Three and a half years ago, the Springhill Medical Center in Mobile, Alabama, became the target of Russian-based cybercriminals known as the Ryuk gang and Wizard Spider. The hackers locked up all the hospital's computers, medical records and equipment when Springhill refused to pay a ransom.
It’s one example out of hundreds in the past three years of cyber hackers attacking unsuspecting hospitals and medical centers knowing that if those hospitals’ systems are down, lives can be lost.
"These criminal groups have been deploying ransomware against these hospitals, trying to lock up data, in some cases locking up medical devices in order to cause life-threatening conditions that then would, in their view, get these organizations to be much more likely to pay a quick ransom and have them make a buck," Dmitri Alperovitch, founder of Silverado Policy Accelerator explains.
"It's been really an epidemic over the last three years with a range of both rural hospitals, small organizations and major hospital networks being attacked on a continuous basis by these groups and, in some cases, having to pay hundreds of thousands of dollars in ransom."
Now, the nation’s top cyber defenders plan to make protecting hospitals and schools their priority in the new year.
"We call these entities target rich, cyber poor," CISA Director Jen Easterly explained in an exclusive interview.
CISA, the Cybersecurity and Infrastructure Security Agency established to protect U.S. election infrastructure, is now focusing on protecting the nation’s water, electric grid and infrastructure. Easterly is a former Army intelligence officer who helped establish U.S. Cyber Command at the NSA. Before that, she hunted terrorists using cyber tools in Iraq and Afghanistan.
"We have seen massive attacks on K-12 schools and hospitals and in all manner of small businesses, which are really the engine of the U.S. economy," Easterly explained. "What we want to do is to make sure that these entities, which don't have a lot of resources, have the tools, the resources, the capabilities and the information to be able to protect themselves."
In the past three years, cyberattacks on hospitals have surged, threatening patients’ information and access to care and even resulting in some deaths. The average cyberattack on health care systems has led to 19 days of patients unable to receive some form of care, according to data from the CyberPeace Institute.
The CyberPeace Institute has documented 272 cyberattacks against the U.S. health care sector, averaging 2.3 per week over a two-year period starting in mid-2020.
BY THE NUMBERS: CYBERATTACKS ON U.S. HEALTH CARE SYSTEMS, JUNE 2020 TO SEPTEMBER 2020
68 medical specialists
26 care providers
21 mental health and substance abuse facilities
2 ambulance services
8 laboratories and diagnostic centers
14 medical manufacturers
1 national health system
16 medical manufacturing & development
CISA recently signed a memorandum of cooperation with Ukraine, whose cyber defenders have been fending off Russian attacks on their critical infrastructure for nearly a decade.
"The Russians have been using the Ukrainians as their cyber sandbox for ten years," Easterly said. "And so they've gotten really good. And I think that's a lesson that we need to learn as Americans. We're going to help them with capacity building around things like industrial control systems. I think there's a ton we can learn from the Ukrainians because they have done a tremendous job and showed incredible resilience in their infrastructure."
The Russians began launching cyberattacks in Ukraine in 2014.
"They were honing their skills and, at the same time, Ukraine was honing their defensive skills. And so it gave them practice and understanding how the Russians operate," Easterly explained.
Shortly after Russian troops invaded Ukraine on Feb. 24, 2020, Russia carried out a cyberattack on Ukrainian communications by targeting ViaSat, the American communications company that was providing satellite modems the Ukrainians were using.
Ukraine turned to Elon Musk, who provided Starlink terminals that gave Ukraine an ability to keep communicating. More recently, the attacks have been called "wiper attacks," malicious code that just attempts to wipe data on a machine, according to cyber expert Alperovitch.
"I think, in many ways, because of the high tempo operations that the Russians have been attempting to execute in Ukraine, they've not been able to sort of stop and plan something out that's much more complicated and that would take months to plan because they're probably getting a lot of internal pressure to just get things out and achieve some sort of effects," Alperovitch said.
"But in prior years, for example, in 2015 and 2016, they've executed very complex operations against the Ukrainian electric grid, turning off power to hundreds of thousands of homes for a few hours purely through cyber operations. So, in many ways, they've been able to do these types of experimentations using Ukrainian networks effectively as a testing platform."
Then there was the famous Russian NotPetya attack that began in 2017, targeting Ukraine and spreading around the world to become the most destructive cyberattack in history, according to the White House.
"NotPetya was a fake ransomware. It masqueraded as a ransomware that would attempt to lock up your data and then ask for ransom to unlock it," Alperovitch explained. "But, of course, there would be no way to actually unlock the data.
"It would permanently destroy it, and it leveraged what's known as a supply chain vulnerability because, instead of breaking into numerous companies, one by one, the Russians achieved scale by breaking initially into one company that was providing tax filing software for Ukrainian businesses to do electronic tax filings."
Through a malicious update in that software, they were able to infect numerous companies. Many of the companies in Ukraine also had Western affiliates and contractors. The virus spread quickly beyond Ukraine’s borders, inflicting billions of dollars in damage.
"So many had to rebuild their networks from scratch. A company like Maersk, for example, a global shipping behemoth, their networks were completely down. So, it had to go back to pen and paper to track their ships and their shipments, causing enormous complications and massive damage," Alperovitch explained.
"You had other major manufacturers like Merck and others that were impacted as well as a result of this attack. So, they had to find backups and restore their data because it was basically at that point irreversibly destroyed."
The Russian government paid no price for that attack.