It’s the latest indication that state-sponsored hackers from countries like North Korea and Iran are willing to deploy ransomware against the health sector — a tactic more often associated with non-state cybercriminals.
The fall of 2020 saw a wave of ransomware attacks on US hospitals from Russian-speaking cybercriminals, including one apparent ransomware incident in October 2020 that forced the University of Vermont to delay chemotherapy appointments.
In their advisory Wednesday, the US agencies did not name the organizations victimized by the alleged North Korean hackers.
The Health Information Sharing and Analysis Center, a cyber threat sharing group for big health care providers worldwide, did not identify any of its members as victims, said Errol Weiss, the group’s chief security officer.
“I would imagine the victims were smaller organizations and not prepared to handle a ransomware attack,” Weiss told CNN.
Silas Cutler, a cybersecurity specialist who analyzed the ransomware and contributed to the federal advisory, said the malicious code is “manually” operated, meaning the attackers can choose which computer files to encrypt.
“A key open question for us has been: How does the attacker deliver ransom notes to impacted parties?” Cutler, principal reverse engineer at cybersecurity firm Stairwell, told CNN. The federal advisory will hopefully flush out more information from victims and give cybersecurity experts a clearer picture of the hackers’ operations, Cutler said.
“Among its peers, North Korea is unique in their deep, active involvement in cybercrime,” said John Hultquist, vice president of intelligence analysis at cybersecurity firm Mandiant. “Unlike other countries who may contract and bargain with domestic criminals, the North Korean state carries out cybercrime directly, against targets all over the globe.”