Last October, the information technology (IT) department at the University of Vermont Medical Center (UVM) began receiving reports of malfunctioning computer systems across its network. Employees reported they were having trouble logging into business and clinical applications. Some reported the systems were not working at all. Within a few hours, the IT department began to suspect the hospital was experiencing a cyberattack. At that time, the possibility was very much a reality to the IT team, as several other major US hospital networks and even international hospital, fell victim to cyberattacks earlier last fall.
Immediately, UVM cut all Internet connection to the network to protect what data it could. Soon after, the department discovered a text file on a network computer, apparently left by the hackers. “It basically said, ‘We encrypted your data, if you wanna get the key to un-encrypt it, contact us,’” explained the senior VP of network information technology at the medical center. “There was no specific ransom note, no specific dollar amount or anything like that, it was just, ‘here’s how you contact us.’ ”
The department immediately contacted the FBI and opted not to reach out to the attackers. “Even if you contact them, even if you pay them, you have no guarantee they’re gonna deliver anything,” UVM IT said. Over the ensuing weeks, UVM Medical Center worked closely with the FBI to investigate the source of the attack while the hospital operated without access to most of its data for several weeks. “Of course, we have standard procedures for if systems go down, but being down for two to three weeks is beyond what we ever expect. It was stressful for people.” The attack cost the hospital between $40 million and $50 million, mostly in lost revenue.[1]
Yet many theorize, it could have been worse. “While it was a significant inconvenience and a big financial hit, the fact that no data was breached was huge.” When the cyberattack was discovered, hospital officials feared patient data could have been stolen. Things like Social Security numbers, insurance information, and medical records were all on the line. This very valuable data for a cyber-criminal. Often, in cases like this, cybercriminals steal data and sell it on the dark web forums to make a profit, or hold it for ransom and then demanding large sums of money in exchange for encrypted data.
This past week, the hospital (which is a teaching hospital) revealed for the first time how the attack was carried out. UVM IT explained that an employee took a corporate laptop on vacation last fall and opened a personal email from their local homeowners association. “It was a legitimate email from a legitimate company. Unfortunately, that company had been hacked.”
When the email was opened, cybercriminals deposited malware onto the laptop. A few days later, when the employee returned to work and connected to the UVM Medical Center network, attackers were able to use that malware to launch the network-wide attack. An innocent mistake that caused huge ramifications.
The IT team characterized it as a “phishing attempt,” saying attackers were likely going after whoever they could. “It certainly didn’t seem like they were specifically targeting us; we just got caught up in a broader attack,” they explained. The employee faced no disciplinary action as it was clearly a mistake. It was clearly an accident that the malware made its way onto the computer. “It could have happened to anyone.” Or should it? Training, training, training – is so important.
Since the attack, UVM Medical Center has taken steps to combat future similar attacks. The IT department now sends out regular simulated phishing emails to employees in order to heighten awareness around the risk of phishing. If an employee clicks on it, the department provides immediate feedback to help them identify real phishing emails in the future.
The department has also blocked access to personal email on all work computers, installed anti-virus response software and advanced firewall protection, and restricted access to the corporate network. The FBI told medical center officials the attack was likely carried out by a cyber-criminal gang that it had been aware of for some time. “The motive here was clearly money [and] nothing else.”
A quick check of our dark web collection for the UVM domain through our CTAC tool, indicated 9 compromised emails and passwords seen prior to the UVM hack in last October 2020. An attacker can use any one of these accounts to gain employee-level access to the network giving them the ability to download and spread malware. A proactive approach to cybersecurity is the key to preventing cyber attacks and significantly limiting any loss that may occur if an attack does take place. There is additional threat data in RedXray, between April-May 2021, indicating a spike in malicious activity associated with the organization around that time frame.
At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis. And we are always available to help and support your needs.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
[1] https://vtdigger.org/2021/07/21/malware-on-employees-company-computer-led-to-cyber-attack-on-uvm-medical-center/
Comments