Shields Up: Russia/Ukraine Cyberwar Preparation & Response for Healthcare
Published On March 1, 2022
Blog Post by Brian Selfridge, Meditology Services Leadership
Healthcare organizations are scrambling to adjust their cybersecurity preparation and response capabilities in the wake of potential cyberattacks stemming from the ongoing conflict between Russia and Ukraine.
“Russia’s unprovoked attack on Ukraine, which has involved cyberattacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization - large and small - must be prepared to respond to disruptive cyber activity.” - U.S. Cybersecurity and Infrastructure Security Agency (CISA)
Meditology has been monitoring the situation closely and advising our healthcare clients on the latest threat vectors and response approaches. This blog post provides guidance for US-based healthcare entities for preparing and responding to cyberattacks and cyberwar tactics deployed as part of this ongoing conflict.
Russia-Ukraine Cyberwar Overview
Russia’s attack on Ukraine has included a barrage of cyberattacks that could cause targeted or collateral damage across many industries, including healthcare. Cyberattacks stemming from this conflict are likely to impact organizations and the software supply chain both within and outside of Eastern Europe.
Healthcare entities in the U.S. are already facing a barrage of ransomware attacks stemming from Russian and Eastern European sources that specifically target healthcare organizations. Refer to the following resources for more information on these attacks:
- Case Study: Ransomware Locks Up 80% of 54-Hospital Health System
- Your Health Held Hostage: What Ransomware Means for Patients
- Urgent Bulletin: FBI Alert on Imminent Ransomware Attack on U.S. Hospitals
- Webinar Replay: Healthcare’s Response to a ‘Credible and Imminent’ Ransomware Attack
- Podcast: The Rising Stakes of Ransomware During the Global Pandemic
In addition to direct attacks, many of healthcare’s third-party and fourth-party vendors have assets in the region and could be impacted by the escalation of cyberattacks.
Counter-attacks from hacktivists and other entities could also escalate collateral cyber damage. The hacktivist collective Anonymous has been active in defending Ukrainian cyber assets and conducting offensive attacks against Russian assets. Another hacktivist group, the Cyber Partisans, has also been active in Ukraine’s cyber defense.
Healthcare entities must be vigilant in preparing for and responding to cyberattacks. The following sections of this blog provide more intelligence on specific threat actors and methods, as well as recommendations for healthcare organizations to prepare for and respond to attacks.
Russia’s Cyberwar Capabilities & Attack Methods
Russia has launched a wide range of cyberattacks targeting Ukraine including destructive malware, DDoS, phishing, brute-force, defacement, and ransomware attacks.
Microsoft Threat Intelligence Center (MSTIC) and other threat intelligence sources have disclosed that the WhisperGate destructive malware is actively being used to target organizations in Ukraine and beyond.
The HermeticWiper malware is also in active use; it corrupts the boot records and partitions of infected machines, causing boot failure and rendering systems inoperable. The HHS Health Sector Cybersecurity Coordination Center (HC3) urged healthcare organizations to remain on high alert due to the destructive nature of HermeticWiper malware.
Recent CISA and FBI advisories have noted that “destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access.” The advisories further state that “the malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems.” 
The cybersecurity firm Mandiant has also completed extensive and ongoing analysis of Russia’s cyberattack groups and capabilities. Groups linked to the Kremlin serve multiple functions, including general espionage as well as offensive and disruptive cyberattack capabilities. Mandiant notes that three Russian teams in particular are focused on disruptive cyberattacks: Sandworm, TEMP.Isotope, and TEMP.Veles.
Targeting from these Russian groups focuses on the software supply chain (e.g. SolarWinds), strategic web compromises, and direct targeting of organizations. The attack types employed range from gaining initial access and holding it for future exploitation of assets, to wiping or destroying target systems, to deploying ransomware or fake ransomware.
CISA has also released details about a new malware called Cyclops Blink that targets network devices and is being used by the Russian Sandworm threat actor. The Cyclops Blink malware collects device information and sends it to a command and control server; it is capable of downloading and executing files, and of pulling down more code or exploits at a later time.
Some independent researchers have located web services hosting cloned copies of a number of Ukrainian government websites. For example, the main webpage of Ukraine’s Office of the President is reportedly booby-trapped with malware.  The cloned version of this website was modified to contain a clickable ‘Support the President’ campaign that, once clicked, downloads a package of malware to the user’s computer.
Analysis of Darknet Cyberwar Activity
A leading threat intelligence provider, DarkOwl, has provided insights and analysis into dark web discussions and data exchanges related to the Russian attack on Ukraine.  DarkOwl compiled and reviewed Ukraine-related data on popular deep web forums.
According to DarkOwl, several Ukrainian government networks were compromised during a series of cyberattacks in January of this year. The WhisperGate destructive malware (discussed earlier in this blog) was deployed in these instances.
Within hours of Russia’s initial cyberattacks against Ukraine in January, data described as originating from the Ukrainian government appeared on forums across the darknet and deep web.
Many of the leaked archives of data were created within a few hours of the attacks, but there are no indications that they were directly obtained as a result of the January attacks.
Multiple Ukrainian government, non-profit, and Information Technology organizations experienced cyberattacks and website defacements. Attackers used a ransomware-style malware as the primary attack vector. Ominous messages were posted in Ukrainian, Polish, and Russian:
“UKRAINIANS! ALL YOUR PERSONAL DATA WAS UPLOADED TO THE INTERNET. ALL DATA ON THE COMPUTER IS BEING DESTROYED. ALL INFORMATION ABOUT YOU BECAME PUBLIC. BE AFRAID AND EXPECT THE WORST.”
[Image not reproduced. Image source: DarkOwl]
One of the leaked databases was a healthcare database called medstar.sql. Medstar is a commercial cloud-based ‘digital-medicine provider’ with telemedicine, prescription, medical imaging, and laboratory medical services in Ukraine.
Another database contained information from a mobile app with official documents of citizens, although information for only 77 individuals was made available in the dark web database.
[Image not reproduced. Image source: DarkOwl]
It is important to note that DarkOwl stated that “there is no evidence to conclude any of the recently shared data was sourced during the mid-January cyberattacks.” They also noted that the mid-January website defacements appeared to be a Russian-sourced false flag operation intended to incriminate Poland in the Ukraine hacks. The Polish translation used in the attack was determined to be from a non-native speaker and was likely generated with Google Translate.
It should be noted that Ukraine has officially attributed these defacement attacks to a threat group operating out of Belarus, tracked as UNC1151.
Recommendations for Healthcare CISOs and CEOs
The American Hospital Association (AHA) has issued guidance for healthcare organizations about the growing cyber threat from rising geopolitical tensions. AHA said that “hospitals and health systems may become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. health care entities.” 
As a result, healthcare organizations must heighten alerting and preparations for attacks on their infrastructure and supporting IT systems and applications. Healthcare entities must also defend against risks associated with third-party vendors and the software supply chain. Approaches for protecting the supply chain include identifying potential targets in the vendor portfolio, identifying which vendors are susceptible to these latest attack vectors, and monitoring the resilience capabilities of vendors.
Guidance from the CISA, FBI, & NSA
The U.S. federal government has issued a series of guidance materials to help organizations prepare and defend against rising cyberattacks during this conflict. The guidance is aimed at reducing the likelihood of a damaging cyber intrusion. 
Specific recommendations for healthcare entities include:
- Validate MFA is in place for remote and privileged access
- Ensure software is up to date
- Disable unnecessary ports and protocols
- Validate cloud security configurations are aligned with industry best practices*
Contact Meditology to learn more about leading practices and services for securing cloud configurations. We offer a range of cloud security services including cloud risk assessments, penetration testing, cloud security strategic planning, implementation validation and consulting, API assessments, and more.
The CISA also recommends taking steps to quickly detect a potential intrusion including:
- Enabling logging
- Focusing cybersecurity and IT personnel on monitoring activities
- Confirming anti-malware software is applied across all systems
- Monitoring and inspecting any traffic coming from Russia or Ukraine and reviewing access controls for any related traffic
Guidance also includes ensuring that the organization is prepared to respond if an intrusion occurs including:
- Designating a crisis response team
- Identifying points of contact for technology, communications, legal and business continuity resources
- Ensuring availability of staff and providing a means to handle surge support for incident response
- Conducting routine tabletop exercises
The CISA has also weighed in on ways that healthcare entities can maximize the organization's resilience to a destructive cyber incident including testing backup procedures for critical data and systems and isolating backups from network connections.
The U.S. federal government urges CEOs and leaders to empower Chief Information Security Officers during this crisis. Organizations are advised to lower reporting thresholds to identify, capture, and respond to attacks or abnormal network activity. Healthcare organizations are further advised to focus on business continuity processes and capabilities and to “plan for the worst”.
Refer to the following resources for additional guidance on business continuity and incident response planning:
- Infographic: The Secret Sauce for Cybersecurity Incident Response
- Podcast: In the Eye of the Hurricane: Business Continuity and Emergency Preparedness
- Podcast: People Get Ready, Cyber Incidents are Coming
- Blog Post: The Show Must Go On | Maintaining Continuity for InfoSec in a Crisis
The CISA has also issued an alert to specifically protect against destructive malware like the WhisperGate and HermeticWiper malware used in Russia’s latest attacks against Ukrainian assets. 
CISA alert AA22-057A, Destructive Malware Targeting Organizations in Ukraine, recommends that organizations:
- Establish network segmentation and ACLs
- Put network and storage devices on restricted VLANs
- Require Multi-factor Authentication (MFA) for remote and privileged access
- Restrict the “Everyone”, “Domain Users”, and “Authenticated Users” groups
- Restrict service accounts including denying access to network shares and prohibiting local or interactive logons
- Log and monitor network flow, detect port scanning, and detect network configuration changes
- Stagger automated patching schedules, so that a hijacked patch-deployment system cannot push malware to every host at once
- Harden systems with patching, scanning, and best practice OS configurations
- Perform a Business Impact Analysis (BIA)
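Two of the detection items above, the “monitor and inspect traffic from Russia or Ukraine” recommendation in the CISA checklist and the “log and monitor network flow, detect port scanning” item in AA22-057A, are things a SOC can implement against exported flow logs without any new tooling. The following script is an added example written for this post, not code from CISA, Meditology, or any vendor named here. It runs over a constructed set of flow records (synthetic, not captured from any real network), flags vertical fan-out (one source probing many ports on one host) and horizontal fan-out (one source probing one port across many hosts) within a tumbling time window, and separately pulls out flows whose source falls inside a watch list of network ranges. The watch list uses RFC 5737 documentation prefixes as placeholders; in practice it would be populated from the organization’s threat-intelligence or geo-IP feed, and the thresholds are assumptions to be tuned to the environment.

```python
"""Flow-log triage: port-scan fan-out and watch-listed source ranges.

Added example for illustration; the flow records below are constructed,
not real captures, and the thresholds are assumptions to tune per network.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, one flow per line: timestamp src dst dport proto.
SAMPLE_FLOWS = """\
2022-02-28T02:00:01Z 10.20.30.40 10.20.5.10 22 tcp
2022-02-28T02:00:02Z 10.20.30.40 10.20.5.10 23 tcp
2022-02-28T02:00:02Z 10.20.30.40 10.20.5.10 80 tcp
2022-02-28T02:00:03Z 10.20.30.40 10.20.5.10 135 tcp
2022-02-28T02:00:03Z 10.20.30.40 10.20.5.10 139 tcp
2022-02-28T02:00:04Z 10.20.30.40 10.20.5.10 443 tcp
2022-02-28T02:00:04Z 10.20.30.40 10.20.5.10 445 tcp
2022-02-28T02:00:05Z 10.20.30.40 10.20.5.10 3389 tcp
2022-02-28T02:00:05Z 10.20.30.40 10.20.5.10 5985 tcp
2022-02-28T02:00:06Z 10.20.30.40 10.20.5.10 8080 tcp
2022-02-28T02:01:10Z 10.20.30.41 10.20.5.11 445 tcp
2022-02-28T02:01:10Z 10.20.30.41 10.20.5.12 445 tcp
2022-02-28T02:01:11Z 10.20.30.41 10.20.5.13 445 tcp
2022-02-28T02:01:11Z 10.20.30.41 10.20.5.14 445 tcp
2022-02-28T02:01:12Z 10.20.30.41 10.20.5.15 445 tcp
2022-02-28T02:01:12Z 10.20.30.41 10.20.5.16 445 tcp
2022-02-28T02:01:13Z 10.20.30.41 10.20.5.17 445 tcp
2022-02-28T02:01:13Z 10.20.30.41 10.20.5.18 445 tcp
2022-02-28T02:02:00Z 203.0.113.7 10.20.5.10 443 tcp
2022-02-28T02:02:30Z 10.20.30.50 10.20.5.10 443 tcp
2022-02-28T02:02:31Z 10.20.30.50 10.20.5.10 80 tcp
"""

# Placeholder watch list (RFC 5737 documentation ranges); replace with the
# organization's threat-intel or geo-IP feed. Not real country allocations.
WATCHLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed thresholds: distinct ports to one host, distinct hosts on one port,
# and the tumbling window both are counted over.
VERTICAL_PORTS = 8
HORIZONTAL_HOSTS = 6
WINDOW_SECONDS = 60


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({
            "ts": when,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        })
    return flows


def _window(flow):
    # Tumbling window index; flows in the same window are counted together.
    return int(flow["ts"].timestamp()) // WINDOW_SECONDS


def detect_port_scans(flows):
    """Return (kind, src, target, count) findings for vertical and horizontal fan-out."""
    vertical = defaultdict(set)    # (window, src, dst)   -> distinct dst ports
    horizontal = defaultdict(set)  # (window, src, dport) -> distinct dst hosts
    for f in flows:
        w = _window(f)
        vertical[(w, f["src"], f["dst"])].add(f["dport"])
        horizontal[(w, f["src"], f["dport"])].add(f["dst"])
    findings = []
    for (_, src, dst), ports in vertical.items():
        if len(ports) >= VERTICAL_PORTS:
            findings.append(("vertical_scan", str(src), str(dst), len(ports)))
    for (_, src, dport), hosts in horizontal.items():
        if len(hosts) >= HORIZONTAL_HOSTS:
            findings.append(("horizontal_scan", str(src), dport, len(hosts)))
    return findings


def flows_from_watchlist(flows, watchlist=WATCHLIST):
    """Flows whose source address falls inside any watch-listed network."""
    return [f for f in flows if any(f["src"] in net for net in watchlist)]


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for finding in detect_port_scans(parsed):
        print("SCAN", finding)
    for f in flows_from_watchlist(parsed):
        print("WATCHLIST", f["src"], "->", f["dst"], f["dport"])
```

On the sample data the vertical detector fires on 10.20.30.40 (ten distinct ports on one host in one window), the horizontal detector fires on 10.20.30.41 (port 445 against eight hosts), and the watch-list check returns the single flow from 203.0.113.7; the normal two-port client 10.20.30.50 stays below both thresholds. The tumbling window is deliberately simple: a scanner that straddles a window boundary can split its fan-out across two buckets, so production logic should either use a sliding window or lower the threshold accordingly, and watch-list hits should be reviewed against the access controls on the destination rather than blocked blindly.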
Cyberattacks stemming from the Russian invasion of Ukraine are likely to continue for some time as the conflict escalates and evolves into the summer and beyond.
Healthcare organizations must continue to make proactive investments in cybersecurity defense and response capabilities. Organizations must maintain a heightened state of readiness to combat the growing threats of ransomware and the potential for escalations in cyber warfare in the months ahead.