Russian Cybersecurity Threats / en / Mon, 28 Apr 2025 03:12:19 -0500 / Wed, 20 Nov 2024 14:59:16 -0600

DOJ: Russian national charged with cybercrimes for ransomware attacks on hospitals, other entities
/news/headline/2024-11-20-doj-russian-national-charged-cybercrimes-ransomware-attacks-hospitals-other-entities
<p>The Department of Justice Nov. 18 <a href="https://www.justice.gov/opa/pr/phobos-ransomware-administrator-extradited-south-korea-face-cybercrime-charges">announced</a> criminal charges against Evgenii Ptitsyn, a Russian national, for allegedly administering the sale, distribution and operation of Phobos ransomware. The ransomware group targeted more than 1,000 public and private entities globally, extorting ransom payments of more than $16 million, according to the DOJ. Phobos is accused of hacking into hospitals, schools and nonprofits, among other entities.<br><br>Ptitsyn and co-conspirators are accused of developing Phobos ransomware and offering it to criminal affiliates who would use it to encrypt victims' data and extort payments in exchange for decryption keys. They also operated a darknet website to advertise their services to criminal affiliates on criminal forums and messaging platforms, DOJ said.<br><br>"This combined law enforcement operation led by the FBI and assisted by allied nations and, notably, the U.S. Department of Defense Cyber Crime Center is a big win for the 'good guys,'" said John Riggi, AHA national advisor for cybersecurity and risk. "The Phobos ransomware-as-a-service organization conducted multiple attacks against U.S. hospitals that disrupted patient care and posed a risk to patient and community safety. Sustained enforcement operations such as this are crucial for deterrence purposes and to degrade the capability of foreign cyber terrorists to attack U.S. health care. It is also vital for U.S. health care and all ransomware victims to continue timely and robust cooperation with federal agencies to enable such operations."
<br><br>For more information on this or other cyber and risk issues, contact Riggi at <a href="mailto:jriggi@aha.org">jriggi@aha.org</a>. For the latest cyber and risk resources and threat intelligence, visit <a href="/cybersecurity">aha.org/cybersecurity</a>.</p>
Wed, 20 Nov 2024 14:59:16 -0600

UN Security Council meeting discusses impact of ransomware attacks on hospitals
/news/headline/2024-11-13-un-security-council-meeting-discusses-impact-ransomware-attacks-hospitals
<p>A United Nations Security Council <a href="https://news.un.org/en/story/2024/11/1156751">meeting</a> the week of Nov. 4 discussed ransomware and the severe impacts that cyberattacks can have on hospitals and health systems. During the meeting, Eduardo Conrado, president of Ascension Healthcare, shared insights from a cyberattack in May that disrupted operations across the health system's 120 hospitals. The attack encrypted thousands of computer systems and made electronic health records inaccessible. It also affected key diagnostic services, including magnetic resonance imaging and computed tomography scans.<br><br>Among the challenges, "nurses were unable to look up patient records from their computer stations and were forced to comb through paper back-ups… imaging teams were unable to quickly send the latest scans up to surgeons waiting in the operating rooms, and we had to rely on runners to deliver printed copies of the scans to the hands of our surgery teams," Conrado said. It took 37 days for the organization to restore operations.<br><br>"We applaud the willingness and courage of Ascension and their president, Eduardo Conrado, to come forward to speak out about their ransomware attack and the disruptive effects the attack had on patient care, ultimately posing a risk to patient safety," said John Riggi, AHA national advisor for cybersecurity and risk.
"As we have been loudly advocating for years, these cross-border ransomware attacks are conducted by ransomware gangs who enjoy safe harbor provided primarily by Russia, China, North Korea and Iran. It is an international threat that can only be solved through international cooperation and a will from aligned nations to effectively increase risk and consequences for those who commit and support these despicable acts."<br><br>Anne Neuberger, coordinator for U.S. national security policy on cyber and emerging technologies, discussed the scale of ransomware threats in the health sector, citing over 1,500 incidents across the country in 2023. Those incidents totaled $1.1 billion in payments. Neuberger said that these incidents will continue, "as long as ransoms are being paid and criminals can evade capture, particularly by fleeing across borders."</p>
Wed, 13 Nov 2024 15:09:12 -0600

