This is not what we need in these final chapters of 2020 with COVID cases spiking.
> Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of the most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.
This is what terrorism looks like in 2020. Horrifying, terrifying, disgusting.
There have been ransomware attacks that are covers for outright attacks, iirc some where the payment and decryption mechanism didn't even function.
On a more theoretical level, it's certainly possible to do both at the same time, two birds with one stone. But it seems a lot of the big gangs are suspected state-sponsored, which is less terrorism and more cyber warfare.
NotPetya is a good example. Looked like a broad ransomware attack very similar to the earlier Petya attack. Turned out it was very likely a broad cover for a very narrow attack against Ukraine’s power grid during Russian invasion.
Say what you will about Russia, but I don't believe they'd attack hospitals dealing with COVID in the middle of the pandemic as a cover for some kind of attack.
I know anti-Russia propaganda is at its height now and I even admit it's weird watching how worked up Americans get about stuff they've been doing all around the world since WWII, but as bad as Russia might be, I don't really buy they're behind it.
> Say what you will about Russia, but I don't believe they'd attack hospitals dealing with COVID in the middle of the pandemic as a cover for some kind of attack.
I wouldn't characterize it as an attack, it's closer to "preparing an attack". And why not - the former President of the United States outright said on TV that the US had placed dormant implants deep inside key Russian infrastructure without pulling the trigger, as preparation/part of countermeasures for electoral meddling in 2016. The decision to pull the trigger was left as an option for his successor. I do not doubt the Russians may be getting similar "insurance" against a possible unfriendly posture from Washington starting January 2021.
I wasn’t commenting necessarily on this attack. Just saying the claim that ransomware attacks are purely financial is demonstrably untrue in at least one case.
And plenty just want to get paid - it's actually pretty impressive how many take down / don't share if they are paid or actually come through with the decryption keys.
Hard to see how they are terrorists? What are they pushing to accomplish with their terror campaign?
Anyways, my health care system constantly assures me security is its "top" priority and "state of the art".
Not saying that it's the case with most (or even any) ransomware, but it's very common for terrorist organisations/liberation movements/violent non-state actors to fund their activities through organised crime. ETA used to rob banks, the Contras trafficked cocaine, the RIRA smuggles cigarettes and launders agricultural fuel, the remnants of the Islamic State have turned to illegal forestry, etc. etc.
I'm not saying all ransomware attacks are terrorists, just that ransomware attacks are not always profit-motivated, some are covers for larger attacks, some are just disruption operations, and either one of those can be considered terrorism, or cyber warfare. (I am not the user who originally said this was terrorism)
If it's a fake ransomware then yeah that's probably terrorism. If it's fake it's obviously not done for profit. I'm referring to actual ransomware that works, that's done for profit.
> On a more theoretical level, it's certainly possible to do both at the same time, two birds with one stone.
I'm not sure how well that would work. Ransomware generally has responsive and helpful support people, because without that it will be hard to convince victims to pay. If they spend their time instilling fear instead of confidence in the payment process, then no one will pay.
> I'm referring to actual ransomware that works, that's done for profit.
From what I have recently learned, this may no longer be accurate. The latest Risky Business happens to touch upon the subject.
Criminal groups in Russia have financial arrangements with the central government, and may occasionally do some freelancing for them. Now China is getting on the same boat, but apparently with a less entrepreneurial approach to target selection.
If they are the only ones, I would be very much surprised. The net result is that ideological and for-profit motives will be harder to distinguish, as the same crew may well be doing different campaigns for different reasons at any given time.
> If they are the only ones, I would be very much surprised. The net result is that ideological and for-profit motives will be harder to distinguish, as the same crew may well be doing different campaigns for different reasons at any given time.
Sure, some of the campaigns might be ransomware, some might be terrorism. I don't see how this disagrees with what I said.
The goal of terrorism is always political. Fear is the tool used by terrorism to reach the goal. Fear is a defining feature, but just a means to an end.
As others have noted: while this instance is unlikely to be terrorism, this is a tool that is useful in terrorism and has been used as such in the past.
> The use of violence or of the threat of violence in the pursuit of political, religious, ideological or social objectives
One could argue these are all political. In the end, you can deduce anything to being political.
Or this definition by Alex P. Schmid from 1988:
> "Terrorism is an anxiety-inspiring method of repeated violent action, employed by (semi-)clandestine individual, group, or state actors, for idiosyncratic, criminal, or political reasons, whereby—in contrast to assassination—the direct targets of violence are not the main targets. The immediate human victims of violence are generally chosen randomly (targets of opportunity) or selectively (representative or symbolic targets) from a target population, and serve as message generators. Threat- and violence-based communication processes between terrorist (organization), (imperiled) victims, and main targets are used to manipulate the main target (audience(s), turning it into a target of terror, a target of demands, or a target of attention, depending on whether intimidation, coercion, or propaganda is primarily sought".
For the source and more scholarly definitions, see [2].
For in-depth criteria I can recommend Alex P. Schmid's "Revised Academic Consensus Definition of Terrorism" from 2011 [3] as it is what scholars at Leiden University use.
Regarding the criterion of whether it is always political, see #9:
> 9. While showing similarities with methods employed by organized crime as well as those found in war crimes, terrorist violence is predominantly political – usually in its motivation but nearly always in its societal repercussions;
(It's too large to quote all 12 criteria; again, please see [3] (no HTTPS))
Sometimes, the goal of ransomware is political, but it's disguised as if the goal were financial. This provides cover for e.g. a state actor.
I take issue with the first two: "idiosyncratic, criminal, or political reasons." Only political reasons is legitimately terrorism. Terrorism and provoking mere "terror" are not the same thing.
> the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.
From the Oxford dictionary. Terrorism absolutely includes the political struggle. The point is that terrorism uses violence and intimidation to further its goals and that it has no legal base for it.
Terrorist, too; it's a cheap and easy way to apparently get around those pesky human rights. Only caveat is that you can't use it against white people because those are on our side.
You can use it against white people. You just have to dig through their social media until you find at least one of them saying something that can be construed as racist. Then the "domestic terrorist" label applies to the whole group.
On the other hand, I believe that the word terrorism and the characterization of acts as terrorists should not be taken too lightly as it can lead to misuse of power rather quickly.
I wouldn't want to use the word lightly either, but if Russia is trying to destabilize our economy, for their own political gain, and they inadvertently threaten or kill many people in the process (by shutting down hospital information systems)... that is the textbook definition of terrorism.
Oh good, we're all part of rogue terrorist nations then. Shall we talk about Vietnam or Korea? Or how about the use of "Strategic Bombing" in WWII, which was specifically designed to crumble cities by terrifying their citizens into leaving. That's not even to mention the use of nuclear weapons, which under this definition would probably make the US the worst terrorist organization in the world.
Perhaps an even closer corollary would be our embargo of Cuba, which effectively cut them off from having viable trading routes. We did it to destabilize their economy, so they would get rid of Communism because we don't like Communists. How many people have died of starvation because we're artificially dampening their economy?
Fear of losing money if you pay the ransom or if you don't pay the ransom? They certainly don't want to make you fear paying the ransom, because that would mean you won't pay and they wouldn't profit.
Fear of losing money if you don't pay the ransom: yes. But this could sort of apply to many salespeople, marketers, negotiators. They want to make it sound very good to take the deal and very bad (yes, maybe scary) to not take the deal.
The way the fear is targeted between ransomware and terrorism is also quite different. Terrorism wants the general public to be scared. Ransomware doesn't want the general public to be scared, because that would lead to people patching their systems, reducing future profit opportunities.
Sure, but the attacks done for revenue reasons would be classified as profit-motivated rather than terrorism. The attacks done for fear would be classified as terrorism. Ransomware attacks are known for having responsive and helpful support people, because they want a reputation for promptly decrypting the data when the payment is given.
We can easily reconcile the two by recognizing that profit doesn't have to be money and that terrorists definitely profit from fear (otherwise they wouldn't do it). Everything we do is for profit, even if that profit isn't measured exclusively in dollars.
We can further reconcile them by saying that the entire mechanism for extracting money from the ransom victim is by making them afraid. In this case, afraid of losing their computer systems.
I'm not following. Are they asking for ransom or not? If yes, then they are getting actual monetary profit, we don't need to think about "profit [that] isn't measured exclusively in dollars". If no, then it's not ransomware.
> We can further reconcile them by saying that the entire mechanism for extracting money from the ransom victim is by making them afraid. In this case, afraid of losing their computer systems.
You might be partially right. But I see it more of them trying to convince you to take a deal. They're trying to sell you something: your data. They want you to have as little fear as possible that you can get your data back. They want you to be 100% confident in the payment process. Yes there's fear of what would happen if you don't pay. But that's a path they want you to avoid. You could almost categorize any negotiation this way. The person you're negotiating with will try to convince you how good it is to take the deal and how bad it is to not take the deal.
The other difference between this and regular terrorism is that regular terrorism wants the general population to be scared. In ransomware, they have no goal at all of making the general population scared. In fact making the general population scared would be counterproductive, because it could lead to people patching their computers making future profits harder.
The hospital chain I work for was hit with ransomware last month. Door locks, time clocks, and photocopy machines still worked, but all computers were down. We use paper records, but it was frustrating and inconvenient. We're not allowed to pay due to laws. Corporate started slowly building us a brand new, but terrible, network 5 weeks after the old one went down. Definitely caused a little staff burnout, but not more than corporate's relentless attempts to extract additional profit from us at the expense of our patients and our wellbeing.
If they treat you like an ATM machine, you treat them as such. 40 hr weeks, go home, and DGAF.
Patients dying because people don't work 80hr weeks? Why are you working for such a shit management team? That's management's problem. Don't like it? Quit. Really don't like it? Name and shame.
It's unfortunate we live in a day and age where that kind of thinking is necessary, but it is. Burnout in the middle of a pandemic can get you killed.
We had our computers go down for ~12 hours one day. Paper charts came out, which was a massive undertaking. I could not imagine my system being down for 5 weeks.
Wasn't there a ransomware case in Germany recently where when they advised the hackers that they'd hit a hospital, the hackers immediately turned over the unlock keys, without a ransom?
Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...
Self-interest; a financial crime is nowhere as high on the priority list as one causing injury and death. It crosses the line from fairly petty crime to getting an international warrant on your ass.
Exactly. That provincial government in <insert stereotypical corrupt country> who you're paying off may well turn your ass over if you kill people because protecting your industry is their cash cow and they don't wanna lose that because someone killed people.
At a certain point a “hack” becomes an “attack” and the response moves from “police action” to “military response” and I’m guessing that only state actor or sponsored groups are willing to cross that line.
> Not that that is any way a defense, and I'm sure there was as much a self-interested motivation of "We are going to be hit hard if we ransom a hospital _now_" as much as "doing the right thing"...
One involves the violent deaths of hundreds or thousands of innocent civilians.
The other involves financial loss and probably a temporary shut-down of one or more hospitals.
Frankly, a cyberattack is the kind of thing a hospital can and should be hardened against. This is an administrative and regulatory failure being dressed up as "terrorism."
Criminals that use ransomware should be prosecuted and sent to prison, not disappeared to Guantanamo Bay and tortured.
While I agree hospitals should have protocols to handle these situations, it's just not that straightforward. These IT systems are big and complex, and not standardized.
I worked on critical systems in the energy sector and while we were buried in federal compliance paperwork, the systems and software were always a target that was evolving and hard to keep up with. The energy management system was a huge bureaucratic battle between IT and engineering and there were compromises made (that I didn't always agree with) for the sake of support and maintainability within the IT tech landscape. For compliance reasons, and because the system is "offline", upgrades and patches were really challenging and honestly kind of terrifying. The risk of taking something down and impacting grid operations was harrowing. It really made our small team reticent to touch anything. I don't envy these hospitals, it's a really tough battle to ensure your systems are always up to date, locked down, and operational.
Also, a hospital going down is not a small problem. My wife is an ICU doctor for a large hospital and her patients are sometimes hanging on by a thread. If they lost their EHR and patient history, I imagine that would present a really scary challenge. It's not just financial.
Come on. Blowing up a hospital is a crime, and arguably terrorism. Disabling the hospital and systematically preventing it from treating patients is a lesser thing. But still arguably terrorism if done intentionally.
And yes, it matters if an enemy or friend does it. That's so obvious to not merit discussion.
Is this just pedantry? I'm making room for an interpretation, that's all. Hospitals are a special case. No reason to read any attitude into it. And no reason for a deliberately argumentative response.
Do you actually think that this comment adds to the conversation at hand or are you just using this as an opportunity to wedge in the 'but America does it too!' trope?
I think it's an interesting comment and see no reason America deserves some special shield from criticism, trope or not. It should be responded to on its own merit, just like anyone sharing any other opinion on HN.
It seems pretty irrelevant to me. Nobody was talking about specific state actors, claiming that X is evil while America is a saint, etc. The comment feels like a response to an argument that nobody made.
It's not interesting. Every major thread on HN has at least one comment trying to force the America Bad angle into the conversation regardless of whether the discussion is about the US.
If the primary conversation - derived from the linked article - is about the US and about a topic having to do with something negative about the US, then it's both interesting (as the root source) and makes reasonable sense that it should be in the thread.
Otherwise it's nothing more than a political agenda - someone being triggered and unable to control themselves - being force-wedged into a conversation where it doesn't belong, and it degrades the quality of HN dramatically. As it would if the same treatment were applied to any other nation.
Imagine if every large thread had someone trying to force comments about all the bad things France or Britain have done. Every single major thread. Now apply it to dozens of nations. Of course that wouldn't be allowed because it would be insane. It's insane to allow it for the US just the same.
It's not interesting to you. Not every comment needs to be interesting to everyone.
> Every major thread on HN has at least one comment trying to force the America Bad angle into the conversation
This is an extreme exaggeration. Plenty of large threads don't discuss this. I'd wager the vast majority.
> If the primary conversation - derived from the linked article - is about the US and about a topic having to do with something negative about the US…
There are plenty of sub-conversations on every thread that aren't explicitly about the main topic. On this post alone, there are comments about the definition of terrorism, bitcoin, health insurance laws, American military action, etc. It seems like you're singling out "criticism of America" as the only taboo topic for no real reason.
> Imagine if every large thread had someone trying to force comments about all the bad things France or Britain have done.
Nobody is "forcing" comments. People are leaving comments. About all sorts of opinions, including those criticizing other countries. And absolutely none of this happens on "every large thread".
> someone being triggered and unable to control themselves
Didn't sound like the commenter was triggered at all.
Takes a goofy definition of terrorism to get Bay of Pigs to fit.
A military attempt to overthrow a violent leader of another country doesn’t really land in the same category of shutting down hospitals and killing sick people with no political power.
Using violence to attempt to cause a regime change without formally declaring war sounds much more like the traditional definition of terrorism to me [although maybe not the perfect fit] than ransomware, which sounds like organized crime to me.
> Using violence to attempt to cause a regime change without formally declaring war, sounds much more like the traditional definition of terrorism
Or insurrection.
Unless we're talking about some fourth-world wish-we-had-even-bananas republic, there will be geopolitics in play. The rebelling groups are almost certainly being funded, either directly or indirectly, by foreign governments.
Those rebels, are they terrorists or freedom fighters? Are the foreign governments funding terrorism or supporting unnecessarily violent grass-roots opposition? Where does political meddling end and waging a covert war begin?
Sorry, to be clear. The definition of terrorism that most people are used to is the one that involves attacking people not anywhere in the government leadership hierarchy. For example, blowing up a commuter bus serves no purpose to take over a regime (unless the president was on that bus). The end goal is purely to cause fear.
Trying to quickly or quietly overthrow a government is pretty much the opposite of that effect. You want a quick change and the end goal is power, not fear for the sake of fear.
Governments can fall if the people feel they aren't protected, although in practice that rarely happens. Groups like the FLQ, IRA, etc. may have bombed civilian targets that really didn't have to do with the government, but they were still clearly aiming at political change.
Which groups do you think are fear for the sake of fear? Lots of groups are characterized that way for propaganda purposes, and deep down inside there are probably more than a few that just want the world to burn, but I'm not sure any exist that literally claim to just want to cause fear without tying it to some broader political goals.
> Trying to quickly or quietly overthrow a government is pretty much the opposite of that effect
I agree generally that quiet coups aren't generally in the terrorism category, but I still think they have much more in common with terrorism than (apolitical) ransomware does.
Bringing a country to its knees by weakening morale and trust in government is textbook regime change. Ransoming hospitals is fairly depraved, but if you could overthrow an enemy superpower without launching any missiles, would you do it?
You gotta wait for it to be declassified. Syria was likely CIA funded. Same with Libya. Just wait a bit. It all comes out after everyone's stopped caring.
Are you speaking about Syria and Libya today that was a result of the Arab Spring in multiple Arab countries, which took everyone including CIA by surprise? Do you really believe the CIA is capable of something on that scale?
Syria is just as complicated if not more so. It turned into a proxy war between the US and Russia and don't forget ISIS and the many different factions who have received funding from multiple sources.
How many people have been killed in the US this year causing and because of the protests at the hands of government and extremists? I don't think we'll be getting a NATO bombing anytime soon. I also can't picture that happening in Nigeria.
If it took the CIA by surprise, why were Syria and Libya on the short list of countries that General Wesley Clark identified as regime change targets in 2007, three years before the Arab Spring?
Because that's a wish list vs. a "we assume this will happen/are actively working on it list"? I'm pretty sure the CIA also shortlisted every Eastern Bloc state in the 80s for regime change. Doesn't mean the SU fell because of the CIA.
It also acted as a starting gun for every other country on earth to create and/or massively expand their cyber warfare capabilities. Sparking a new arms race for the 21st century, normalizing acts of (cyber) aggression against foreign infrastructure during peacetime.
Assuming the conventional wisdom about the event is accurate:
A state military attacking a perceived threat to the national security of that state (while at the same time doing its damnedest to make sure nobody knew about it) is pretty clearly outside the definition of terrorism. It fits squarely into espionage / warfare.
None of the terrorism boxes get ticked. It wasn't a splashy, overt thing meant to instill fear. It wasn't carried out against emotionally-charged targets attempting to incite, nobody claimed credit, etc.
Everything adverse that happens is not terrorism. The term has kinda worn itself out, which is bad, because that word invokes a whole bunch of executive power shifts.
Well, a lot of the turmoil in the Middle East is at least partially (I'd argue mostly) to blame because of the US.
Al Qaeda was trained by the CIA. I think it's relatively accepted that there were no WMDs in Iraq, so that entire invasion/war could be classified as terrorism. There are countless drone strikes with civilian casualties around the world. Whether or not you agree with why we did it, the CIA is credited with Stuxnet (it's terrorism even if you think this is one of the "good" ones).
There are certainly more, but let's not pretend like the US isn't intimately involved in directly inserting itself into international affairs illegitimately.
You should read your links and learn the differences between middle eastern extremists groups. The mujahideen are not Al Qaeda. Most people say the Taliban are trained by the CIA. But even that’s not technically correct. Taliban are also not Al Qaeda.
"Haqqani - one of bin Laden's closest associates in the 1980s - received direct cash payments from CIA agents, without the mediation of the ISI."
"This independent source of funding gave Haqqani disproportionate influence over the mujahideen."
"Haqqani and his network played an important role in the formation and growth of al Qaeda, with Jalalhuddin Haqqani allowing bin Laden to train mujahideen volunteers in Haqqani territory and build extensive infrastructure there."
From a more extensive page linked from there:
"Sheik Omar Abdel Rahman, an associate of Bin Laden's, was given visas to enter the US on four occasions by the CIA [...] Rahman was a co-plotter of the 1993 World Trade Center bombing."
"Afghan Arabs 'benefited indirectly from the CIA's funding, through the ISI and resistance organizations [...] at an estimated cost of $800 million in the years up to and including 1988'"
"The Guardian alleges that the CIA helped Osama bin Laden build an underground camp at Khost, which bin Laden used to train Mujahideen soldiers."
In a 2004 article entitled "Al-Qaeda's origins and links", the BBC wrote:
"During the anti-Soviet war Bin Laden and his fighters received American and Saudi funding. Some analysts believe Bin Laden himself had security training from the CIA."
"Two-time Prime Minister of Pakistan Benazir Bhutto said Osama bin Laden was initially pro-American [and] Robin Cook, Foreign Secretary in the UK from 1997–2001, wrote, 'Throughout the '80s [Bin Laden] was armed by the CIA and funded by the Saudis'."
And what do the Saudis have to say about it?
Prince Bandar bin Sultan of Saudi Arabia stated (in the wake of 9/11):
"He [Osama bin Laden] came to thank me for my efforts to bring the Americans, our friends, to help us against the atheists, he said the communists. Isn't it ironic?"
A war that was started on incorrect pretenses is not the same thing as terrorism. Among other things, the US did not deliberately target the Iraqi civilian population, and made their best efforts to avoid civilians being harmed. The US provided substantial reconstruction aid to Iraq to help undo the damage of the war afterward - more than $60 billion.
However, it's hard to avoid there being some undesired casualties in war, especially when the fighters on the opposing side are using guerrilla tactics and hiding within the civilian population, such as deliberately fighting, sniping, or using mortars from within what are otherwise civilian compounds, or even mosques, forcing the US to either ignore the attacks (unacceptable) or respond and attack mosques and civilian compounds.
All of our soldiers are uniformed, with a flag, and follow rules of engagement that involve not attacking anyone except positively identified targets (i.e. observed holding weapons). Terrorist groups operating in the Middle East wear no uniform and exploit our rules of engagement by attacking, dropping their weapons before the coalition can respond, then pretending to be civilians. Even though they're the only men-of-age in an area from which an attack just took place, since they stashed their weapons somewhere, the rules of engagement mean that our troops can't do much if they didn't observe a person holding a weapon.
Uniformed soldiers fighting other uniformed soldiers is different than terrorists that attack civilians or soldiers and then hide, pretending to be civilians.
The Iraq war was started on pretenses that we now know are false, but let's not conflate that with groups that deliberately target civilians (with suicide bombs in shopping centers), or conduct attacks even on military facilities and then pretend to be civilians when pursued for a counter-attack.
> Among other things, the US did not deliberately target the Iraqi civilian population, and made their best efforts to avoid civilians being harmed.
Maybe for the second Iraq war, but for the first one that's bullshit – before the first Iraq war, Iraq was the richest third world country. The US bombed it back to the stone age, using more bombs than were dropped on Germany during WW2, hitting civilian infrastructure like water treatment plants, which then resulted in the following years in hundreds of thousands of dead children.
Cyber attacks are probably the least interesting enterprise that North Korea is involved in [1].
They're also involved quite heavily in the illegal drug trade and bootlegging cigarettes and alcohol, using their embassies and diplomats as a distribution network, as well as counterfeiting currency and pharmaceuticals, running an international restaurant chain [2], building statues for tinpot dictators [3], shipping citizens off to Russia as "contract workers", smuggling ivory, trafficking arms, and previously leasing out embassy buildings in Berlin to a hostel [4].
The expression "state sponsored terrorism" is vague and subject to a lot of biases. For what it's worth, most state-sanctioned cyberattacks are _not_ profit oriented. They rather aim to disrupt the operations of an organization (see: American cyberattacks against ISIL), establish deterrence (see: the US allegedly planting digital "bombs" in Russia's networks), collect intelligence (see: the OPM hack). The exception being North Korea, a state that conducts cyberattacks for the explicit purpose of making money.
I wonder at what threshold asymmetric responses get put into play, with these actors clearly focused on basic terrorism.
At what point is a ‘kinetic response’ to a cyberattack warranted?
Terrorism is almost, but probably not exactly the right word, but it's 'of that level of concern'.
If hospitals nation-wide are under attack, it's a massive national security issue.
We need to figure out some kind of new way to secure general purpose devices - and also - there needs to be much more investment in thwarting and retaliating against these people.
If some random hackers can do this - imagine how badly and quickly a foreign state actor with deep pockets could shut things down.
Does anyone else feel that any organization that isn't doing regular secure backups with a way to restore that data deserves for this to happen? It's like an airplane running out of gas because the pilot forgot to fill up the tank. It's kind of step one of working with computers.
You certainly express an unpopular opinion, and at first glance you are right: secure backups should be a priority for any IT organization.
However, not all backups are continuous and pervasive. There are often backup windows, gaps, and processes that halt with no one noticing. Ryuk also actively disables and deletes backups to maximize impact, while also seeking out mount points that might be backup targets - and encrypts those as well.
Of course, we're also talking about hospitals here. Even a well-managed system with hourly differential backups leaves plenty of time for radiology data to be lost in the critical hour before life saving surgery.
More realistically though, how long would it take you to discover and remove a sophisticated penetration, then restore every device, ensure none of the restores are also infected by the malware that had probably been there for a while, and bring a hospital system with thousands of impacted systems back online? 72 hours? A week? A month?
What happens to the patients? Admissions to the emergency room? What if adjacent hospitals are also hit, or are already impacted by the COVID spike and have no open beds?
People literally die due to hospital ransomware attacks. No one deserves that.
Ransomware is akin to kidnapping, it's just the data and customers that are held hostage, not kids or loved ones. Always blame the criminal, never the victim.
There is an expectation that information and services are to be secured with a certain level of care and standards. I don't see how that applies to people.
> Always blame the criminal, never the victim
This argument excludes the concept of negligence. If the victim was grossly negligent then they are also to blame.
There are a lot of systems in a hospital. Maybe 3000 different systems, made by different suppliers, some long gone.
In good countries, we maintain important records and have roll back capabilities on most of the things we control ourselves. But that doesn’t necessarily include the MRI machine's Windows XP that is maintained by some third party supplier that operates through another 3rd party seller, and that’s just one of the 3000 things that can go wrong.
Then there is the parts where attacks will affect you, even if they don’t do any damage that can’t be reversed. Typically global internet access gets shut down during an attack, but that makes transfers harder. It also makes acute arrivals harder, because the ambulance helicopter might not be in range of your “internal internet” and thus may not be capable of feeding you important live data.
Some attacks target the network itself, and while you’ll generally have a good set of people running that, they aren’t always a match for nation state backed hacking tools.
So there is just a billion things that can go wrong, even if you have the best of the best working on it, and in many countries, there is a good chance that’s not even the case. I can count myself lucky to work in a country where we take digitisation very seriously in the public sector, and I can easily see why things could go wrong.
It's easy to say "well they should've filled the tank" when you're comfortably sitting on the ground, but it's little consolation for the people 30,000 feet in the air, or for the patients in hospital waiting for time critical, life saving treatment.
Most of current best practices for backups, redundancy and business continuity are intended for the risks of random disasters. Malicious attacks are substantially different.
There are many organizations which are doing regular secure backups, but are doing so in a way that can be sabotaged once a skilled attacker gains domain admin privileges, and sabotaging backups is one of key things that the attackers are doing after they are in the network and before triggering the ransom encryption. We're not talking about a virus randomly spreading, in such high-ransom targeted attacks the preparation before triggering a ransom is done manually by skilled teams going on from one target to another.
Yes there probably is some blame on the hospitals for not securing things well, but there is a huge difference between preventing something from failing, and preventing something from being actively sabotaged.
If a hospital had random power cables everywhere and someone tripped over one and unplugged an important device, that would be far far more on the side of the hospital's fault than an attack on the computer systems.
Interesting that DHS's public twitter has no word of this, and instead is a full-time campaign ad for the border fence.
It's also ironic that for all the pervasive government surveillance of the internet, this stuff just flies right under the radar. I thought the whole point of this surveillance was for our protection?
The regulatory environment in the Health Care industry is based on the premise that any change risks patient safety. Changing a single line of CSS literally takes 6 months to test, validate, document and get approval for, so everyone's afraid to change a thing. You can't automate anything because the current process survived 7 audits and regulatory is afraid changing it might raise an alarm. You'd be stunned at the number of hospitals still running Windows XP. Most systems use a plain text messaging protocol designed in the 80's -- no encryption or authentication anywhere to be seen, and half of them write messages to disk because "it's safer".
If ever there was an example of well intentioned regulation gone horribly wrong this is it. The whole industry is a cyber security nightmare waiting to happen.
A lot of medical stuff seems to suffer from this problem of caution paralyzing the behavior of professionals, not just in IT.
That being said, most commercial software seems to be way worse. There was the article the other month of a Windows 10 machine automatically updating while a patient was being operated on, forcing them to be kept under for an extra few hours.
In my opinion, "patient risk" is often used as an excuse by vendors (and some hospitals) to slow walk patching and testing. I can understand the motivation, it saves them money and they can wait until there's more patches to test and do them all at once.
I think the obvious solution would be to invest in a new open-source end-to-end infrastructure that could be thoroughly audited then implemented by hospitals everywhere.
Of course, that would need a sizeable investment of both money and time, but it would almost definitely be more efficient than updating one component at a time.
My armchair analysis of the obvious solution is to airgap all these systems. Perhaps this would require some new infrastructure in hospitals, but it would add a very difficult-to-penetrate layer.
That's one part of it, but the real innovation in remote care is RPM devices (Remote Patient Monitoring). These can be anything from blood-glucose sensors, dialysis machines, blood pressure sensors, etc, that have an internet connection and send data live to a physician or nurse.
The struggle with these devices is that they're often cheap embedded systems that never receive firmware updates, so they do present a security concern. However, they're also immensely useful and have without a doubt saved lives.
Yea so that won't happen.
Hospitals don't audit anything for real. The hospital admin just hires their buddy to rubber stamp junk and gets a kickback.
The actual software and hardware solutions too are based on who gives the best kickbacks to hospital admins and doctors.
That's it. That's the American healthcare field and why it's a complete shitshow.
IT staff is made to deal with decisions they have no say or power in and turnover is quite high.
My hospital was offline for a whole week because they got hit by a ransomware attack, and they use Epic. I asked someone I knew at Epic what she knew about it, and she confirmed that my hospital was up-to-date on the latest version of their software and following most of their security protocols. My initial thought was they had weak IT security and now I’m not so sure.
Doesn’t matter if their Epic servers are up to date if the attacker got a domain admin account somewhere else and can just log in normally to run the ransomware.
Yup, just spearphish one of the employees with a password reset email. People, including educated developers and MDs, are in general very lax about security. But also you have Windows 7 legacy systems running specialized equipment that has been validated for that OS and software version number. There is really no way around this; if a country wants to kill Americans right now IMO it is most effective to disable EPIC servers in ND/SD/WI/MT. That would cause way too much chaos and people would die.
But also what are we doing running life-critical software on Microsoft-made OS? This is idiotic, it is great for gaming and excel but not hospitals. Microsoft could make another OS based on Linux or BSD and it could not be hot garbage. But that would eat into profits and take...effort. Linux and ChromeOS + 2FA is much better although not perfect.
Epic is an on-premise dumpster fire, so I'm not surprised. Plus there are many attack vectors besides the EHR. I assume they probably had access to services cut off rather than having patient data held up for ransom.
If there's a zero day, there's not a lot you can do. NHS got hit so bad because they were running very old Windows versions. A lot of embedded systems have no upgrade paths (MRIs running embedded XP should probably not be on the network at all).
Hospitals need full backup machines and with health care costs already through the roof, that will just add more. Even if you have all your order entry machines setup to not make external Internet connections except to update servers, one bad e-mail getting through and you could be in trouble.
You're gonna need your MRIs on the network cuz they transmit the actual PHI via PACS.
No way the operator is copying a 5GB+ dicom file to your record in your EMR manually.
You NEED to have the patient name added via modality worklists to reduce errors (i.e. add the pt to the MRI software before the scan, and send the scan to the EMR once it's taken).
The worst thing is, this protocol is old and insecure. They just don't have the IT chops at hospitals to handle this.
Zero days may get the headlines, but attackers are finding a lot of value in leveraging old vulnerabilities. CISA, FBI and NSA have issued several advisories over the last month highlighting an overarching theme of advanced persistent threat groups targeting unpatched vulnerabilities lately.
In general, regulated entities are required to regularly prove that their change-management processes are sufficiently heavy as to make regular patching a non-starter.
Ha! Sorry, my political views are non-binary so I see how you're confused. Allow me to clarify: the regulations in the health care industry are structured poorly and have strong disincentives to even the simplest and most obvious improvements (e.g. updating software to receive security updates). They should not be removed, but they need to be rethought so people in the industry aren't afraid to make changes.
HIPAA contains a security and privacy rule, but its original aim was to spur patient record portability between providers and insurers. That lineage of regulation, which also includes HITECH, ARRA, and provisions tied to Medicare expansion, established the carrots and sticks thought necessary to modernize the health industries records--to get them off paper and into bits. All this modernization eventually happened, but it's hard to say whether the regulation was the primary driver or if these companies would have done it anyway. Having worked in the industry, I lean toward the regulations being the primary driver. Low risk tolerance was already a characteristic of health organizations before HIPAA (and I think patient safety was the main reason). When HIPAA was signed in 1996, most US industries were heavily computerized, but health organizations lagged far behind. Lack of competition where most providers and insurers operated meant there was little commercial incentive for them to spend money to be able to exchange files with organizations in other states. Digitalization just wasn't coming together in health care as rapidly as in other industries, although I didn't work in health at the time so I don't feel like I personally know all the reasons.
It's been a long time since 1996, but most of the IT messes inside health organizations are self-inflicted. HIPAA and friends don't mandate which operating systems you use, specify approved encryption algorithms, or tell you when and how to update your computer systems. These are all choices left to the implementation teams, and they chose to work with vendors who aligned their solutions to information architectures that just don't change very fast. I think if you compared this IT situation to, say, large scale manufacturing in the US you'd find similar problems of outdated platforms supporting expensive and hard-to-change niche software. And it's probably market forces, not government regulation, that's responsible for this similarity.
Likewise, I love FISMA, but I don't think hospitals would cease operations just because their systems couldn't get an ATO. What kind of accountability would motivate them to complete POAMs with any urgency? I don't think there is an effective way to incentivize a proactive approach - financial penalties would simply be indirectly paid for by customers.
As hospitals around the country race to the bottom, I'm not sure where a qualified IT team to manage these systems is going to come from. I don't think hospitals can afford them anymore.
I worked in hospital IT and it was a tough environment: it seemed like we had at least one big system rollout (EMR, radiology, lab, etc.) every year. It was difficult to manage when the hospital was paying a little below median for the area, now they are way below that where I live (western MA).
Really it's the regulatory environment. It treats any change as potentially life threatening. Imagine if you had to prove that none of your changes could possibly risk patient safety to people who think automated tests can't be trusted because they can be written to simply print "PASS" all the time.
If there is one thing I’ve learned from HN commenters, it’s that software engineers are never, ever individually responsible for the ethical or moral consequences of the software they write. It’s one of the most consistently and quickly downvoted topics here. It’s always the company’s fault.
It's such a strange dichotomy. On one hand, software engineers command healthy salaries, have massive power to decide where they work, and are in high demand everywhere. They get perks up the wazoo. On the other hand, when it comes to agency over what they work on, all of a sudden they claim their power is totally gone. "Whelp, if the boss tells me to write malware or cheat at a benchmark, I guess I just have to put my head down and do it! Poor me, nothin' I can do about it. Don't blame me, not my fault, everyone!"
As diabolical as this is, you wouldn't really need state level actions to take down hospitals.
Anyone who has been to one in the last year, pre-covid even, understands the ferris wheel of nurses and doctors that churn through the butter of what goes on there.
These weren't exactly hardened targets to begin with.
If you don't nurture a wound, you'll get an infection. If you don't clean your hands before eating or you eat something foul, you get diarrhea.
The outside world is a dangerous place, and if you wish to interact with it, you should have your defences in order and take necessary precautions. And then still bad actors will get through, such as the yearly flu, so you must deal with that as well.
You won't defeat the outside world with offense, there's just too much out there, adapting too fast.
Health insurance premiums are just total healthcare costs for the insured lives plus x% for operations of the health insurance company. If all hospitals have to raise prices to meet IT costs, then presumably the total cost of healthcare for the insured lives goes up, and hence the health insurance premium has to go up.
So yes, typically if your vendor's suppliers increase price, then your vendor will increase their price too. If your vendor has big margins and you have the ability to switch to a different vendor, then maybe the vendor will eat the cost, but health insurance is already a low margin business, so that's not likely.
By the ACA law health insurance companies have to pay out at least 80% of premiums on claims. The cost of running the company and any profit has to come out of the other 20%. 5% of billions of dollars is huge in absolute figures but as a percentage falls in line with other industries.
Only if the insurance companies form a cartel (in the economic sense). People will switch carriers to ones with lower premiums so the market forces direct costs down to parity.
Most costs are outside of insurer's control anyway, regulations prevent insurance companies from telling providers how to offer care as long as the care is medically necessary and the standard of care.
While it's true that a cartel would be the fastest way to raise prices, I don't think that not having one removes all incentive to try.
I think you're also ignoring healthcare networks. This is important for two reasons.
1. The kind of supply and demand works very well for modeling commodities, but the difference in networks means it's very hard to have two completely equivalent insurance products.
2. Insurance companies can incentivize hospitals to behave in certain ways by regularly pruning those who do not behave that way.
Also, most people get their healthcare from their employer. There's not as much ability to actually switch, unless you're so fed up that you're willing to switch jobs.
If both the insurance and the hospital earn money by raising the price, we will get what we have today, where insurance-covered procedures are more expensive than non-covered procedures.
Not if the supply of healthcare was increased (more doctors). Then they would be willing to sell their services for a lower price, and the insurance companies would be able to offer lower premiums, winning business from other insurance companies offering higher premiums.
To fix medical service affordability we need to bring down the cost of the services instead of expecting significantly more efficient insurance plans. We can’t insure away high costs. They just pass through the costs via premium and deductible increases. Even if health insurers were nonprofits that would only directly save us 5%. High deductibles encourage shopping around, but price discovery is very limited as even doctors don’t know how much a service costs. Focusing on price alone is an issue as people don’t know medicine and are unable to evaluate quality, so they end up giving five stars for having a private room or suck-up staff. What ends up happening is the not well off or frugal avoid care until there’s an undeniable problem. Others consider consuming medical services a dignity not a price and will never give up their low co-pay plans.
The only way to control costs is to increase supply or decrease demand. If they want to lower health care costs, then increase the number of residency spots so there are more doctors...or reduce the requirements to becoming a doctor. Or make it so you don't need to see who went to school until 30 years old to get a simple antibiotic for routine conjunctivitis.
Assuming no competitors exist, which they do for many health insurance situations. There would be plenty of competitors to choose from if everyone was required to choose from healthcare.gov.
Incompatible with 'already low margin' - this suggests that there isn't much more any competitor could do to offer lower prices.
Besides, I think the issue is the cost of the underlying procedures - doctors charge the maximum of what the insurance company will pay instead of what the patient would pay. There are plenty of stories where a patient is billed $100 but if they say they don't want it to go through insurance the price drops to $40 or whatever.
Another elephant in the room is that you can't pick your healthcare provider if you're unconscious. This part of the US system is little more than a scam.
If this attack results in actual loss of life, I firmly believe the US should ensure that there are real-world physical consequences for these criminals. They cannot be described as anything less than the worst humanity has to offer. A failure to respond with meaningful and severe consequences for those responsible (assuming this attack can be confidently attributed to a particular threat actor) opens the floodgates. Time to find out how seriously the US takes its own cyber doctrine.
Good God no! I get where you're coming from but you've clearly not worked in this field. Health Care IT is a disaster that was CREATED by regulation written in a different era of computing. The whole industry is terrified of making changes because of the multi-year hoops they're forced to jump through to release them; you don't flog a horse for stopping when you pull on the reins.
The correct solution is to change the flawed thinking in our regulations that treats all changes as equally hazardous to patient safety. The government should be encouraging (the right) changes to be released more quickly -- punishing companies for following the rules won't fix anything.
I think there is fault on both sides. Can’t just punish the ransomware authors.
1) Security in healthcare is a shit show. If there are lots of open exploits, there needs to be a fast way for them to get fixed and the software vendors shamed.
2) when someone discovers an exploit, they shouldn’t have to fight lawsuits. The response to security flaws should not be suppressing them but fixing them ASAP.
3) people shouldn’t have to lose lives to make a point that security is weak and you better pay up for disregarding it.
If the bad actors are halfway around the globe where they have zero jurisdiction, what can you reasonably expect US law enforcement to do? It's a bit like getting mad at police for not investigating your car getting broken into, because you left the windows cracked open.
9/11 also happened spectacularly in the middle of New York. Does that mean law enforcement tried to do something about Afghanistan? Was it the fault of airports to not do a thorough cavity search of each and every passenger?
Our life to this day in many small ways runs on a contract that others are not trying to kill us. Security check or not.
Maybe the US should also invest some of their military money to solve the situation of insecure hospital IT. You need defense, you won't win it with offense. There'll always be another bad actor out there.
The problem with this is that other bad players within the US can "hack" this attempt to blame a state/group that had nothing to do with this. It has happened in the past.
Of course; it happens all the time. False flags (in the form of routed connections and much more) are extremely common in cyberwar and among cybercriminals, naturally. But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag" [1], and mistakenly took action against the framed party? It may have happened, and I wouldn't be shocked, but I haven't actually seen a publicized case of it.
From having some knowledge of some investigations like these (though not on behalf of any government), the investigators and forensics experts are constantly asking themselves "is this a false flag? is this piece of evidence deliberately planted, or an actual mistake?" Investigators obviously want to get the right people and not get the wrong people. And in the case of nation-states, they also have classified information they can use (like from NSA global spying, etc.).
[1] (I shudder at the term "cyber" as much as anyone else reading this, but that pretty much is the official term the government uses.)
True, that's one key example. I should've clarified that I'm referring to arrests, prosecution, and imprisonment. Also, such hoaxes (and things like bomb threat hoaxes) did still happen before the popularity of the internet; they can be done from a payphone, for example. The internet definitely makes it a lot easier, though.
> But can you name a time US law enforcement or military fucked up and fell for a "cyber false flag" [1], and mistakenly took action against the framed party?
Of course. It absolutely may have happened, and if or when it has, I want those instances known. But if someone were to have been arrested wrongly, or some government blamed wrongly, this would be a huge deal, and I'd expect there to be a lot of public controversy and discussion about it.
Everyone should be subject to due process. If some organized crime ring in Ukraine is blamed for some particular ransomware attack and they get tricked into traveling somewhere that lets them be extradited and tried in a US court, the prosecution still needs to prove beyond a reasonable doubt at trial that they're the responsible party. Things get more complicated when an entire nation-state government is accused of launching ransomware attacks, but so far I think only North Korea has faced that (someone please correct me if I'm wrong), and they're kind of an outlier among all the other countries.
We should always be skeptical any time any government accuses any entity of a crime, of course. There should always be a presumption of innocence. But that's what the legal system and due process are for. The onus is on the government to prove their case.
I envy your optimistic view on this. When I look back at recent wars (including affairs with countries that are "just bombed", without military personnel on the ground), I'm not sure I can see through the same rose colored glasses.
The government alleges something that sounds terrible that would justify an invasion, both parties play along, media is pushing pro war propaganda, allies abroad go along as well. Twenty years later, still no consequences, no apologies from our politicians, and any time someone seriously considers pulling out the troops, mysteriously some dubious war story comes up that is supposed to distract us or justify the war.
I'm just as disgusted by the Iraq war as anyone, 100%. However, I do see the Iraq WMD intelligence failure/lie (depending on what one believes) cited every single time the US government says anything ever, and while in one sense they certainly deserve that skepticism for decades to come, it also happens in cases that aren't really paralleled.
During the Cuban missile crisis, US intelligence showed photographs to the world proving the existence of the missile launch pads. During the Mueller investigation, the FBI provided hundreds of pages of concrete evidence to support their claims, which was supported by all other agencies and all of private industry.
Prior to the Iraq war, US intelligence showed jack shit; they just told the public "take our word for it: Saddam has WMDs".
If there were a future situation where there was an attempt to justify a country invasion or war, I absolutely would demand the highest possible rigor.
However, I don't think that can really be compared to trying to extradite and prosecute some criminals accused of ransoming hospitals and other institutions. They're not accusing any government of being behind these ransomware attacks and I doubt they will be. The only government believed to have ever done something like that is North Korea's, but they're kind of a special circumstance and are already technically and pragmatically at war with much of the world in many ways.
I think it's not really fair to assume a priori that the US government is lying, or that they're telling the truth, when they make some accusation. Things have to be carefully evaluated on a case-by-case basis, and the concrete evidence they provide needs to be looked at impartially. If there's no public evidence besides "trust us", then I'd agree that doubt is the correct action.
Horrifying mindset that led to the disastrous war on terror in the aftermath of 9/11. Our foreign policy should not be based on an animalistic thirst for blood.
I would advise taking a deep breath first. How the f..k will you bring the "full might of military" on some group located everywhere? Invade a few countries? I sincerely hope that by now people in Congress have a little bit more of that gray matter. And what exactly does that "no mercy" mean?
So should Russia do the same? After all the US did officially declare a cyberwar against Russia. If this ends up being attributed to Russia they have a very real defence in pointing the finger at the US and saying "You started it!"
If the United States pre-emptively attacks a foreign country with a cyber attack resulting in the loss of human life, then yes, Russia or any state would be justified in retaliating. This is equally true for any such use of any weapon of mass destruction.
This is going to be a controversial suggestion, but I have a feeling that we might already be in an asymmetric world war and our leaders might quietly know it. This year has felt like checkmate.
Then we should not be so meek as to do nothing. During the Cold War, nations did not sit idly by as their adversaries developed nuclear capabilities which, make no mistake about it, targeted civilians and civilian infrastructure. Of course, we developed our own defensive capabilities but then, as now, we faced a type of threat which hugely favored the attacker. So we kept pace with the offensive capabilities of our adversaries. If China or Russia (the states themselves) is identified beyond doubt as the source of this attack, then our policy must be to retaliate in kind.
Mutually assured destruction for the cyber-age.
If it's organized criminal hackers we're dealing with, then we should treat them how we would treat any legitimate terroristic threat. I would want our intelligence agencies to reach out and touch them.
This may not be a popular point of view on Hacker News. I unfortunately cannot fathom an alternative solution.
What about management? What about the sysadmins/developers that left a security hole somewhere? Are they held responsible in some way?
It's unacceptable that this keeps happening. If you own a safe and it gets broken into every week, do you blame the safe cracker or who built the safe?
Do you blame the dev? Do you blame the HR system that hired them? How about the manager that pushed them too much? What about his manager? Is it the VP of IT's fault, even if he didn't know the technical specifics? Nothing is any one person's fault. Blame is a stupid waste of time.
At some point we will sit down and recognize that calling programmers "engineers" was a mistake. True engineers make guarantees within clearly specified limits and take on liability for those guarantees. Modern technology companies claim many things while owning little, if any, responsibility.
For starters, the whole 'NOT FIT FOR ANY PARTICULAR PURPOSE EVEN THOUGH YOU PAY FOR IT TO DO THESE SPECIFIC THINGS' contract thing needs to go die.
WRT engineering- if someone walks into a production cell and a robot swings and hits them in the head, guess who generally gets the blame in an investigation? The group that somehow didn't put safety scanners or a cell wall with door interlocks or didn't use safety-rated equipment.
There's a big difference between "guys, please get out of the way before I make the bot move" and "guys, I can't make the bot move until you're out of the way and the door is closed and latched" and worst-case scenario, that difference can be any number of human lives.
Surely things can improve, but it'll take time, dedication, and sucking it up and rewriting legacy code and probably being slower at pushing features out. (Keep in mind this isn't a universal guidebook- and should mostly be for companies that create software and infrastructure that is or can be life-critical.)
I agree, although I also think civil engineers who miss things (Elliot Lake mall collapse, for example) are mostly just scapegoats and don't deserve to shoulder so much of the blame.
This is what I was thinking with my comment. I don't like the idea of being liable for software I make. I love that the MIT license has a clause saying whatever happens to your computer is not my fault. It's comforting when you're just trying to share something.
But.. there are certain classes of software that I think should be written differently.
I feel like we made a lot of bad decisions. There should be a completely separate stack for hospitals, power plants, etc., including a custom operating system. Why is Windows running on every machine? Isn't this a national security issue at this point?
> "Why is Windows running on every machine? Isn't this a national security issue at this point?"
Because for better or worse people make their choices and who are you to tell them what to run.
Infrastructural software: sure, there should be some kind of security certification. This probably will not help much. Switches and routers are not running Windows and are still being attacked and crippled. Or consider Stuxnet.
Sometimes analogies can be misleading. It's a lot harder to design a secure hospital IT apparatus than a safe. Also, in the event of a safe getting cracked, you'd likely have no recourse against the safe vendor. Safes are designed to present a firewall against tampering, but with sufficient physical access, no safe will stand for long. So your analogy fails two ways: one is that it trivializes the difficulty of the problem you're analogizing, and the other is that even if it were a good analogy, it would cut against your argument.
> It's a lot harder to design a secure hospital IT apparatus than a safe.
Yeah I agree there.
I'm curious what the surface area could look like. What is the minimum a hospital could operate with? How locked down could things be? Anyone in healthcare care to comment?
This is truly appalling per se, even more so during a global pandemic.
If I can be of any help to stop this, disrupt these guys or whatever I'm ready to give a few of my days and nights to it.
Contact email in my about.
I'm a professional developer with a dormant interest in ethical hacking. Been following EH courses, done some CTFs ranging from basic web pen testing to crypto and assembly debugging and been reading/watching keenly everything I saw on cyber-security in the past 5-6 years.
> Public message to ransomware gangs: Stay the f away from medical organizations. If you target hospital computer systems during the pandemic, we will use all of our resources to hunt you down.
I guess it will be another "for decades we didn't care about security because no obvious short term profits, now we will have to pay a great price" moment.
The article you linked is absolutely fascinating. Because network security improvements didn't grant higher-ups "bonuses", they didn't make the slightest effort to do what engineers desperately asked.
> The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.
It is definitely not always EOL Windows; most ransomware I have seen runs on a modern OS, fully patched with up-to-date AV. It is not hard to create or distribute, or to mutate and keep active. It is not just Windows either; I have seen it for OS X and Ubuntu, even cloud services like Office 365, Dropbox, etc.
99% of the time the hole in the system is the phishing email that the employee clicks on. You will be amazed how many link clicks, redirects, warning messages and notices people will just click through because "HR" needs to verify your payroll information or other nonsense that doesn't even make sense.
That's messed up if true, but why would a ransomware operator target them? I mean like, they don't really target, they just wait for people to install something right?
Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.
Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.
Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.
It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a commonly deployed piece of software, which would allow them to skip the phishing part entirely.
I'm not experiencing any surprise that the hospitals are attacked, I know that happens, I am experiencing surprise at three government agencies hanging out in a chatroom where hackers are credibly discussing attacking a bunch of hospitals with ransomware.
My understanding is that the ransomware operators just take a look at computers that are infected, and then negotiate based on who they appear to be.
I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.
With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.
At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users' workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.
This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific company's network. They need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.
I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.
> It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]
Just pointing out that this is a little misleading. The link you're referencing refers to the first ever reported hospital death related to a hospital's ransomware attack, and this article was from just a month ago (I remember, I read it on Hacker News too). But the juxtaposition of these sentences might suggest that death-by-ransomware-in-hospitals has been a common occurrence for quite some time.
Ransomware shops don't sit passively by, waiting for someone to install a trojan. Some of them are actually outsourcing the actual penetration, according to Krebs:
the only reason that's unlikely is because the effort behind this level of conspiracy is just so unnecessary to having a viable business plan
It's like yeaaah maaaybe there is one connected and high tech operation that all the world leaders heard about in their WhatsApp groups, but my experience with "people with connections" is that they are so low tech and dumb that it's almost impossible for them to get the correct clandestine hacker group in play.
While the initial infection of a single workstation is often done by spray-and-pray phishing attacks, the common practice for modern ransomware attacks is that this is followed by a manually controlled attack by skilled teams; spreading throughout the network and servers is not done by an automated virus, it's done by controlled malware, and the encryption is manually triggered when they think that the preparations are complete to do maximum damage, backups have been disabled/corrupted, etc.
So they do target the extortion; already the decision to move on from that initial foothold will be based on the understanding of what institution it is and how much they would be willing to pay. In this case, they have intentionally targeted hospitals.
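The staged pattern this comment describes (backups tampered with first, encryption triggered by hand later) is what host-side detection should key on: the tampering step is the early warning, the rename burst is the confirmation. The following is an added example, not code from the thread or from any vendor product: a small Python correlator over constructed log lines (hostnames, event names and timestamps are all invented for the example) that marks a host as "precursor" once backup-service or shadow-copy tampering is seen and escalates it to "encryption" when a burst of file renames follows on the same host within the watch window.

```python
"""Added example (not from the thread): correlate host events into the
two-stage ransomware pattern (backup tampering, then bulk encryption).
All event names, hostnames and timestamps below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types treated as backup tampering (constructed names for the example).
TAMPER_EVENTS = {"backup_service_stopped", "shadow_copies_deleted"}
RENAME_BURST = 20                        # renames in BURST_WINDOW => encryption
BURST_WINDOW = timedelta(minutes=5)
WATCH_WINDOW = timedelta(hours=2)        # keep watching a host this long after tampering


def parse_line(line):
    """Log format (constructed): '<iso timestamp> <host> <event> <detail>'."""
    ts, host, event, detail = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, event, detail


def analyse(lines):
    """Return {host: 'precursor' | 'encryption'} for hosts with tampering events."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    tamper_at = {}                       # host -> time of first tampering event
    renames = defaultdict(list)          # host -> rename timestamps after tampering
    for ts, host, event, detail in events:
        if event in TAMPER_EVENTS:
            tamper_at.setdefault(host, ts)
        elif (event == "file_renamed" and host in tamper_at
              and ts - tamper_at[host] <= WATCH_WINDOW):
            renames[host].append(ts)

    verdicts = {}
    for host in tamper_at:
        verdicts[host] = "precursor"     # tampering alone is already worth an alert
        times = renames[host]            # sorted, because events were sorted
        j = 0
        for i, t in enumerate(times):    # sliding window over rename timestamps
            while times[j] < t - BURST_WINDOW:
                j += 1
            if i - j + 1 >= RENAME_BURST:
                verdicts[host] = "encryption"
                break
    return verdicts


def build_sample_log():
    """Constructed sample: one benign workstation, one backup server that is only
    tampered with, and one file server that is tampered with and then encrypted."""
    lines = [
        "2020-10-28T01:02:10 ws-17 process_start outlook.exe",
        "2020-10-28T02:14:03 srv-bak backup_service_stopped BackupSvc",
        "2020-10-28T02:14:09 srv-bak shadow_copies_deleted all",
        "2020-10-28T02:20:00 srv-fs1 shadow_copies_deleted all",
    ]
    base = datetime(2020, 10, 28, 2, 21, 0)
    for i in range(25):                  # 25 renames in under two minutes
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} srv-fs1 file_renamed doc{i}.docx->doc{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for host, verdict in sorted(analyse(build_sample_log()).items()):
        print(f"{host}: {verdict}")
```

The "precursor" verdict is the useful one operationally: by the time a rename burst is visible the damage is under way, whereas a shadow-copy deletion on a server that is not scheduled for maintenance gives responders a window to isolate the host before the manual trigger.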
> Thieves must be heartless to go after such desperate targets.
I mean it's the mafia, same people that traffic women and children, drugs,... profit is the motive, they don't care how. Just because they are now sitting behind a computer doesn't change their nature.
I've been in a hospital recently and they were still running Windows XP, my doctor using IE8 (because ActiveX on the intranet) and Excel... But hey, they run anti-viruses!... Public institutions absolutely need to get rid of all that ASAP.
Look up these Internet scammer videos on YouTube. These scammers are heartless. They terrorise old people when they don't comply, claim they are calling the police (on the victim for not paying fake invoices), even playing police siren sounds in the background. If they could scam a hospital they would in a heartbeat.
The smart contract would just wait for payment and the control server would watch for payments. The victim would still have to trust that this process was in place, but the operator can have it completely automated.
Doesn't actually have to be a smart contract, just any address essentially. But a smart contract could allow for many more features, not sure if you'd really want that here.
I'm imagining that "keep this value secret until payment is made" could be handled entirely on the blockchain, so that there is no C&C to shut down. But I'm not actually that familiar with the capabilities and limitations of smart contracts.
ah okay, Secrets (formerly Enigma) is a crypto-payments smart-contracts technology to look into for this. Otherwise you run into the problem of everything being stored onchain and visible or there would always have to be some oracle system that has the secret. I'm not sure if Secrets solves this use case, their main thing is storing secrets in the encrypted-key co-processors client side, but they might have other offerings.
you can write the contract and always automatically get a cut if you get people to use it, no negotiations, no contracts, no incorporation - the overhead costs to making money have never been lower
People are talking themselves out of how to use cryptocurrency and smart contracts, it's like something Plato would write.
Do all these hospitals have backups that ransomware and automation can not tamper with? Is anti-tampering a requirement in their audits, or just detection? Have any hospitals started implementing secured workstations in kiosk mode? i.e. Windows 10 LTSC with all the hardening options enabled and AD permissions locked down and treating workstations as ephemeral devices.
In that case, my proposal would be that hospital customers should be able to opt into a program that allows them to buy a thumb drive from the hospital that has their records in an encrypted file, with images exported into an open lossless standard such as PNG. What size thumb drive would most patients individual records fit onto?
I registered an account to comment because this made me laugh. One does not simply export images from medical systems. It takes a ton of effort and clicking to get patient images out of most PACS systems IF YOU ARE LUCKY. DICOM images are often high bit-depth JPEG2000 and are hard to get access to because of the way PACS systems and medical devices store data. Screen scraping DICOMs would take ages as each DICOM can have any number of slices. You don't want to lose the original bit-depth either as radiologists use contrast enhancement techniques which don't work with images encoded in 8-bits like screen scrapes. The PACS tech industry is simply painful to deal with.
That sounds challenging to deal with. What you are describing reminds me of proprietary backend banking, military systems and most internet-of-things that have custom firmware. Maybe I was hoping too much for hospitals to have pushed for more compatible standards. Do you have a theory as to why they have not evolved? Lack of vendor competition due to certification costs?
In my experience when I worked for a medical image analysis startup, some major vendors such as Philips, Siemens, and GE are developing analysis tools in house as value adds for their existing customer channels and there is no reason for them to open themselves up to competition by increasing interoperability. Hospitals are happy with waiting for your next startup idea to become a feature in their next MRI purchase from the same vendor they have had a relationship with for years.
One way I can think of to disrupt this process is partnering with a new medical device company which is accelerating sales to hospitals. Last time I had this conversation the promising ones were all Chinese, wanted investment solely for development of algorithms under Chinese jurisdiction as part of terms of investment, and carried all the usual IP theft and legal risks you can imagine. Israel has some med tech startups too but they wanted to source talent from within their country and their due diligence seemed to be more of an intelligence gathering operation.
I moved on to working in finance. I don't know what ended up happening to that startup. I left after the paychecks stopped coming.
The actors responsible are doing an all-out attack to maximize profits as US large corps and military are currently targeting their networks to prevent election tampering. These botnet networks have proven difficult to disrupt even for them. This is a profit maximization effort for them and probably one they'll do right before folding and disappearing, as the last time hospitals and police were directly targeted national governments began disappearing the perpetrators.
What'd be heartless is if the malware, such as the Ryuk ransomware in December of 2019, had a bug in it that prevented the decryption key from working and all it did was garble and trash data.
Be forewarned, a few groups deploying ransomware are on sanctions lists, which carries direct liability if you pay them. If you're the IT staff, make the CFO/CEO pay them and wash your hands of it.
InsurTechnix's founders experienced the effects of cyber attacks on multiple hospitals at our previous start up. That's one of the reasons we founded InsurTechnix.
US hospitals are ripe to attack. They make huge profits and use extremely outdated tech or use new (untested) software.
I take this opportunity to complain about regulatory capture and the medical cartels. Their constant irresponsibility (opioid epidemic, coronavirus response) affects everyone. Yet they still are paid more than any other industry.
Could this be related to repealing ACA in some way? Would information stolen help one side or the other? Or is there no connection? And how would one know anyway?
Non-American (but not ignorant of USA) wondering why this is happening now.
It's interesting that this topic was much talked about when I was working with hospitals 3-5 years ago. They've seen it coming, but have largely squandered the opportunity.
Most hospitals store their data and run systems on-prem and are hyper-allergic to anything cloud based. They often have sloppy, if extant, back-up policies, and I've never heard of a hospital practicing a restore from backups. They also all seem to have terrible policies around passwords that cause most of their staff to iterate passwords every few months by simply incrementing a number at the end. You're also quite likely to find passwords on Post-it notes under half the keyboards in a given facility.
Security certifications are kind of a joke and mostly conducted by lawyers and compliance officers who have no technical background, let alone infosec training.
TL;DR this has been a ticking time bomb for a decade and everyone involved knew it.
Why are hospital systems connected to the public internet, anyway? Wouldn't it make more sense to have all of the life-or-death stuff on its own secure network?
There is still an opportunity from the lessons learned. You can regulate your hospital systems as you regulate financial institutions and certify them. I was also thinking of a network setup on a pub-sub system separating trusted and untrusted networks using computer vision via optical sensors or camera and monitor, in an old-fashioned way, using OCR, classification or even barcode / optimized QR code: the client picks a task id and id from a queue and shows it on a device, and the server reads it via a sensor or camera. Maybe the problem is not that we lack solutions but that the systems are just old.
Several years ago the Obama admin took down the entire financial and banking sector of Russia after the iirc early signs of election tampering were shown in 2016
That's got a list of some info; my understanding is that you can take information like that and look at other attacks to start to see if there are elements in common to give you more overall information about the group possibly responsible, and how to detect the group again more quickly next time, to possibly jump in and deal with the problem before it leads to exfiltration or destruction or whatever bad thing you're trying to avoid. https://www.youtube.com/watch?v=BhjQ6zsCVSc talks a bit about how to detect UNC1878.
It sounds, specifically, like Hold Security is monitoring criminal communication and picked up a reference to this campaign ahead of the execution. Combined with the subsequent follow-through, it would be pretty straightforward to attribute the folks who said, "We're going to do this thing soon" as the folks who then ended up doing exactly that thing.
For what it's worth, I know nothing more about this than what was presented in the article.
Maybe hospitals should escrow their data with NSA.
Append only backups. Get ransomware, restore from NSA backup. Make all that storage capacity useful.
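The append-only idea in this comment, and the earlier question about whether hospitals have "backups that ransomware and automation can not tamper with", both come down to the same property: every snapshot must be committed to in a way the backup host itself cannot silently rewrite. The following is an added example, not code from the thread or from any backup product: a Python hash-chained manifest where each entry commits to the previous one, so that altering a snapshot, deleting one, or rewriting the manifest to drop the newest snapshot is detected by a verifier that holds only the latest entry hash (the "anchor") recorded out-of-band. Snapshot names and contents are constructed for the example.

```python
"""Added example (not from the thread): a tamper-evident, append-only backup
manifest built as a SHA-256 hash chain. Snapshot names and contents are
constructed for the example."""
import hashlib
import json

GENESIS = "0" * 64          # chain start marker for the first entry's "prev"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(seq: int, name: str, data_hash: str, prev: str) -> str:
    # Canonical JSON so the hash does not depend on key ordering.
    body = json.dumps({"seq": seq, "name": name, "data_hash": data_hash, "prev": prev},
                      sort_keys=True)
    return sha256_hex(body.encode())


class AppendOnlyManifest:
    """Each entry commits to the previous entry's hash, so altering, deleting or
    reordering any snapshot changes every later hash. The verifier needs only the
    latest entry hash (the anchor), which must be stored where the backup host
    cannot write: a WORM/object-lock bucket, a printout, a separate admin's log."""

    def __init__(self):
        self.entries = []

    def append(self, name: str, data: bytes) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        seq = len(self.entries)
        data_hash = sha256_hex(data)
        entry = {"seq": seq, "name": name, "data_hash": data_hash, "prev": prev,
                 "entry_hash": entry_hash(seq, name, data_hash, prev)}
        self.entries.append(entry)
        return entry["entry_hash"]       # the new anchor to record out-of-band

    def verify(self, snapshots: dict, anchor: str):
        """snapshots maps snapshot name -> bytes actually present on disk.
        Returns (ok, reason); the reason names the first problem found."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or e["entry_hash"] != entry_hash(i, e["name"], e["data_hash"], prev)):
                return False, f"manifest entry {i} altered"
            data = snapshots.get(e["name"])
            if data is None or sha256_hex(data) != e["data_hash"]:
                return False, f"snapshot {e['name']} missing or modified"
            prev = e["entry_hash"]
        if prev != anchor:
            return False, "manifest truncated or replaced"
        return True, "ok"


def demo():
    """Three scenarios on constructed snapshots; returns (clean_ok, modified_ok, truncated_ok)."""
    manifest = AppendOnlyManifest()
    snaps = {f"ehr-day{d}.tar": f"constructed records for day {d}".encode() for d in range(3)}
    anchor = GENESIS
    for name, data in snaps.items():
        anchor = manifest.append(name, data)
    clean_ok = manifest.verify(snaps, anchor)[0]

    # Scenario 2: a snapshot file on disk has been overwritten (e.g. encrypted).
    tampered = dict(snaps)
    tampered["ehr-day1.tar"] = b"\x00encrypted\x00"
    modified_ok = manifest.verify(tampered, anchor)[0]

    # Scenario 3: the manifest itself is rewritten to drop the newest snapshot.
    manifest.entries.pop()
    truncated_ok = manifest.verify(snaps, anchor)[0]
    return clean_ok, modified_ok, truncated_ok


if __name__ == "__main__":
    print(demo())
```

The chain makes tampering detectable, not impossible: an attacker with write access to the backup store can still destroy data, so the manifest belongs alongside storage-level immutability (object lock, offline media) and a regularly practiced restore, and the anchor must leave the host on every run or the verification proves nothing.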
If you run your infrastructure on a “computer” directly connected to the Internet such that it puts hospitals and power grids in danger, then maybe you're in the wrong profession.
@coldpie: ‘If you're putting the words "secure" and "computer" in the same sentence, you've already lost. There is no such thing as computer security.’
We should borrow an idea from nature and not create a monoculture. That way when a ‘computer virus’ comes along, it won't run rampant through the ecosystem.