January 2024 Case Study
Digijaks Group Response to 2023 Russian Cyberattack on a U.S. Based Plastic Surgery Center
Comprehensive Case Study: Coordinated Cybersecurity Incident in Plastic Surgery Centers
Background:
Digijaks Group, the incident response firm engaged as subject matter expert, led the response to a sophisticated cyber-attack targeting U.S. based plastic surgery centers, their doctors and their patients. The attackers, a hacking crew associated with the Russian government, operated from a network of anonymized servers in Eastern Europe. Those servers were tied to Proton Mail accounts and to WhatsApp accounts registered with fake phone numbers, which points to a high level of operational discipline and international coordination. The attack combined three methods: a. social engineering; b. malware delivery and data exfiltration; and c. additional research on the victims. Together these allowed the attackers to run a multi-tiered blackmail and extortion campaign against surgery centers, doctors and patients simultaneously.
Incident Overview:
Phase 1 – Spoofed Phishing Attack:
Using spoofed phone numbers and spoofed sender email addresses, the attackers launched phishing attacks against plastic surgery offices. The primary aim was to get a foothold on the office network and deploy malware, combined with social engineering, in order to exfiltrate large volumes of data, ultimately compromising electronic protected health information (ePHI) together with patient photographs and videos.
Phase 2 – Data Enhancement:
After gaining access, the attackers used open-source intelligence gathering and further social engineering to enrich the harvested ePHI. The resulting profiles combined personal details with photographs of individual plastic surgery patients. In this particular case it is also possible that an insider (an insider threat) assisted the crew, acting as a "shot-caller" who identified the patients most susceptible to blackmail and extortion.
Phase 3 – Extortion:
Through multiple channels, including social media, email, text messages and messaging apps, the attackers demanded ransom payments from both the plastic surgeons and the patients. Threats to publish the stolen material, backed by the creation of public-facing websites, increased the pressure on victims to pay.
Obfuscation Technique:
During the attack, the attackers hid their activity behind the file name "OneApp.IGCC.WinService", a legitimate process name (OneApp.IGCC.WinService.exe is the Intel Graphics Command Center service present on many Windows machines with Intel graphics drivers), and used it to mask more than 4,000 privilege-escalation actions within the network. Borrowing the name of a real, routinely running service to hide another process demonstrated the attackers' adaptability and is comparable to the process-name hiding used by the Mirai botnet. The practical lesson is that a file name alone proves nothing; the binary's path, signature, parent process and launch frequency have to be checked against the host's normal baseline.
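The detection logic a responder would run over endpoint telemetry for this kind of masquerade, as an added example that is not Digijaks Group's code or tooling from the incident. It takes process-creation records shaped like Sysmon Event ID 1 fields (Image, ParentImage, IntegrityLevel, UtcTime, Computer) and flags three things: the masqueraded name running from a directory other than its expected install location, the masqueraded name spawned by a mail client, Office application or script host, and a burst of elevated launches within a short window. The expected install directory prefix, the list of suspicious parents, the burst window and the threshold are all assumptions to be tuned to the environment; the event records are constructed sample data, not telemetry from the case.

```python
"""Process-name masquerade detection over Sysmon-style process-creation events.

Added example, not Digijaks Group code. Allowlisted directory, suspicious
parents and burst threshold are assumptions; sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

MASQUERADED_NAME = "OneApp.IGCC.WinService.exe"

# Assumption: the legitimate Intel Graphics Command Center service is installed
# as a Store package under WindowsApps. Replace with your fleet's baseline path.
EXPECTED_DIR_PREFIXES = (
    r"C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience",
)

# Assumption: a graphics service should never be launched by these parents.
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe",
                      "powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 50  # assumption: tune to the host's normal restart rate


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_expected_dir(image: str) -> bool:
    parent_dir = str(PureWindowsPath(image).parent).lower()
    return any(parent_dir.startswith(p.lower()) for p in EXPECTED_DIR_PREFIXES)


def analyze(events):
    """Return (rule, host, detail) findings for the masqueraded process name."""
    findings = []
    elevated_runs = defaultdict(list)  # host -> timestamps of elevated launches
    for ev in events:
        if _basename(ev["Image"]) != MASQUERADED_NAME.lower():
            continue
        host = ev["Computer"]
        if not _in_expected_dir(ev["Image"]):
            findings.append(("path_mismatch", host, ev["Image"]))
        if _basename(ev["ParentImage"]) in SUSPICIOUS_PARENTS:
            findings.append(("suspicious_parent", host, ev["ParentImage"]))
        if ev["IntegrityLevel"] in ("High", "System"):
            elevated_runs[host].append(datetime.fromisoformat(ev["UtcTime"]))
    # Sliding window over elevated launches: one finding per host that exceeds it.
    for host, times in elevated_runs.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append(("elevation_burst", host,
                                 f"{end - start + 1} elevated launches within {BURST_WINDOW}"))
                break
    return findings


def sample_events():
    """Constructed sample telemetry: one legitimate launch, one dropped copy
    spawned by Outlook, then a burst of self-spawned elevated launches."""
    base = datetime(2023, 9, 4, 14, 0, 0)
    temp_copy = r"C:\Users\reception\AppData\Local\Temp\OneApp.IGCC.WinService.exe"
    events = [
        {"Computer": "FRONTDESK-01", "UtcTime": base.isoformat(),
         "Image": r"C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.0.0_x64__8j3eq9eme6ctt\OneApp.IGCC.WinService.exe",
         "ParentImage": r"C:\Windows\System32\services.exe", "IntegrityLevel": "System"},
        {"Computer": "FRONTDESK-01", "UtcTime": (base + timedelta(minutes=1)).isoformat(),
         "Image": temp_copy,
         "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "IntegrityLevel": "Medium"},
    ]
    for i in range(60):
        events.append({"Computer": "FRONTDESK-01",
                       "UtcTime": (base + timedelta(minutes=2, seconds=5 * i)).isoformat(),
                       "Image": temp_copy, "ParentImage": temp_copy,
                       "IntegrityLevel": "High"})
    return events


if __name__ == "__main__":
    for rule, host, detail in analyze(sample_events()):
        print(f"{host}\t{rule}\t{detail}")
```

The legitimate launch from the Store package directory produces no finding; every launch of the copy dropped in the receptionist's Temp directory is flagged on path alone, the Outlook parent is flagged once, and the run of elevated self-spawns trips the burst rule once per host. Feed it the exported Sysmon or EDR process-creation events for the suspect hosts and the three rules separate the real service from the impostor that shares its name.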
Social Engineering and Malware Delivery:
A further layer of the attack was sophisticated social engineering by phone. Calls from masked numbers, with the callers posing as relatives of patients, were made before any public release of information and before any data was known to have been exfiltrated. The same kind of calls continued after the data was released, often from callers claiming to be someone other than the patient, and often before that patient's information had actually been published. In parallel, the attackers posed as a plastic surgery board to collect staff email addresses and to deliver the initial malware payload through a receptionist's email.
Timeline of Attack Stages:
– Initial malware payload delivery via the receptionist’s email.
– Dormant malware for approximately one month.
– Activation prompted by another email, likely disguised as legitimate.
– Privilege escalation, masked by the process-name obfuscation described above, enabling deeper network access.
– Exfiltration of sensitive data.
– Commencement of full-scale social engineering and ransom attacks 16 days later.
Additional Insights:
A. The attackers spent at least six weeks inside the network conducting reconnaissance and exfiltrating data before contacting the victim doctor directly with a ransom demand.
B. The hackers targeted patients directly by posting sensitive Personally Identifiable Information (PII) and pictures from pre and post-operation procedures on a dedicated website. This site was designed to extort cryptocurrency-based ransoms from patients while simultaneously cross-extorting patients against the doctors.
C. Notably, the attackers did not lock the victim doctor out of the network. Instead they quietly exfiltrated the majority of the patient records and reused them on external extortion websites, a deliberate choice that delayed detection and maximized the leverage of the stolen data.
Extended Intrusion:
The attackers did not stop at patient data. They also took personal information and pictures from the doctor's cell phone and/or laptops and folded details about the doctor into the material used for blackmail and extortion.
Financial Implications:
Because civil penalties for HIPAA violations are assessed per violation, and a continuing violation can be counted for each affected patient record and each day it persists, the financial exposure from an attack of this kind is substantial. Penalties can quickly reach millions of dollars when both federal and state regulators are involved. This does not include the cost of legal representation, nor the burden on insurers when the victim is insured.
Digijaks Group’s Response:
Engaged as the incident responder, Digijaks Group, LLC, executed a meticulous response strategy. This encompassed immediate containment, forensic analysis, and collaboration with law enforcement agencies. The firm also played a pivotal role in assisting the affected plastic surgery centers in implementing robust security measures to mitigate future incidents.
Outcome and Lessons Learned:
The collaborative effort between Digijaks Group and the affected entities led to the successful containment of the incident. The case underlines the need for stronger cybersecurity measures in the healthcare sector, particularly in plastic surgery centers, which hold unusually sensitive patient images and operate under continuous HIPAA obligations.
This comprehensive case study serves as a stark reminder of the evolving tactics employed by cybercriminals, underscoring the global imperative for collaboration and proactive cybersecurity measures in safeguarding sensitive healthcare information. The financial ramifications of HIPAA violations further underscore the critical need for comprehensive security strategies in the face of sophisticated cyber threats.