Agencies alert health sector of Iranian and Russian cyber threats
/news/headline/2024-08-30-agencies-alert-health-sector-iranian-and-russian-cyber-threats
<p>The FBI, Cybersecurity and Infrastructure Security Agency and the Department of Defense Cyber Crime Center Aug. 29 <a href="https://www.cisa.gov/news-events/alerts/2024/08/28/cisa-and-partners-release-advisory-iran-based-cyber-actors-enabling-ransomware-attacks-us">issued</a> a joint advisory warning of Iran-based cyber actors who leverage unauthorized network access to U.S. organizations, including health care organizations, to facilitate, execute and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs.
The Iranian group, which is associated with the Government of Iran, has conducted a high volume of cyberattack attempts on U.S. organizations since 2017 and as recently as August 2024. Based on an FBI assessment, the cyber actors obtain network access for espionage purposes, then collaborate with ransomware groups, including the notorious Russian-linked ransomware groups <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a">RansomHub</a> and ALPHV, aka <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a">BlackCat</a>, to execute ransomware attacks against the espionage target. BlackCat was responsible for the 2024 Change Healthcare ransomware attack, the largest and most consequential cyberattack in U.S. history. The advisory does not indicate if the Iranian actors had any role in the Change Healthcare attack, but does state that the Iranian group’s ransomware activities are not likely sanctioned by the Government of Iran.</p><p>The joint advisory provides tactics, techniques, procedures, and indicators of compromise obtained from FBI investigations and third-party reporting. The federal agencies urge organizations to apply the recommendations in the mitigations section of the advisory to reduce the likelihood of compromise by these Iran-based cyber actors and other ransomware attacks.</p><p>“This alert demonstrates the close ‘international cooperation’ between hackers to exploit cyber espionage campaigns for criminal profit,” said John Riggi, AHA national advisor for cybersecurity and risk. “This alert also demonstrates the nation-state level sophistication and expertise of the ransomware groups that target U.S. health care. No health care organization, regardless of their cybersecurity preparedness, can be expected to fully defend against a group of nation-state-trained hackers collaborating with sophisticated ransomware gangs.
Clearly, the initial access leading to a subsequent ransomware attack, sanctioned or not, is state-sponsored. We strongly encourage the U.S. government to treat these attacks as national security threats, by policy and action, and impose significant risk and consequences on our cyber adversaries. Offense is the best defense.”</p><p>Although there is no specific threat information at this time, the field is reminded to remain especially vigilant over the holiday weekend, as we have historically seen increased targeting of health care around the holidays.</p>
Fri, 30 Aug 2024 08:48:03 -0500

DOJ charges Russian national with developing, operating LockBit ransomware
/news/headline/2024-05-09-doj-charges-russian-national-developing-operating-lockbit-ransomware
<p>The Department of Justice May 7 <a href="https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware">announced</a> more than two dozen criminal charges against Dmitry Yuryevich Khoroshev, 31, of Voronezh, Russia, for his alleged role as the creator, developer and administrator of the LockBit ransomware group. According to the 26-count <a href="https://www.justice.gov/opa/media/1350921/dl?inline">indictment</a> and other records previously unsealed by the U.S. District Court of New Jersey, Khoroshev and co-conspirators grew LockBit into what was, at times, the most active and destructive ransomware variant in the world.</p><p>LockBit's victims included hospitals, individuals, small businesses, multinational corporations, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
The group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the U.S., and extracted at least $500 million in ransom payments from victims. The cyberattacks caused billions of dollars in broader losses, such as lost revenue, incident response and recovery costs.</p><p>"The combined efforts by the DOJ, FBI, Treasury and State departments to dismantle and disrupt the notorious and dangerous LockBit ransomware group should be congratulated," said John Riggi, AHA's national advisor for cybersecurity and risk. "Protected cooperation from the victims of LockBit was no doubt essential in the government’s efforts. As we see high-impact ransomware attacks against health care continue to disrupt patient care and pose a broad risk to patient and community safety, it has become clear that any defensive cyber measures imposed upon hospitals must be accompanied by an equally aggressive and sustained offensive strategy by the U.S. government to combat this ongoing and unresolved national security threat. These attacks should be aggressively pursued and prosecuted as such by the federal government. We use the term 'prosecuted' in all senses of the definition related to the totality of the government’s capabilities and authorities, including intelligence and military authorities.”</p>
Thu, 09 May 2024 14:58:52 -0500

