The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare and Financial Services Remain Top Targets for Cyber Threat Actors

Healthcare and financial services were the two most attacked industries, according to BlackBerry’s latest Global Threat Intelligence Report. The data for the report was collected from March to May 2023 from BlackBerry’s cybersecurity solutions, which blocked more than 1.5 million attacks, a rate of around 11.5 attacks per minute, and detected 1.7 novel malware samples per minute, a 13% increase from the previous reporting period.

During the reporting period, BlackBerry detected 13,433 unique malware binaries and prevented more than 109,922 distinct attacks across the wider healthcare sector. Ransomware and information-stealing malware were highly prevalent. The RedLine information stealer and the Amadey bot were among the most regularly blocked threats. Amadey has information-stealing capabilities and is often used to perform reconnaissance before downloading additional malicious payloads. The Emotet, IcedID, and SmokeLoader malware families were also used extensively in attacks on the sector; all three have information-stealing capabilities and can download additional malware payloads.

The healthcare industry continues to be a highly attractive target for financially motivated threat groups because of the volume of sensitive data stored by healthcare organizations, the ease of monetizing that data, and the sector’s reliance on access to data and computer systems to provide critical services.

It is not only financially motivated cybercriminal groups that are attacking the healthcare industry. State-sponsored threat actors are breaching healthcare defenses and stealing confidential medical data, and cyber threat groups have targeted the sector in retaliation for the U.S. providing support for Ukraine. The RomCom group, for example, targeted U.S. medical groups providing humanitarian aid to Ukrainian refugees.


Two advanced persistent threat (APT) groups were highly active during the reporting period: APT28 (aka Sofacy/Fancy Bear) and Lazarus Group (aka Labyrinth Chollima, Hidden Cobra, Guardians of Peace, Zinc, and Nickel Academy). APT28 is a highly skilled cyber espionage group thought to operate on behalf of the Russian government and Lazarus Group is thought to be a North Korean state-sponsored threat actor.

Attacks on government and public sector services were up 40% on the previous reporting period, with 55,000 attacks on public sector organizations blocked during the 90-day reporting period. Ransomware groups such as LockBit, Royal, BlackCat/ALPHV, and Clop were highly active, accounting for a large percentage of the attacks on city, state, and government systems and public sector organizations. These attacks included the LockBit ransomware attack on the City of Oakland, CA; BlackByte’s Royal ransomware attacks on the cities of Dallas, TX, and Augusta, GA; and the Clop group’s mass exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer solution.

Some of the most common tools used by threat actors include AdFind for harvesting information from Active Directory (AD), Mimikatz for credential theft, Cobalt Strike as an attack framework, and Extreme RAT for remote access, malware delivery, and espionage. The most common malware families detected and blocked across all industry sectors were droppers/downloaders such as Emotet, PrivateLoader, and SmokeLoader; information stealers such as RedLine, Raccoon Stealer, Vidar, and IcedID; and remote access Trojans such as Agent Tesla. BlackBerry’s telemetry shows a 13% increase in unique malware samples, indicating that threat actors are diversifying their tooling when compiling their malware. While the underlying malware is similar, each compilation produces a different hash for what is functionally the same sample, which defeats the simple hash-based feeds and filters relied on by more traditional security operations centers.
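The report’s point about recompilation defeating hash feeds is easy to see in code. The following is an added example, not code from BlackBerry or the HIPAA Journal: it builds a constructed stand-in for a malware family (a fixed 2 KiB core plus a build-specific trailer, placeholder bytes rather than any real binary), shows that a SHA-256 blocklist keyed on the first build misses every later build, and contrasts that with a simple byte-shingle Jaccard similarity that still recognizes the family. The shingling here is a deliberately minimal stand-in for production similarity hashes such as ssdeep or TLSH; the `family-x` label, the 0.9 threshold and the helper names are all assumptions made for the example.

```python
import hashlib
from typing import Dict, Set


def _pseudo_random_bytes(label: bytes, length: int) -> bytes:
    """Deterministic filler derived from SHA-256 so the example runs offline."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed stand-in for the code a malware family shares across builds.
# Placeholder data only; this is not a real executable.
FAMILY_CORE = b"MZ\x90\x00" + _pseudo_random_bytes(b"family-core", 2048)


def build_sample(build_id: int) -> bytes:
    """Simulate one recompilation: identical core, build-specific trailer."""
    trailer = build_id.to_bytes(4, "little") + b"\x00" * (build_id % 7)
    return FAMILY_CORE + trailer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = 8) -> Set[bytes]:
    """Set of every overlapping n-byte window; small edits change only a few windows."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


# The "feed": the exact hash of the one build that was observed and shared.
BLOCKLIST_HASHES: Set[str] = {sha256_hex(build_sample(1))}

# The similarity store: a shingle digest of that same observed build.
FAMILY_DIGESTS: Dict[str, Set[bytes]] = {"family-x": shingles(build_sample(1))}


def exact_hash_match(sample: bytes) -> bool:
    """Traditional IoC check: is this exact file hash on the blocklist?"""
    return sha256_hex(sample) in BLOCKLIST_HASHES


def similarity_score(sample: bytes) -> float:
    """Best Jaccard similarity of the sample against every known family digest."""
    digest = shingles(sample)
    return max(jaccard(digest, known) for known in FAMILY_DIGESTS.values())


def similarity_match(sample: bytes, threshold: float = 0.9) -> bool:
    """Family-level check that survives a rebuild with a different trailer."""
    return similarity_score(sample) >= threshold


if __name__ == "__main__":
    for build in (1, 2, 3):
        s = build_sample(build)
        print(build, sha256_hex(s)[:16], exact_hash_match(s),
              round(similarity_score(s), 3))
```

Only build 1 is caught by the exact hash; builds 2 and 3 have new hashes yet score above 0.99 on similarity because every window inside the shared core is unchanged. The practical takeaway matches the report: hash feeds remain useful for the sample you have already seen, but family-level detection needs similarity digests, import or section hashes, or behavioural telemetry rather than file hashes alone.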

BlackBerry predicts that the number of attacks on the healthcare industry will continue to increase and recommends prioritizing detection of the tactics used most frequently in these attacks: discovery and defense evasion. Learning the tactics, techniques, and procedures used by threat groups can help network defenders significantly reduce the impact of attacks and will aid their threat hunting, incident response, and recovery efforts.
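To make the recommendation concrete, here is an added threat-hunting example, not part of the original article or of any BlackBerry product: it runs a small rule set over constructed process-creation events, flags the discovery and credential-theft tools the report names (AdFind and Mimikatz), and escalates a host when a discovery hit is followed within a short window by credential access, the reconnaissance-then-payload sequence the article describes for Amadey. The event schema, hostnames, user names, file paths, the 30-minute window and the tactic labels are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Detection rules: (tactic label, pattern searched in image path plus command line).
# Only tool names that the report itself lists are used here.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("discovery", re.compile(r"\badfind\b", re.I)),
    ("credential-access", re.compile(r"\bmimikatz\b", re.I)),
]

# Constructed process-creation events (assumed schema; hosts, users and paths are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2023-04-12T09:00:00", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2023-04-12T09:03:10", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe", "cmdline": "adfind.exe -sc computers_active"},
    {"ts": "2023-04-12T09:07:45", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"ts": "2023-04-12T10:30:00", "host": "SRV-DB01", "user": "svc_backup",
     "image": r"C:\Program Files\Backup\agent.exe", "cmdline": "agent.exe --schedule nightly"},
    {"ts": "2023-04-13T14:00:00", "host": "WS-0077", "user": "asmith",
     "image": r"C:\Tools\AdFind.exe", "cmdline": "AdFind.exe -sc computers_active"},
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return every tactic whose tool pattern appears in the image path or command line."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [tactic for tactic, pattern in RULES if pattern.search(haystack)]


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group rule hits per host in time order: host -> [(timestamp, tactic), ...]."""
    hits: Dict[str, List[Tuple[datetime, str]]] = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        for tactic in match_event(event):
            hits.setdefault(event["host"], []).append(
                (datetime.fromisoformat(event["ts"]), tactic))
    return hits


def escalate(hits: Dict[str, List[Tuple[datetime, str]]],
             window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Hosts where discovery is followed by credential access within `window`."""
    flagged: List[str] = []
    for host, sequence in hits.items():
        discovery_times = [t for t, tactic in sequence if tactic == "discovery"]
        for t, tactic in sequence:
            if tactic == "credential-access" and any(
                    timedelta(0) <= t - d <= window for d in discovery_times):
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, sequence in found.items():
        print(host, [(t.isoformat(), tactic) for t, tactic in sequence])
    print("escalate:", escalate(found))
```

Running it flags WS-0142 for escalation (AdFind at 09:03 followed by Mimikatz at 09:07), lists WS-0077 as a discovery-only hit worth triage, and leaves the backup server untouched. Name-based rules like these are a starting point; the earlier section of the article is the reason to pair them with behavioural and similarity-based detection, since renamed or recompiled tooling will not match a fixed string.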

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
