U.S. Health Agency Suffers Cyber-Attack – Expert Reaction

The U.S. Health and Human Services Department suffered a cyber-attack on its computer system, aimed at undermining the response to the coronavirus pandemic.

Greg Wendt, Executive Director
InfoSec Expert
March 17, 2020 9:59 am

As organizations and government entities rush to adjust to a new remote work culture amid the coronavirus pandemic, they must first consider how they will effectively maintain secure user authentication and data security. After all, telecommuting means perimeter firewalls and corporate networks are not leveraged as originally intended.

What’s more, government institutions such as the HHS are key targets for cyberattacks and given that the government has many applications and systems that were written and developed 35-40 years ago, the process to modernize and transform the critical nature of data is a lengthy one and not a process that can be successfully done overnight.

As organizations rapidly transition to a telecommuting work culture and push too fast to get all employees up and running remotely, new threat vectors across the entire IT environment will arise and result in an uptick in breaches such as this one at HHS. A number of research firms, such as FireEye and Recorded Future, have already cited seeing an increase in breaches.

To remain secure, companies must layer authentication and monitor their internal as well as external systems. A dynamic security strategy would identify access from users coming from unknown networks or foreign countries, and when Multi-Factor Authentication (MFA) is applied, an organization will be able to significantly enhance its security with additional user authentication requirements – both at login and inside the application. Even if a hacker is able to gain login credentials, with MFA, they will have to go through a stepped-up challenge if they want to actually execute a business-critical transaction. In addition, anyone granted access must be monitored by location, device and context of access so that suspicious and unusual activity can be noticed and identified immediately. Furthermore, with Zero Trust, companies are able to monitor all the assets and the authentication of every user before any access is granted.

By monitoring who is accessing highly sensitive data, and by authenticating access from outside devices (VPN, phone) as well as authenticating from the inside of the IT environment, organizations can proactively prevent unauthorized access.

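The layered controls described in the comment above (MFA at login, a stepped-up challenge before business-critical transactions, and access evaluated by location, device and network context) can be expressed as a small policy function. The following is an added illustration, not code from the original page or from any of the commentators; the risk weights, thresholds, country list and action names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values; a real deployment would load these from configuration.
CRITICAL_ACTIONS = {"approve_payment", "change_bank_details", "export_records"}
HOME_COUNTRIES = {"US"}
# Risk weight per signal. Total 0 -> allow, 1-3 -> step-up challenge, 4+ -> deny.
WEIGHTS = {"foreign_country": 2, "unknown_network": 1,
           "unenrolled_device": 2, "critical_action": 2}
DENY_THRESHOLD = 4


@dataclass(frozen=True)
class AccessContext:
    user: str
    country: str           # geolocated from the source IP
    network_known: bool    # corporate VPN or known office egress
    device_enrolled: bool  # managed / enrolled device
    mfa_at_login: bool     # password plus MFA already passed at sign-in
    action: str            # the transaction the user is attempting


def risk_signals(ctx: AccessContext) -> list[str]:
    """Name every signal that makes this access unusual or high-impact."""
    signals = []
    if ctx.country not in HOME_COUNTRIES:
        signals.append("foreign_country")
    if not ctx.network_known:
        signals.append("unknown_network")
    if not ctx.device_enrolled:
        signals.append("unenrolled_device")
    if ctx.action in CRITICAL_ACTIONS:
        signals.append("critical_action")
    return signals


def decide(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return (decision, signals); decision is 'allow', 'step_up' or 'deny'."""
    if not ctx.mfa_at_login:
        # Zero trust: nothing is granted before the user is authenticated.
        return "deny", ["no_mfa_at_login"]
    signals = risk_signals(ctx)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_THRESHOLD:
        return "deny", signals
    if signals:
        # Any anomaly, or a business-critical action, triggers a second MFA challenge
        # even when the login credentials were valid.
        return "step_up", signals
    return "allow", signals


if __name__ == "__main__":
    sample = AccessContext("alice", "US", True, True, True, "approve_payment")
    print(decide(sample))  # ('step_up', ['critical_action'])
```

The returned signal list is what an access-monitoring pipeline would log so that unusual activity is visible immediately, not only blocked.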
Sam Curry, Chief Security Officer
InfoSec Expert
March 17, 2020 10:01 am

Here’s why the reported breach of the Dept of Health and Human Services is horrendous. Damage like this at this time is not “white hat” or even “grey hat.” It’s dark as dark. It’s as bad as stealing generators, gas or food in a time of natural disaster. What breaches like this do is accelerate the virus potentially by making measures and controls not reach the people that need them. That means that this could directly lead to deaths. Hacks lead to misinformation campaigns and a lot of pain for people. This breach is effectively an attack on the United States government and every citizen. DO NOT HACK FOR ANY REASON RIGHT NOW: not politics, not profit. If martial law comes down, frontier justice can be nasty.

Overall, it looks like this breach could be the result of a DDoS attack, which means the DHHS should immediately work with their ISPs to ensure redundant bandwidth. Organisations such as DHHS, CDC, WHO, NIH, etc., should also identify critical apps and assure a content delivery network to handle volume on the application layer too, if they haven’t already done so. If they have that in place and were still breached, they should reach out to their ISP and assure that they are priority 1 when attacks happen — they need to be operational more than other competing applications. And they should immediately try to understand why this breach happened to try to predict where the next attack will occur. If this was a DDoS attack, the good news is that this is a sledgehammer and this attacker (not others) probably doesn’t have any finer tools to use right now.

Kevin Bocek, VP Security Strategy & Threat Intelligence
InfoSec Expert
March 17, 2020 10:04 am

The attack on the US Health & Human Services department is a clear sign that we’ll soon face a cyber attack crisis in addition to the coronavirus pandemic. Attackers of all types – from cybercriminals seeking profits to terrorists and others seeking disruption, and even nation-states – will seek to hit their targets when they are distracted, striking when governments and businesses have their hands full with the pandemic response. Every organisation, from governments and banks to payment providers, retailers or manufacturers, must be on high alert for cyberattacks. Now is not the time to consider cybersecurity optional. While the business environment at the moment is challenging, a cyber attack can still be a knockout blow for businesses and governments not focusing on the threat.

It’s particularly worrying as the race for digital transformation, DevOps, and cloud use increases, and the automated, machine- and software-driven processes become increasingly vulnerable. We’ve seen hackers make use of persistent back doors using SSH machine identities in high-profile cases such as the attack on the Ukrainian power grid, or attackers hiding in encrypted traffic to breach Equifax because of expired TLS certificates, both of which are risks because of the cloud-based, automated, remote working world that business is adopting. Security teams need to move quickly for the visibility, intelligence, and automation needed to protect machine identities and manage these threats.

Erich Kron, Security Awareness Advocate
InfoSec Expert
March 17, 2020 10:06 am

The current situation with the COVID-19 pandemic is already stretching resources thin, and attacks such as this are unfortunately not unexpected. This is an example of the fact that we can expect cyber attacks to occur during times of heightened emotions and significant changes within the workforce, especially as commercial and government workers look at working from home. Any time there are changes like this, especially during times of heightened fear and emotions, the risks of attacks being successful greatly increase.

The U.S. government needs to prepare for these types of issues and be ready to respond quickly when they occur. In addition, the government and large social media organizations need to be prepared to respond to misinformation and false, fear-inducing posts as quickly as possible. Like it or not, social media is where a lot of Americans get their news, and these providers have a responsibility to reduce panic caused by adversaries trying to spread false information.

Adam Laub, CMO
InfoSec Expert
March 17, 2020 10:14 am

We’d like to think that in a world where everyone is effectively in the same boat, a sense of togetherness, an unwritten code of conduct, or even a sense of morality would prevent bad actors from doing bad things – even if just temporarily. This obviously is not the case and if anything should serve as a reminder to organizations that one threat hasn’t been traded for another. To the contrary, individuals and groups that prey on the weak will likely look to take advantage of this dire situation, causing more disruption to organizations already reeling from the financial distress, business disruption, and human resource nightmare the coronavirus pandemic has inflicted in just a short period of time.

What’s particularly disturbing about this latest incident at the U.S. Health and Human Services Department is that the intent of the attack appears to be driven entirely by malice, seeking only to prevent the men and women trying desperately to protect millions of American citizens from harm from doing their jobs, as well as to spread false information in order to generate more panic and uncertainty. No mention of stolen data or compromised credentials. Just DDoS-style attacks aimed at bringing down critical infrastructure. It’s among the more cowardly acts we’ve seen lately, especially when compared to the heroic efforts of scientists, doctors, nurses, law enforcement and other front-liners across the world.

Vahid Behzadan, Ph.D., Assistant Professor
InfoSec Expert
March 18, 2020 1:26 pm

It appears that a Distributed Denial of Service (DDoS) attack was launched against the HHS web infrastructure. These attacks aim to overload their targets and slow down their operational capacities. The attack occurred around the time when a disinformation campaign was started to disseminate false information about a country-wide lockdown due to COVID-19. Some have speculated that the DDoS attack might have aimed to slow down the response of HHS and CDC to this campaign. The level of sophistication involved in this attack is low, and it could have been the work of either activists or nation-state sponsored actors. Regardless of the motivations behind this attack, it serves as a warning of the potential for more sophisticated and coordinated attacks on official sources of information, which can lead to even more widespread chaos and economic damage in these fragile circumstances.

Information Security Buzz