Agencies recommend action to prevent compromise through routers, cloud environment
/news/headline/2024-02-27-agencies-recommend-action-prevent-compromise-through-routers-cloud-environment
<p>Russian state-sponsored cyber actors are using compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide, the FBI and other agencies <a href="/2024-02-27-russian-cyber-actors-use-compromise-d-routers-facilitate-cyber-operations" target="_blank">warned</a> Feb. 27. In addition, the National Security Agency and other federal and international agencies Feb. 26 released an <a href="/other-cybersecurity-reports/2024-02-27-advisory-svr-cyber-actors-adapt-tactics-initial-cloud-access" target="_blank">advisory</a> to help organizations detect and defend against cyberattacks on cloud environments by the APT29 group, a cyber-espionage group associated with Russian intelligence services.</p><p>“These alerts, which came in rapid succession, clearly demonstrate that the health care sector, like all critical infrastructure sectors, faces cyberattacks not only from international criminal organizations, but from hostile foreign intelligence services,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “In one instance we have the Russian foreign intelligence services conducting highly sophisticated cyberattacks targeting mission-critical cloud-based services. The second alert describes the Russian military intelligence services conducting complex attacks against network EdgeRouters.
The sophistication level and complexity of these cyber threats clearly demonstrate that cybersecurity requirements in a business associate agreement alone are insufficient leverage for hospitals and health systems to mitigate the unrelenting cyber risk exposure we face through third-party technology and service providers. A combination of secure-by-design principles strictly adhered to by software and technology developers, defensive measures and sustained offensive cyber operations by the government are needed to degrade the capabilities of our cyber adversaries. It is recommended that the mitigation practices outlined in these alerts be implemented as soon as feasible in combination with enhanced third-party risk management programs.”</p>
Tue, 27 Feb 2024 15:28:04 -0600

Agencies issue memory safe programming guidance, spear-phishing update
/news/headline/2023-12-12-agencies-issue-memory-safe-programming-guidance-spear-phishing-update
<p>In new <a href="/cybersecurity-government-intelligence-reports/2023-12-08-tlp-clear-case-memory-safe-roadmaps">guidance</a> for software manufacturers, cybersecurity agencies in the U.S. and United Kingdom urge every software manufacturer to adopt memory safe programming languages (MSLs) and publish a roadmap that details how they will eliminate memory safety vulnerabilities in their products.
<br><br>In other news, the agencies recently recommended <a href="/cybersecurity-government-intelligence-reports/2023-12-08-national-cyber-security-centre-advisory-russian-fsb-cyber-actor-star">actions</a> to defend against Star Blizzard, a Russia-based threat actor that continues to target organizations and individuals with spear-phishing campaigns.<br><br>John Riggi, AHA’s national advisor for cybersecurity and risk, said the MSL resource “will assist organizations to design technology that incorporates the cybersecurity principles of ‘secure by design, secure by default.’ This is important for health care, as a significant portion of cyber risk we are exposed to originates from third-party technology that contains an unacceptable level of technical vulnerabilities. The Star Blizzard alert highlights the collusion that often occurs between Russian intelligence services and Russia-based cyber criminal groups, making these threats very formidable to defend against by an individual hospital and health system. This threat also highlights the need for health care to continue to exchange cyber threat information with the federal government to enable their cyber offensive operations to disrupt these threats.”</p>
Tue, 12 Dec 2023 14:42:18 -0600

