Coronavirus-linked hacks likely as Czech hospital comes under attack

As countries around Europe enact drastic measures to try to contain the spread of the Covid-19 coronavirus, a hospital in Brno, Czechia, has been forced to cancel all planned operations and farm out acute patients to other hospitals after falling victim to a major cyber attack.

At the time of writing, according to local media reporting, the exact nature of the attack on University Hospital Brno was unknown, but it is understood that hospital staff have had to turn off IT systems, suggesting that its infrastructure may have been encrypted by ransomware.

The incident was confirmed by the Czech National Office for Cyber and Information Security (NÚKIB). In a statement on its website, a spokesperson said NÚKIB was notified about the incident on the morning of 13 March.

At present, the spokesperson said, NÚKIB cyber security specialists are working alongside police and hospital management to resolve the incident.

Hospital director Jaroslav Štěrba told Czech media that some key clinical systems were working, but the hospital had lost the ability to transfer information from these systems to its database system. He said he hoped it would be possible to quickly identify the nature of the incident and restore systems quickly.

The incident highlights the opportunistic nature of cyber criminal groups and their willingness to demonstrate utter callousness in targeting hospitals on the front line of the fight against the coronavirus.

“Healthcare workers or administrative staff are low-hanging fruit for today’s opportunistic hackers,” said Jake Olcott, vice-president of government affairs at risk management firm BitSight. “As they seek answers to important questions in a time of crisis, these employees may be susceptible to a hoax email that appears to come from a trusted government body. This is hugely problematic for healthcare companies that are already struggling to reduce cyber security risk.

“In far too many situations, healthcare companies wait until a breach or a cyber event has taken place to take action and respond to potential risk. At that point, it’s too late to do anything more than clean up the mess they’ve got into.

“Instead, they need to get one step ahead of that threat by reducing vulnerabilities in their security infrastructure and continuously monitoring it to alert them should any security gaps or risks arise.”

Ilia Kolochenko, founder and CEO of web security specialist ImmuniWeb, said that even experienced cyber security professionals could be taken in by a well-crafted phishing email that plays on fear and emotion.

“The more emotions and personal matters the attackers leverage, the more successful their campaigns will likely be,” he said. “The human factor remains the most burdensome to mitigate by technical means among the wide spectrum of organisational cyber risks, and the Covid-19 connection makes victims particularly susceptible to thoughtless actions.

“Organisations should urgently consider implementing and promulgating a clear, centralised and consistent internal process to communicate all the events and precautions related to the coronavirus pandemic. Corporate cyber security and security awareness should constitute an invaluable part of such communications, as cyber criminals are profiteering from obscurity and uncertainty.”

Up to now, as reported by Computer Weekly, most security incidents linked to the coronavirus have taken the form of online fraud and scams, disinformation and conspiracy theories, and hoax emails – phishing campaigns targeting victims with apparently legitimate information.

However, security professionals should anticipate that cyber criminals will seize the opportunity to conduct targeted and disruptive attacks as the spread of the coronavirus lays bare wider vulnerabilities in affected societies.

As an example, Marc Wilczek, chief operating officer at Link11, a supplier of cyber resilience services, said his security operations centre (SOC) had defended more than 2,860 hours of distributed denial of service (DDoS) attacks in the three weeks from 17 February to 9 March – up 30% year-on-year.

While it is not possible, or necessarily wise, to pin this uptick on the coronavirus, Wilczek said: “It highlights how vulnerable organisations are as they quickly implement large-scale remote working for their staff. Cyber criminals could try to further take advantage of the situation.”

He warned that traditional on-premise DDoS defences and load balancing technology would not necessarily adequately protect organisations with distributed workforces from large-scale DDoS attacks.

Meanwhile, Recorded Future’s Insikt threat research group claims it has identified cases of nation states appropriating the coronavirus for their own purposes.

The researchers found a .rar file purportedly containing statements on the coronavirus from the Vietnamese government being used to spread malicious executables that, when opened, communicate with command and control (C2) servers linked to Mustang Panda, a Chinese-linked advanced persistent threat (APT) group.

They also claimed that the health ministry of Iran – one of the countries that has been hit hardest to date – had advised people to download a specific Android application that was supposed to help people monitor for coronavirus symptoms, but was in fact a piece of spyware that gathers data on its target’s location and movement. Insikt alleged that the application is being distributed on a website created by the Iranian government itself.