BreachExchange mailing list archives
Computer systems at UK and UK HealthCare hobbled by massive, month-long cyber attack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 10 Mar 2020 09:07:45 -0500
https://www.kentucky.com/news/local/education/article240970221.html

The University of Kentucky and UK HealthCare conducted a major reboot of their computer systems early Sunday morning in an effort to end a month-long cyber attack that university officials say is the most substantial cyber intrusion in university history.

The unidentified “threat actors” infiltrated Kentucky’s largest university system in early February from somewhere outside the United States and installed malware that utilized UK’s vast processing capabilities to mine cryptocurrency, such as Bitcoin, said Eric Monday, UK’s executive vice president for finance and administration.

The protracted intrusion, which the university believes it resolved early Sunday morning during a campus-wide network outage, has repeatedly caused a slowing or temporary failure of computer systems used by students and employees, an effect that was likely “most acute” on the health care side, said university spokesman Jay Blanton.

Blanton insisted that “patient safety [and] access to care was never compromised,” but day-to-day functions were likely interrupted, even repeatedly.

There is “no evidence” that “any personal health information or any other sensitive data was downloaded or accessed,” Monday said, meaning there’s no need to offer credit monitoring or other protections to faculty, staff, students or patients, he said.

UK HealthCare, which includes UK Chandler Hospital and Good Samaritan Hospital in Lexington, has close to 2 million registered patients.
When asked whether any private information of the university’s students, faculty and patients was vulnerable at any point, Monday said it was “hard to determine,” but that the “risk to people’s information is much lower today than it was a month ago.”

UK Chandler Hospital is housing in isolation Kentucky’s first confirmed patient with novel coronavirus, or COVID-19, but Blanton said officials “don’t anticipate” the cyber attack will have any impact on that patient’s care.

The attack did not escalate to include the installation of ransomware — where attackers essentially lock a system’s information until a ransom is paid to the hacker — but costs to harden network security and eject the hacker are already upwards of $1.5 million, Blanton said.

Included in that cost is the internal investigation UK launched with the help of an outside forensic firm, consultations with cybersecurity experts, and the installation of CrowdStrike security software to protect against future attacks.

These types of costly attacks, which often target private and public entities, including cities, schools, and hospitals, have become more common in recent years. In 2019, more than 205,000 organizations admitted their files had been hacked with ransomware, according to The New York Times.

Park DuValle Community Health Center in Louisville paid cyberattackers $70,000 last year to unlock patient medical records.

Monday said UK’s system is pinged daily, sometimes every few minutes, by attackers trying to penetrate the system, and most fail.

The set of sophisticated hackers who have been in UK’s system since early February entered through a university server outside UK HealthCare, he said.

UK and other large organizations with vast computer systems are particularly appealing venues for hackers intent on mining large volumes of cryptocurrency because of their system’s powerful processing capabilities, said University of Louisville Associate Professor of Computer Science and Engineering Dr. Adrian Lauf.

Mining cryptocurrency is an extraordinarily complicated process that involves validating other people’s transactions with sophisticated computing power and then adding them to the blockchain — the long, public list of all transactions. In exchange, people are paid with cryptocurrency.

The value of cryptoassets is “not all that high,” unless, for example, a hacker can infiltrate a large processing system to mine cryptocurrency, in which case it increases one’s “prospects of getting a return on your investment,” Lauf said.

But even at that scale, the return for mining cryptocurrency is nowhere near the value of patient health information, which is why Lauf said he was “surprised that, given the value of [public health information], it was not taken.”

“It’s like breaking into a bank to go steal something from the vending machine,” he said.

Mining at that scale takes up tremendous amounts of network bandwidth, clogging normal network functions and slowing down the overall functionality of the processing system.

The university’s remediation efforts culminated early Sunday morning, when UK information technology services powered down the entire system and severed Internet access in order to kick the attackers out and further harden the system against anyone who tries to reenter.

Blanton said in a statement that the process, which took about three hours, was successful in “mitigating the existing cyber threat,” and that the university “will continue to power on systems and monitor them throughout the morning.”

University officials described the system darkening as “widespread technical maintenance” in an internal email sent to students, faculty and staff Saturday night.

UK President Eli Capilouto, in a Sunday morning email to students, faculty and staff, said “it was necessary to limit the information provided” about the network outage overnight until it was clear the system reboot was complete.
The university and its cybersecurity partners are “confident in our response,” Capilouto said, adding, “as always, the security of our community will remain our top priority.”