State-sponsored North Korean hackers have been targeting healthcare providers since at least May 2021, according to the US government. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury have issued a joint advisory warning healthcare organizations about the attackers' MO. Apparently, they've been using a ransomware called Maui to encrypt healthcare organizations' computers and then demanding payment from the victims to get their networks unlocked. The agencies' warning contains information about Maui, including its indicators of compromise and the techniques the bad actors use, which they got from a sample obtained by the FBI.
The agencies said the attackers locked up healthcare providers' electronic health records services, diagnostics services, imaging services and intranet services, among others. In some cases, the attacks kept the providers out of their systems and disrupted the services they provide for prolonged periods.
According to the agencies' advisory, the malware is manually executed by a remote actor once it's in the victim's network. They "highly discourage" paying ransom, since that doesn't ensure that the bad actors will give victims the keys to unlock their files. However, the agencies admit that the attackers will most likely continue targeting organizations in the healthcare sector. "The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health," they said.
The agencies are now urging healthcare providers to employ mitigation techniques and to prepare for possible ransomware attacks by installing software updates, maintaining offline backups of data and concocting a basic cyber incident response plan. For those wondering what happens to the funds North Korea gets from operations like this: Earlier this year, a United Nations report revealed that the country has been using cryptocurrency stolen by state-sponsored hackers to fund its nuclear and ballistic missile programs.
Healthcare providers have been a prime target for ransomware-using bad actors for quite a while now, especially since the pandemic started. In 2020, FBI and CISA issued a joint advisory warning hospitals and healthcare providers that they're in danger of being targeted by a ransomware attack. Russian-speaking criminal gang UNC1878 and other attackers targeted healthcare organizations in the height of the pandemic, giving some victims no choice but to comply with their demands as they struggled to save people's lives.