
Critical Infrastructure News

Ransomware Forces Indiana Doctors to Use Pen and Paper

An Indiana healthcare organization (HCO) has the dubious honor of becoming the first in 2018 to be forced offline by ransomware.

Hancock Health suffered the attack at around 9.30 pm last Thursday, local time, the HCO revealed in a statement yesterday.

The amount of Bitcoin demanded and the type of ransomware used are at present unknown. However, local reports at the time claimed that the entire network was affected – including 20 physician offices, wellness centers, hospitals and other facilities – forcing doctors, nurses and admin staff back to using pen and paper.

The HCO appears to have recovered remarkably quickly from the incident, presumably by restoring from backups.

Its statement continued:

“Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected. Hancock is continuing to work with national law enforcement to learn more about the incident. We plan to provide additional information to our community regarding this act soon.”

HCOs are thought to be particularly vulnerable to ransomware, given their large number of diverse endpoints and users, sometimes poor levels of cybersecurity, and the criticality of IT systems. 

Senate

Cybersecurity firm: US Senate in Russian hackers’ crosshairs

The same Russian government-aligned hackers who penetrated the Democratic Party have spent the past few months laying the groundwork for an espionage campaign against the U.S. Senate, a cybersecurity firm said Friday.

The revelation suggests the group often nicknamed Fancy Bear, whose hacking campaign scrambled the 2016 U.S. electoral contest, is still busy trying to gather the emails of America’s political elite.

“They’re still very active — in making preparations at least — to influence public opinion again,” said Feike Hacquebord, a security researcher at Trend Micro Inc., which published the report. “They are looking for information they might leak later.”

The Senate Sergeant at Arms office, which is responsible for the upper house’s security, declined to comment.

Hacquebord said he based his report on the discovery of a clutch of suspicious-looking websites dressed up to look like the U.S. Senate’s internal email system. He then cross-referenced digital fingerprints associated with those sites to ones used almost exclusively by Fancy Bear, which his Tokyo-based firm dubs “Pawn Storm.”

Trend Micro previously drew international attention when it used an identical technique to uncover a set of decoy websites apparently set up to harvest emails from the French presidential candidate Emmanuel Macron’s campaign in April 2017. The sites’ discovery was followed two months later by a still-unexplained publication of private emails from several Macron staffers in the final days of the race.

Hacquebord said the rogue Senate sites — which were set up in June and September of 2017 — matched their French counterparts.

“That is exactly the way they attacked the Macron campaign in France,” he said.

Attribution is extremely tricky in the world of cybersecurity, where hackers routinely use misdirection and red herrings to fool their adversaries. But Trend Micro, which has followed Fancy Bear for years, said there could be no doubt.

“We are 100 percent sure that it can be attributed to the Pawn Storm group,” said Rik Ferguson, one of Hacquebord’s colleagues.

Ohio man indicted for using 'Fruitfly' malware to spy on Americans

WASHINGTON (Reuters) - An Ohio man was charged in a 16-count indictment on Wednesday for allegedly using malware known as “Fruitfly” to surreptitiously record people by secretly taking over their computer cameras and microphones, the U.S. Justice Department said.

The indictment said that from 2003 through early 2017, Phillip Durachinsky, 28, collected data from thousands of computers belonging to individuals, companies, schools, a police department and the U.S. Department of Energy.

He collected a wide variety of information from computers, including bank records, photographs, people’s Internet searches and keystrokes and potentially embarrassing communications.

The malware was also designed to detect whether computer users typed words associated with pornography, allowing Durachinsky to watch and listen to them without their knowledge, the indictment said.

NSA Contractor Pleads Guilty in Embarrassing Leak Case

A former contractor for the US National Security Agency's elite hacking group has agreed to plead guilty to removing classified documents in a case that highlighted a series of disastrous leaks of top-secret NSA materials. 

Harold Martin, who reportedly worked for an NSA unit focused on hacking into target computer systems around the world, will plead guilty to one of 20 counts against him with the aim of concluding a 15-month-old case couched in deep secrecy, according to court documents filed late Wednesday. 

The indictment filed on February 8, 2017 accused Martin of hoarding an estimated 50 terabytes of NSA data and documents in his home and car over a 20-year period. The material reportedly included sensitive digital tools for hacking foreign governments' computers. 

His arrest in late 2016 followed the NSA's discovery that a batch of its hacking tools had fallen into the hands of a still-mysterious group called the Shadow Brokers, which offered them for sale online and also released some for free.

At least publicly, Martin has not been accused of responsibility for any NSA leaks.

In December, Nghia Hoang Pho, 67, a 10-year veteran of the NSA's Tailored Access Operations hacking unit, was charged with and agreed to plead guilty to one count of removing and retaining top-secret documents from the agency.

Vietnam-born Pho also had taken home highly classified NSA materials and programs.

According to The New York Times, apparent Russian hackers broke into his personal computer to steal the files, accessing them via Pho's use of Kaspersky software.

But that case also has not been linked to the Shadow Brokers theft.

Those leaks, and others from the Central Intelligence Agency, have hobbled the US spy agencies' abilities to hack into the computer systems of foreign governments and other espionage targets, according to intelligence experts.

Martin will officially submit his plea on January 22, according to court filings. He faces up to 10 years in jail and a maximum fine of $250,000.

Sentencing won't take place until the 19 other charges are resolved -- an indication that the government, while entertaining his single-count plea, is not completely satisfied that Martin's actions were harmless.

Email

Securing government email is a critical step for U.S. cybersecurity

The Department of Homeland Security issued a binding operational directive (BOD 18-01) in October, requiring all federal agencies to implement several key measures to increase the security of their email and their websites.

The website security requirements help the government catch up to what most commercial websites are already doing: use HTTPS. If you’ve seen the little “lock” icon in the corner of your browser, that means the website you’re visiting is using HTTPS: the connection is encrypted, and the browser has checked the site’s certificate against the domain in the address bar. The lock says the connection is secure, not that the site itself is trustworthy. Soon, most government websites will offer that protection, just as most commercial websites do today.

The email part of the DHS directive catapults the U.S. government into a leadership position. It requires agencies to implement email authentication through a set of DNS-published standards (SPF and, especially, Domain-based Message Authentication, Reporting and Conformance, or DMARC) that help receiving mail servers verify that a message really comes from the domain it claims to. It also requires agencies to offer STARTTLS on their mail servers, which upgrades server-to-server SMTP sessions to TLS, roughly the email counterpart of HTTPS. One caveat a practitioner should keep in mind: STARTTLS is opportunistic, so an active attacker on the path can strip the offer and force a cleartext session unless a policy mechanism such as MTA-STS or DANE is deployed alongside it.

Leadership from the government

Authentication through DMARC is the more significant component of these two email requirements, and if the U.S. government implements it in 2018, it will put it well ahead of most businesses, which have not yet begun to realize the benefits of authenticated email.

Email authentication means that whenever you receive an email, the receiving server can verify that it really does come from the organization whose domain name appears in the From field. DMARC does this by checking that the message carries an SPF- or DKIM-validated domain that matches (“aligns with”) the From domain, and by letting the domain owner publish a policy saying what receivers should do when it does not. Think of it as a certified, validated return address for the domain: it vouches for the sending organization, not for the individual person whose name appears in the message.

Unfortunately, most emails today are not subject to authentication -- and hackers know it. Emails with fake “from” addresses (spoofing, the technique behind email impersonation and phishing attacks) are by far the biggest vector hackers use to initiate cyberattacks.

It’s as simple as putting an “@USCIS.gov” address in the From: line of an email message, and Joe Cyberpunk can make it look like his email is an urgent message from U.S. Citizenship and Immigration Services. Nothing in SMTP itself checks that header; only an authentication policy published by the domain owner and enforced by the receiver does.
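To make the spoofed From: header and the DMARC check concrete, the following is an added example written for this page, not code from the article, from DHS or from any mail software. It builds a message that forges an @uscis.gov From: address and then runs a simplified DMARC evaluation over it. The DNS TXT records are constructed and held in a dictionary in place of real lookups, the organizational domain is derived with a two-label shortcut instead of the Public Suffix List, and the SPF and DKIM results are passed in as inputs because a real receiver computes them before DMARC runs.

```python
"""Simplified DMARC evaluation over a forged From: header.

Added example, not part of the original article. DNS records below are
constructed; a real receiver would resolve _dmarc.<domain> via DNS and use
the Public Suffix List for organizational-domain derivation.
"""
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed stand-ins for DNS TXT records (assumption, not live data).
DNS_TXT = {
    "_dmarc.uscis.gov": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@uscis.gov",
    "_dmarc.example.com": "v=DMARC1; p=none",
}


def build_spoofed_message() -> EmailMessage:
    """Any sender can write any From: header; SMTP does not check it."""
    msg = EmailMessage()
    msg["From"] = "USCIS Alerts <no-reply@uscis.gov>"   # forged domain
    msg["To"] = "victim@example.net"                     # constructed recipient
    msg["Subject"] = "Urgent: action required on your case"
    msg.set_content("Click the link below to avoid delays.")
    return msg


def from_domain_of(msg: EmailMessage) -> str:
    """Domain of the RFC 5322 From: header, the identifier DMARC protects."""
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower()


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' and apply DMARC defaults (relaxed alignment)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels (shortcut; real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') is exact match, relaxed ('r') is same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_dmarc(from_domain: str) -> Optional[dict]:
    """Fetch the policy for the From domain, falling back to its organizational domain."""
    for d in (from_domain, org_domain(from_domain)):
        rec = DNS_TXT.get(f"_dmarc.{d}".lower())
        if rec and rec.lower().startswith("v=dmarc1"):
            return parse_dmarc(rec)
    return None


def evaluate(from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> dict:
    """DMARC result plus the disposition the domain's policy requests.

    spf_domain is the envelope (MAIL FROM) domain SPF authenticated;
    dkim_domain is the d= tag of a DKIM signature that verified.
    """
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "reason": "aligned identifier"}
    return {"result": "fail", "disposition": policy.get("p", "none"),
            "reason": "no aligned SPF or DKIM identifier"}


if __name__ == "__main__":
    forged = build_spoofed_message()
    # The attacker's own server passes SPF for attacker.example, but that
    # domain does not align with uscis.gov, so the p=reject policy applies.
    print(evaluate(from_domain_of(forged), "pass", "attacker.example", "none", ""))
```

The interesting cases are the last two branches of evaluate: a forged @uscis.gov message sent from a server that legitimately passes SPF for the attacker’s own domain still fails DMARC because the authenticated domain does not align with the From domain, whereas the same forgery against a domain that publishes only p=none (or no record at all) fails authentication without any instruction to reject, which is exactly why the directive’s push toward an enforcing policy matters.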

You might think few people would fall for such a scam, but they do -- all the time. Studies have shown that 56 percent of people click on links in email messages from unknown senders, even after they’ve been taught about the risks. And these are stats for unknown senders, not senders posing as a known government agency, such as the IRS — which phishers frequently impersonate.