Cyber threats in Australian healthcare sector face increase in complexity and volume, following global patterns

The Australian healthcare sector experienced an 84 percent increase in reported cyber incidents between 2019 and 2020, with 85 data breaches recorded in the first half of 2021 alone. While financial loss, operational impact, and reputational damage are all costs of cybersecurity failures for any company, a cyber-attack in healthcare carries an additional danger of patient harm. 

CI-ISAC, the country’s not-for-profit critical infrastructure cyber threat intelligence sharing organization, wrote in a Tuesday LinkedIn post that “cyber threats to the Australian healthcare and medical sector are increasing in complexity and volume. Threats to this sector are not unique to Australia alone, with Australian healthcare experiencing similar threat trends to those observed globally.”

CI-ISAC reported 137 ransomware incidents in healthcare globally in 2021, five of them in Australia. “In Victoria, in 2019, a ransomware attack reduced the services available at seven regional health service providers and led to patients being transferred to other facilities. Cybercriminals are progressively focusing their attacks on the healthcare industry while expanding their operations and raising the sophistication of their tactics, techniques, and procedures (TTPs), allowing them to launch more effective attacks,” the post added.

As one example, the organization cited ransomware spread across U.S. hospitals by exploiting outdated JBoss server software. “Instead of infecting the hospitals through routinely used staff workstations, the attacker uploaded malware on the outdated server without the victim’s knowledge. One of the hospitals impacted was Hollywood Presbyterian Facility in California. The incident caused a delay in patient treatment and ultimately required the hospital to pay $17,000 to regain access to its network and files.”

Another example is the ransomware attack on UnitingCare Queensland on April 25, 2021, one of many cyber breaches in the Australian healthcare industry. The hospital group’s internal IT systems were taken offline, forcing staff to fall back to paper-based processes. The attack was attributed to the REvil/Sodinokibi ransomware group.

CI-ISAC also noted recent Gootkit malware loader attacks on the Australian healthcare industry that abused legitimate software such as VLC Media Player. For initial access, Gootkit (also known as Gootloader) relies on search engine optimization (SEO) poisoning, or spamdexing, so that victims searching for ordinary business documents land on attacker-controlled pages. “It usually operates by compromising and abusing legitimate infrastructure and then seeding the compromised sites with popular terms. Similar to other malware of its kind, Gootkit is capable of keylogging, adversary-in-the-browser (AitB) assaults, data theft from the browser, screenshotting, and other malicious actions,” the post disclosed.

CI-ISAC noted that Russian state-sponsored cyber-espionage groups have traditionally targeted organizations directly related to Russian geopolitical and economic goals. The pharmaceutical and healthcare sectors, however, became more significant during the COVID-19 pandemic, with increased threats from Russian advanced persistent threat (APT) groups.

Both APT28 and APT29 targeted overseas clinical researchers and pharmaceutical businesses in an effort to obtain COVID-19 intellectual property.

APT28 is also tracked as Fancy Bear, Group 74, PawnStorm, Sednit, Snakemackerel, Sofacy, STRONTIUM, TG-4127, Tsar Team, and Iron Twilight. Its targets include healthcare, aerospace, defense, energy, government, military, and the media. APT28 commonly uses password spraying and brute-force attacks to compromise credentials and obtain initial access. The two look different in authentication logs: spraying tries one or two common passwords across many accounts to stay under per-account lockout thresholds, while brute force hammers a single account, so per-account lockout alone does not stop the former.
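The distinction between spraying and brute force is easiest to see as detection logic over a login log. The following Python is an added example written for this page, not code from CI-ISAC or from any product: the log line format, the sample lines, and the thresholds (5 distinct accounts for a spray, 10 attempts on one account for brute force, a 10-minute window) are assumptions chosen for illustration and would be tuned to a real environment.

```python
"""Tell password spraying apart from brute force in authentication logs.

Added example, not from the CI-ISAC post. The log format, the thresholds
and the sample lines are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
#   <ISO 8601 UTC timestamp> <OK|FAIL> user=<account> src=<source IP>
SAMPLE_LOG = """\
2023-01-17T10:00:01Z FAIL user=alice src=203.0.113.7
2023-01-17T10:00:03Z FAIL user=bob src=203.0.113.7
2023-01-17T10:00:05Z FAIL user=carol src=203.0.113.7
2023-01-17T10:00:07Z FAIL user=dave src=203.0.113.7
2023-01-17T10:00:09Z FAIL user=erin src=203.0.113.7
2023-01-17T10:00:11Z FAIL user=frank src=203.0.113.7
2023-01-17T10:00:13Z OK user=grace src=203.0.113.7
2023-01-17T10:01:00Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:02Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:04Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:06Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:08Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:10Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:12Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:14Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:16Z FAIL user=admin src=198.51.100.9
2023-01-17T10:01:18Z FAIL user=admin src=198.51.100.9
2023-01-17T10:05:00Z FAIL user=alice src=192.0.2.44
2023-01-17T10:05:30Z OK user=alice src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text, window_seconds=600, spray_min_users=5, brute_min_attempts=10):
    """Classify each source IP by its failure pattern inside a sliding window.

    Spray: many distinct accounts, few attempts each (evades per-account lockout).
    Brute force: many attempts against one account. Only sources that trip a
    rule are returned. Thresholds are illustrative assumptions.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in map(parse_line, log_text.splitlines()):
        if ev:
            ts, result, user, src = ev
            by_src[src].append((ts, result, user))

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        failures = [(ts, user) for ts, result, user in events if result == "FAIL"]
        distinct_users = max_per_user = 0
        start = 0
        for end in range(len(failures)):
            # Slide the window start so failures[start:end + 1] spans <= window.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in failures[start:end + 1]:
                per_user[user] += 1
            distinct_users = max(distinct_users, len(per_user))
            max_per_user = max(max_per_user, max(per_user.values()))

        tags = []
        if distinct_users >= spray_min_users:
            tags.append("password_spray")
        if max_per_user >= brute_min_attempts:
            tags.append("brute_force")
        if not tags:
            continue
        # A success from the same source after guessing started is the signal
        # that a guessed credential worked and initial access was obtained.
        first_fail = failures[0][0]
        success_after = any(
            result == "OK" and ts > first_fail for ts, result, _ in events
        )
        findings[src] = {
            "distinct_users": distinct_users,
            "max_per_user": max_per_user,
            "tags": tags,
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(src, info)
```

On the sample, 203.0.113.7 is tagged as a spray (six accounts, one failure each, then a success for a seventh account) and 198.51.100.9 as brute force (ten failures on `admin`), while 192.0.2.44, a user mistyping once and then logging in, trips nothing. Shrinking the window to a few seconds makes both patterns fall below threshold, which is why the window length matters as much as the counts when tuning.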

APT29 is also tracked as Cozy Bear, The Dukes, YTTRIUM, and Iron Hemlock. Its targets include healthcare, pharmaceuticals, academia, energy, finance, government, media, and technology. Incidents tied to the group include attacks on COVID-19 vaccine developers in 2020 and at least one U.S. hospital. The group was also behind the 2020 SolarWinds supply chain compromise.

Breaches are frequently reported in the healthcare industry. CI-ISAC identified several common causes: malware that steals login credentials, an insider accidentally or deliberately disclosing patient information, and lost laptops or other devices. “On the black market, Personal Health Information (PHI) is more valuable than credit card information or standard Personally Identifiable Information (PII).”

The post pointed out that cybercriminals have a greater motivation to target medical databases as a result. “PHI can sell for up to $363, whereas credit card information and other PII are only worth $1 to $2 on the black market. PHI is valuable because criminals may use it to lure victims into falling for fraud and extortion that exploits their medical issues. Additionally, it can fabricate insurance claims, enabling the purchase and selling of medical supplies,” it added.

“In an alleged coordinated cyber-attack from Russia, nearly 10 million Australians had their private health information stolen, with private medical records revealing treatments for alcoholism, drug addictions, and pregnancy terminations posted online,” the CI-ISAC wrote. “The largest private health insurance provider in Australia, Medibank, had its databases breached by a Russian ransomware group, which stole customer information from the business’ computer systems over a period of weeks. Sensitive data was made available on the dark web by hackers after Medibank declined to pay the ransom.”

Most healthcare sector entities won’t be able to share ‘machine to machine’ intelligence (automated exchange of indicators between security platforms), so an industry partner is needed as the enabler and facilitator for cyber threat intelligence (CTI) sharing and collective defense through other means. By taking on the role of trusted advisor and facilitator for the intelligence exchange, an industry organization would ensure the overall quality of information flowing through its systems and out to critical infrastructure members.

Last week, the Australian Cyber and Infrastructure Security Centre (CISC) released a risk assessment advisory for critical infrastructure focused on the healthcare and medical sector. The document covers risk in the critical infrastructure context, how to determine the criticality of assets, upstream and downstream interdependencies, understanding threats and hazards, risk controls and mitigations, and a risk assessment methodology.
