As if a global pandemic, international lockdowns, an increasing number of infected and affected people and the sadness and grief of people losing loved ones isn’t bad enough, cybercriminals are also out in force.
Foreign cybercriminals are attacking Australian aged and health care providers, with ransomware a common tool of choice.
Last week, the ACSC announced;
“The Australian Cyber Security Centre (ACSC) is aware of recent ransomware campaigns targeting the aged care and healthcare sectors. Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks. This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.”
Regis Healthcare had just been attacked with a ransomware infection known as ‘Maze’. Ransomware typically steals data from the target, encrypts that data inside the targets own systems, rendering it unusable, and the victim unable to stay in operation, then demands a ransom to unlock the stolen data. Good backups can save the victim, restoring business as usual and avoiding paying the ransom. So, the criminals have added another string to their bow, publishing the stolen data, in part, to encourage the ransom payment.
In this case, Regis Healthcare stated it had been targeted in a cyberattack by a foreign third party, who then demanded a ransom and subsequently released stolen data on the internet. Data which may include residential care and accommodation agreements of one of its 50 aged care facilities.
Sadly, this might have all been prevented. The ability to know about these threats and protect yourself from them is challenging for large and well-funded organisations, next to impossible for the SMEs. It is a core competency of Red Piranha, who has designed from the ground up, a system to protect its customers of all sizes through its MSP partner network. Regis Healthcare, alone, could not reasonably be expected to have the defences you might perhaps expect from a large corporation, any more than Red Piranha could be expected to provide aged care services. Together, though, these attackers would have been just one more fly on the windscreen.
In the case, Red Piranha became aware of the Maze threat back in May through its international threat sharing system with globally trusted partners. Red Piranhas security appliances were updated with the defences, and in May, its customers were protected. The attack on Regis Healthcare occurred in July.
Red Piranha’s systems extend this protection to its customers largely through its range of security appliances known as Crystal Eye. It acts as the focal point for the multitude of threat intelligence information, analysis of customer network traffic, scanning of servers, the origin of potential attackers and awareness of the latest more human-based attacks, such as phishing. Understanding where attacks originate and where customer’s information goes is essential in a world where it is “in the cloud”. But where, exactly is the cloud?
In the backdrop of heightened international tensions, customers are asking, where is my information residing and who has access? This has led to the data sovereignty debate.
Australian based and owned Red Piranha makes its own security appliances, runs its own operating system, and has its Security Operations Centre based in Australia. The range of Crystal Eye appliances scale to the increasing magnitude of threats and the increasing bandwidth and speed of networks, by using state of the art processing power, typically three or four generations ahead of its competitors.
What often happens in a situation such as Regis Healthcare, is the security appliances simply don’t “know” enough to provide protection, or are underpowered for processing the situation in real-time, including informing the AI engines capable of not just detecting but blocking the attack. Perhaps there was not a robust automated system in place to respond, both automated and human. Regis Healthcare has not said what led to this calamity, but they are not by any means, the first to face this. Or the last.
What questions should a Regis Healthcare, or any other organisation for that matter, ask, before choosing a security partner, whether that be an MSP, a vendor, or a cloud service provider, before entrusting their business to them?
- Do you have continuous access to globally obtained threat information as part of a trusted international consortium?
- Do your systems automatically update based on this international initiative? Currently, around 25 million updates per day.
- Do you have a local Australian based team of experts who rapidly respond when inevitably a breach occurs, from a foreign actor or an insider?
- Are your appliances using processing platforms that are no more than one or two generations old? In the Intel world, Generation 9 and 10 are current.
- Can you tell me where all of my data that you can access, is stored and who has access?
- Are you ISO 27001 or IRAP (Australian Dept of Defence) certified? This is a minimum requirement to assure me that your people, processes, and policies are secure.
- When did you first become aware of Maze?
If Regis Healthcare had asked those questions and received satisfactory answers, then they should be now be asking how this attack was permitted to succeed. They, no doubt, are. Something doesn’t smell right in the kitchen.
This is bigger than Regis Healthcare. Maze is simply a tool, and in the cyber world, an old one at that. Tomorrow, we will wake up to a dozen new scenarios.
The pandemic is horrible and painful and destroying people’s lives. It is hard not to draw the parallels. Both evolve. Defence is always playing catch up. Indeed, cyber attackers are leveraging on the pandemic, using people’s fear, targeting health care, government, and infrastructure. It is a war, be prepared and be well defended.
As the old wisdom says, trust, yet verify.