servers through federal court orders over the past month. According to officials and executives, the goal of both efforts was to prevent election-related ransomware attacks that could disrupt the vote or create delays that would undermine confidence in the election.
But researchers said the takedowns had an unintended effect: cutting off security researchers’ visibility into the hackers. “The challenge here is that due to the takedown attempts, the TrickBot infrastructure has changed and we don’t have the same telemetry that we had before,” Holden said.
The latest campaign on US hospitals suggests that the developers of TrickBot are not discouraged. It also shows that they are moving towards different hacking methods and tools.
“They don’t need TrickBot because they have a whole arsenal of other tools they can use,” said Kimberly Goody, an analyst at Mandiant, a division of the digital security firm FireEye.
Ms Goody said the tools used in the latest attacks on hospitals first appeared in April and were not as well known, which made them more effective.
It was not clear whether the latest attacks on hospitals were in retaliation for the TrickBot takedowns. Microsoft said it has taken more than 90% of TrickBot’s servers offline.
Mr Holden described the group as a “wounded animal” and said the latest attacks were not as well planned as the previous ones. They were also a notable departure from an agreement between ransomware groups in March not to target hospitals due to the coronavirus pandemic, he said.
“We now have more sick people in this country than we had in March and April,” Holden said. “It’s wrong.”
By targeting hospitals now, Ms. Goody said, the hackers “were showing a clear contempt for human life.”
The hackers have also demanded higher ransoms from hospitals than in previous attacks. In an attack on an unnamed private clinic, Mr Holden said, the hackers held systems hostage for the Bitcoin equivalent of more than $5 million, more than double the typical ransom the group had demanded months earlier.
The hackers, Mr Holden said, used to base these demands on an old Russian formula, charging 10% of a victim’s annual income.
“There is an old Russian tradition of giving 10% of annual income to the church,” he said. “This is the way hackers do the same.”
Reed Abelson contributed reporting.