TimisoaraHackerTeam Ransomware Group Linked with Recent Attack on U.S. Cancer Center
An alarm has been sounded about a relatively unknown threat group called TimisoaraHackerTeam following a recent attack on a U.S. medical facility. TimisoaraHackerTeam is believed to be a financially motivated threat group which, in contrast to many cybercriminal and ransomware groups, has no qualms about attacking the healthcare and public health (HPH) sector. The group appears to actively target HPH sector organizations, mainly large ones. It was first identified in July 2018 but has largely stayed under the radar since.
According to the Healthcare Sector Cybersecurity Coordination Center (HC3), which issued the alert on June 16, the group has resurfaced and conducted a June 2023 ransomware attack on a U.S. cancer center which rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients.
The group exploits known vulnerabilities to gain initial access to HPH sector networks, then escalates privileges, moves laterally, and encrypts data. Rather than deploying custom ransomware, the group uses Microsoft’s native disk encryption tool, BitLocker, along with Jetico’s commercial BestCrypt. Because both are legitimate tools that are already present or easily installed on Windows systems, their execution is far less likely to be blocked or flagged by security solutions than a malicious encryptor would be. Previous attacks loosely attributed to TimisoaraHackerTeam include an April 2021 attack on a French hospital that involved similar living-off-the-land tactics, and an attack on Hillel Yaffe Medical Center in Israel, which resulted in the cancellation of non-urgent procedures and forced the medical center to switch to alternative systems to continue to provide patient care.
According to the cybersecurity firm Varonis, the attack on Hillel Yaffe Medical Center in Israel is thought to have involved the exploitation of a known but unpatched vulnerability in the Pulse Secure VPN, with the hackers then using living-off-the-land techniques for the later stages of the attack to evade security solutions. Varonis notes that reports of attacks by TimisoaraHackerTeam mostly date to 2018. While it is possible that the group has resurfaced, Varonis suggests that the DeepBlueMagic threat group may be an evolution of TimisoaraHackerTeam, or that DeepBlueMagic may simply have adopted the same tactics. The same tactics have also been used by hackers in China in attacks attributed to the Advanced Persistent Threat group tracked as APT41, although it is unclear to what extent, if any, these threat actors are linked.
In addition to exploiting Pulse Secure VPN vulnerabilities, TimisoaraHackerTeam has targeted vulnerabilities in Microsoft Exchange Server and Fortinet firewalls, and uses poorly configured Remote Desktop Protocol (RDP) to move laterally within networks. The recent attack on the cancer center serves as a warning that the group is still active. Network defenders should patch the VPN, Exchange and firewall products named above, restrict and monitor internal RDP use, and improve monitoring for the use of legitimate encryption tools such as BitLocker and BestCrypt on systems where they are not expected, since the group’s reliance on these tools means a conventional ransomware signature will not fire. Further details on the group and its tactics, techniques, and procedures can be found in the HC3 HPH Sector Cybersecurity Notification.
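Because the group encrypts with BitLocker and BestCrypt instead of a custom binary, detection has to key on how those legitimate tools are invoked rather than on a malware signature. The following is an added example written for this article, not code from HC3, Varonis or the page itself. It runs simple process-creation rules over a handful of constructed Sysmon/Security 4688-style events: BitLocker being enabled, recovery protectors being deleted or forced, the PowerShell BitLocker cmdlets, and any process launched from a Jetico/BestCrypt install path. The allowlist of accounts permitted to enable BitLocker, the host and user names, and the BestCrypt binary name `bcve.exe` are all assumptions made for the example; adjust them to your own environment.

```python
"""
Constructed detection example: flag process-creation events that indicate
BitLocker or BestCrypt being turned against a host. The sample events below
are synthetic, modelled loosely on Sysmon Event ID 1 / Security 4688 fields.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical allowlist of accounts that legitimately enable BitLocker
# (e.g. an MDM service or an imaging account). Assumption for this example.
ALLOWED_ENCRYPTION_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc-imaging"}

# Rules: (name, regex over the image path, optional regex over the command line)
RULES: List[Tuple[str, str, Optional[str]]] = [
    ("bitlocker_enable", r"(?i)manage-bde\.exe$", r"(?i)\s-on\s"),
    ("bitlocker_protector_delete", r"(?i)manage-bde\.exe$", r"(?i)-protectors\s+-delete"),
    ("bitlocker_force_recovery", r"(?i)manage-bde\.exe$", r"(?i)\s-forcerecovery\b"),
    ("bitlocker_ps_cmdlet", r"(?i)(powershell|pwsh)(\.exe)?$",
     r"(?i)Enable-BitLocker|Add-BitLockerKeyProtector|Remove-BitLockerKeyProtector"),
    # Any process started from a Jetico/BestCrypt install path; the exact
    # binary name is not asserted because it is not known from the article.
    ("bestcrypt_binary", r"(?i)(jetico|bestcrypt)", None),
]

# Constructed sample events (JSON lines). Host, user and path values are made up.
SAMPLE_EVENTS = r"""
{"host":"WS-0412","user":"CORP\\svc-imaging","image":"C:\\Windows\\System32\\manage-bde.exe","cmdline":"manage-bde.exe -on C: -RecoveryPassword -UsedSpaceOnly"}
{"host":"SRV-FS01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\manage-bde.exe","cmdline":"manage-bde.exe -status E:"}
{"host":"SRV-FS01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\manage-bde.exe","cmdline":"manage-bde.exe -on E: -RecoveryPassword -UsedSpaceOnly"}
{"host":"SRV-FS01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\manage-bde.exe","cmdline":"manage-bde.exe -protectors -delete E: -type RecoveryPassword"}
{"host":"SRV-FS01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\manage-bde.exe","cmdline":"manage-bde.exe -forcerecovery E:"}
{"host":"SRV-DB02","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -c \"Enable-BitLocker -MountPoint D: -PasswordProtector -Password $p\""}
{"host":"SRV-DB02","user":"CORP\\jdoe","image":"C:\\Program Files\\Jetico\\BestCrypt Volume Encryption\\bcve.exe","cmdline":"bcve.exe"}
{"host":"WS-0091","user":"CORP\\asmith","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
"""


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def analyze(events_jsonl: str) -> List[Finding]:
    """Apply RULES to each event; suppress expected BitLocker deployment noise."""
    findings: List[Finding] = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
        for name, image_re, cmd_re in RULES:
            if not re.search(image_re, image):
                continue
            if cmd_re and not re.search(cmd_re, cmdline):
                continue
            # Enabling BitLocker is normal for the deployment account only.
            if name == "bitlocker_enable" and ev.get("user") in ALLOWED_ENCRYPTION_ACCOUNTS:
                continue
            findings.append(Finding(ev["host"], ev["user"], name, cmdline))
    return findings


def correlate(findings: List[Finding]) -> Set[str]:
    """Hosts where two or more distinct rules fired: encryption plus protector
    tampering on one machine looks like impact, not a rollout."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
        # e.g. SRV-FS01 -> {enable, protector_delete, force_recovery}
    return {h for h, rules in by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:9} {f.user:17} {f.rule:28} {f.cmdline}")
    print("hosts with multi-rule activity:", sorted(correlate(hits)))
```

In a real deployment these rules would sit in the SIEM or EDR rather than a script, and the allowlist would be replaced by whatever actually enables BitLocker in your fleet (MDM, imaging, a GPO-driven scheduled task). The key point the example shows is that `manage-bde -status` style queries are harmless, that enablement by the expected account is noise, and that the combination of enablement, protector deletion and forced recovery on a single host within one session is the pattern worth paging on.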