Evil Corp should be considered a ‘significant threat’ to health sector based on several factors, HC3 discloses

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) released a threat profile on Evil Corp stating that the cybercriminal group should be considered a significant threat to the nation’s health sector based on several factors. The gang, also tracked as UNC2165, GOLD DRAKE, and Indrik Spider, has been identified as a Russian cybercriminal syndicate operating since 2009.

“Ransomware is one of their primary modus operandis as they have developed and maintained many strains. Many ransomware operators have found the health sector to be an enticing target as, due to the nature of their operations, they are likely to pay some form of ransom to restore operations,” the HC3 said in its brief on Monday. “Healthcare organizations are particularly susceptible to data theft as personal health information (PHI) is often sold on the dark web to those looking to leverage it for fraudulent purposes.” 

There is speculation that Evil Corp is a front organization for Russian intelligence. Still, it should be noted that they have stolen large sums of money from their victims over their history of operations, the brief said. “They are known to cooperate with Russian intelligence agencies, including but not necessarily limited to the FSB. While this doesn’t make them unique, the extent to which their activities are driven by both personal greed and a state political agenda gives them one of the widest array of potential motivations of all the major cyber threat actors in the world,” it added.

Evil Corp is a cybercriminal gang that has been ‘exceptionally aggressive and capable in their more than a decade of global hacking operations.’ It is also known for its development and operation of Dridex (related to Cridex and Bugat), a multi-functional malware variant capable of impacting the confidentiality and availability of protected data and systems directly related to business operations, including banking and healthcare information.

The Department of Homeland Security (DHS) called Dridex ‘one of the most prevalent financial Trojans.’ Evil Corp is also known for developing and operating Zeus and several of its major variants, as well as several prevalent ransomware variants, such as DoppelPaymer, Hades, PhoenixLocker, and WastedLocker.

Evil Corp is primarily a financially motivated cybercriminal group, which often manifests itself in the form of digital extortion, such as ransomware attacks and cyberattacks that facilitate sensitive information theft – financial or otherwise – which can then be sold on the dark web for a profit. The U.S. government indicted the Evil Corp gang members and has an active bounty offered for information on their leadership. However, Evil Corp has been observed modifying its activities to circumvent U.S. federal government actions to stop them. 

The HC3 said that foreign governments often find it more cost-effective to steal research and intellectual property via data exfiltration cyberattacks rather than invest time and money into conducting research themselves. “This includes intellectual property related to the health sector. It is entirely plausible that Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector using such means at the behest of the Russian government,” it added. 

“However, where Evil Corp distinguishes themselves from many other threat actors is how they blur the proverbial lines between cybercriminals and state-sponsored activities,” the HC3 said in its brief.

The HC3 said that the Evil Corp group has operated many prominent malware and ransomware variants over its history, and as such, the list of tactics, techniques and procedures (TTPs) it leverages is wide. The group has various technical capabilities at its disposal due to both its in-house capabilities and its relationships with other cybercriminal groups. It often leverages the very common tactic of phishing, as well as legitimate security tools and living-off-the-land techniques.

Evil Corp has also been known to use other commodity malware variants, as well as publicly available tools, in its attacks, including Cobalt Strike, Covenant, Donut, Koadic, Mimikatz, and PowerShell Empire.

“Evil Corp has strong and enduring relationships with many of the most capable and notorious cybercriminal gangs around the world. These malware and ransomware operators include Doppel Spider, Wizard Spider, Mummy Spider – all suspected to have members primarily in Russia but also the Commonwealth of Independent States,” the HC3 said. “In addition to Evil Corp’s in-house cyber weapon arsenal, they also by virtue of these relationships have access to prolific malware variants such as Trickbot and Emotet, as well as major ransomware operations such as Ryuk. These relationships, along with Evil Corp’s in-house capabilities make them one of the world’s most powerful criminal gangs.” 

It added that many of these groups and malware variants have been known to aggressively target the U.S. health sector.

The HC3 threat profile brief said that Evil Corp does not appear to have any geographic limitations on its targeting. Like many financially motivated cybercriminals, they are ostensibly motivated to attack targets of opportunity. They have been known to target larger organizations with deeper pockets in big game hunting. Geographically, however, they tend to attack targets in the U.S. and Europe. By sector, they target finance, government, healthcare, media, transportation, manufacturing, non-profits, technology, and education.

“One of their more well-known attacks against the health sector was the compromise of several Scottish hospitals that are a part of the NHS Lanarkshire board in 2017 with the use of BitPaymer ransomware,” the HC3 said. It added that the United Kingdom’s National Crime Agency (NCA) and Metropolitan Police Service arrested multiple individuals who contributed to Evil Corp’s activities.

The threat profile comes close on the heels of an analyst note released last week by the HC3 on at least four attacks by the Karakurt ransomware group affecting the nation’s healthcare and public health sector since June. The observed attacks have affected an assisted living facility, a dental firm, a healthcare provider, and a hospital, with the hacker group gaining access to files containing patient names, addresses, social security numbers, dates of birth, medical history information, medical diagnosis information, treatment information, medical record numbers, and health insurance information.

There have been numerous ransomware attacks targeting the critical infrastructure sector. Earlier this month, the Russia-based Cl0p ransomware group breached systems at the U.K. water supply company South Staffordshire.

Following that, there were reports of Greek natural gas operator DESFA saying that it suffered a ‘limited scope data breach and IT system outage following a cyberattack.’ In a public statement shared with local news outlets about a week earlier, DESFA explained that hackers attempted to infiltrate its network but were thwarted by the quick response of its IT team.

The HC3 brief said it is not practical to lay out a comprehensive list of defense and mitigation recommendations and data for a group such as Evil Corp, which continually develops a wide array of custom capabilities. 
