News first hit media outlets on Monday, June 27, 2016 that a U.S. healthcare database had been breached and half a million patient records had been stolen and posted for sale on the Dark Web. Later reports suggested even more records had been stolen when the hacker advertised another 9.3 million files of patient information – bringing the total to a staggering 10 million personal health records of American citizens for sale from multiple organizations in the health industry.
A team at our company, Cymmetria, was one of the groups that uncovered the extent of this incident. The media’s information was incomplete at first, and when we saw the alleged hacker continuing to post on the Dark Web, we saw that there were actually three different sales posted. Among the organizations supposedly affected were healthcare providers from New York, Missouri, and Oklahoma, in addition to a large nationwide health insurer.
The hacker has kept the names of the affected organizations anonymous, auctioning off their private data to the highest bidder.
The hacker, who refers to himself as “thedarkoverlord,” claimed that the attack succeeded due to use of a 0-day vulnerability in the healthcare organizations’ remote desktop services, bypassing the controls put in place to prevent malicious users from gaining remote access to systems. But is this claim an attempt to draw our attention away from how the hacker actually got in?
Such a vulnerability would only provide initial access; stealing this much data takes far more than a foothold on the network. The accepted tradecraft for moving about the network and gaining access to more systems, as is very likely to have been the case here, is lateral movement, or “pivoting.” The attacker uses information found on one system to decide where to go next, and moves using the credentials of a real user so as not to create an anomaly that defensive measures can detect.
After getting past preventative security measures such as sandboxing, attackers reach endpoints and evade endpoint security solutions. They can then pivot and move laterally within the network as described above, gaining access to far more information. This is clearly problematic, and it calls for new types of controls, such as cyber deception.
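The detection side of the pivoting problem described above can be shown concretely. The Python below is an added illustration written for this page; it is not code from the original article or from Cymmetria. It assumes a constructed key=value logon log format and a constructed baseline of (account, source, destination) paths; the host and account names are invented. Two heuristics flag the footprint that legitimate-looking credential use leaves behind: one account reaching an unusual number of distinct hosts within a short window, and logon paths that never appeared during a learning period.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (invented for this example; not
# from any real environment and not related to the incident in the article).
SAMPLE_LOG = """\
2016-06-20T09:01:00 user=jsmith src=WS-104 dst=FILE-01
2016-06-20T09:03:00 user=jsmith src=WS-104 dst=MAIL-01
2016-06-20T09:10:00 user=abrown src=WS-211 dst=FILE-01
2016-06-20T22:14:00 user=rlee src=WS-377 dst=FILE-01
2016-06-20T22:15:00 user=rlee src=WS-377 dst=FILE-02
2016-06-20T22:15:30 user=rlee src=WS-377 dst=DB-01
2016-06-20T22:16:00 user=rlee src=WS-377 dst=DB-02
2016-06-20T22:17:00 user=rlee src=WS-377 dst=HR-01
2016-06-20T22:18:00 user=rlee src=WS-377 dst=BACKUP-01
2016-06-21T08:30:00 user=jsmith src=WS-104 dst=FILE-01
"""

# Baseline of (account, source, destination) paths observed during a learning
# period (constructed here; in practice built from weeks of historical logons).
BASELINE = {
    ("jsmith", "WS-104", "FILE-01"),
    ("jsmith", "WS-104", "MAIL-01"),
    ("abrown", "WS-211", "FILE-01"),
    ("rlee", "WS-377", "FILE-01"),
}


def parse_log(text):
    """Turn key=value log lines into a time-sorted list of
    (timestamp, user, source_host, destination_host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(stamp), kv["user"], kv["src"], kv["dst"]))
    return sorted(events)


def detect_fan_out(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag accounts that reach more than max_hosts distinct destinations
    inside any sliding window. Each logon on its own looks legitimate;
    the fan-out across hosts in minutes is the pivoting signature.
    Returns {account: sorted list of hosts in the widest offending window}."""
    by_user = defaultdict(list)
    for t, user, _src, dst in events:
        by_user[user].append((t, dst))
    flagged = {}
    for user, hops in by_user.items():
        widest = set()
        for t, _dst in hops:
            recent = {d for (u, d) in hops if t - window <= u <= t}
            if len(recent) > len(widest):
                widest = recent
        if len(widest) > max_hosts:
            flagged[user] = sorted(widest)
    return flagged


def detect_new_paths(events, baseline):
    """Return (user, src, dst) triples that never appeared in the baseline,
    in first-seen order and without duplicates. A valid account suddenly
    opening new paths is worth an analyst's attention even when the
    credential itself is genuine."""
    seen = set()
    new_paths = []
    for _t, user, src, dst in events:
        path = (user, src, dst)
        if path not in baseline and path not in seen:
            seen.add(path)
            new_paths.append(path)
    return new_paths


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for account, hosts in detect_fan_out(evts).items():
        print(f"fan-out: {account} reached {len(hosts)} hosts: {', '.join(hosts)}")
    for user, src, dst in detect_new_paths(evts, BASELINE):
        print(f"new path: {user} {src} -> {dst}")
```

The window size and host threshold are tuning knobs; service accounts and administrators legitimately touch many hosts, so a production version would keep per-account baselines rather than one global threshold.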
Such an attack has many implications.
On a personal level, 10 million Americans now face the fact that their personally identifiable information, along with their private health records, is out in the world and can potentially be used for anything from impersonation to blackmail. It is fair to note, though, that with so many data breaches occurring, criminals already have quite a lot of data to work with.
On a national level, while the healthcare industry has certainly been targeted before, this incident means that an industry-wide attack has likely been conducted against the United States of America, and it has gone under the radar as “yet another data breach.” It seems that with so many cyber attacks happening daily, and the damage being digital, it is often easy to miss the obvious.
We need to take stock of three facts:
1. Intelligence is complex in the cyber realm and needs to be conducted carefully. One can never be sure with online claims, even on this magnitude.
2. If this breach indeed proves true, over 10 million Americans’ health records are now effectively public record.
3. The United States is under attack and needs to acknowledge it.
It is easy to miss a strategic attack when it is surrounded daily by millions of other similar incidents. People talk about the possibility that we will see a cyber 9/11, or a digital Pearl Harbor. This incident may not look as dramatic, but it warrants our full attention.
Laura Ferguson is a Senior Analyst at Cymmetria.
Shayell Aaron is a Senior Analyst at Cymmetria.