Russian national pleads guilty to role in ransomware attacks
/news/headline/2023-12-04-russian-national-pleads-guilty-role-ransomware-attacks
<p>A Russian national Dec. 
4 pleaded guilty to his role in developing and deploying a suite of malware tools known as Trickbot, used to launch ransomware attacks against American hospitals and other businesses, the Department of Justice <a href="https://www.justice.gov/opa/pr/russian-national-pleads-guilty-trickbot-malware-conspiracy">announced</a>.</p><p>“Combating bad actors in cyberspace is a team sport, and we are proud of the collaboration and coordination at the international level that went into today’s plea,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.</p><p>John Riggi, AHA’s national advisor for cybersecurity and risk, said, “In a time when most cyber news is about the latest threat or attack, we applaud this win for the ‘good guys.’ The combined efforts of the FBI, Department of Justice and international partners have brought to justice this notorious cybercriminal who facilitated ransomware attacks against American hospitals and health systems, disrupting care delivery and risking patient safety. This win highlights the need for ransomware victim hospitals to cooperate with the FBI and other federal agencies to aid in investigative efforts and to gather cyber threat intelligence to prevent future attacks.”</p>
Mon, 04 Dec 2023 14:40:38 -0600

U.S. sanctions cyber gang targeting hospitals
/news/headline/2023-09-07-us-sanctions-cyber-gang-targeting-hospitals
<p>The U.S. Treasury Department, in coordination with the United Kingdom, Sept. 
7 <a href="https://home.treasury.gov/news/press-releases/jy1714">sanctioned</a> 11 individuals who are part of the Russia-based Trickbot cybercrime group, whose targets have included hospitals and other critical infrastructure organizations. The Department of Justice also unsealed indictments against nine individuals in connection with Trickbot malware and Conti ransomware, including seven of the sanctioned individuals. According to the agencies, the Trickbot group in 2020 launched a wave of ransomware disruptions against U.S. hospitals and health care facilities, in one case deploying ransomware that disrupted computer networks and telephones at three Minnesota facilities and caused them to divert ambulances.<br /><br />“The United States is resolute in our efforts to combat ransomware and respond to disruptions of our critical infrastructure,” said Under Secretary of the Treasury Brian Nelson. “In close coordination with our British partners, the United States will continue to leverage our collective tools and authorities to target these malicious cyber activities.”<br /><br />John Riggi, AHA’s national director for cybersecurity and risk, said, “We are highly encouraged to see the combined forces and offensive cyber capabilities of the U.S. and U.K. governments being leveraged to target these Russian state-supported ransomware gangs. It has become clear that we cannot rely solely on defense measures to mitigate the threat of ransomware. Disruption of the ransomware perpetrators and their finances on an ongoing basis is essential to mitigate the threat of ‘cyber terrorism.’ When hospitals are attacked, lives are threatened.”</p>
Thu, 07 Sep 2023 15:01:17 -0500

HHS releases update on ransomware threat to health care sector
/news/headline/2023-02-28-hhs-releases-update-ransomware-threat-health-care-sector
<p>The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) Friday <a href="/h-isac-green-reports/2023-02-28-hc3-analyst-note-tlp-clear-medusalocker-ransomware-february-24-2023" target="_blank">alerted</a> the sector to the latest tactics used to launch MedusaLocker ransomware attacks.<br /><br />“MedusaLocker is another example of a Russia-based ransomware gang targeting U.S. health care and risking patient safety,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “Although phishing emails play a significant role in delivering the ransomware into the organization, HC3 notes that this group, like other ransomware gangs, is increasingly exploiting remote desktop protocol (RDP) vulnerabilities for initial access. The advisory recommends that organizations not expose RDP to the internet and put in place the recommended mitigations.”</p>
Tue, 28 Feb 2023 15:09:29 -0600

HC3 TLP White: Major Cyber Organizations of Russian Intelligence Services, May 19, 2022
/2022-06-10-hc3-tlp-white-major-cyber-organizations-russian-intelligence-services
<div class="container row"> <div class="row"> <div class="col-md-8"> <h4>Agenda:</h4> <p>This presentation will examine the malware Emotet, and what makes it a significant threat to the health sector.</p> <ul> <li>Russian Intelligence Services’ Structure</li> <li>Russian Intelligence Services’ Mandates</li> <li>Turla</li> <li>APT29</li> <li>Sandworm</li> <li>Conclusion</li> <li>Questions</li> </ul> <p>This product is also available on HC3's website <a href="https://www.hhs.gov/sites/default/files/major-cyber-organizations-of-russian-intelligence-services.pdf" target="_blank">here</a>.</p> <p>Please see the attached Threat Brief: <strong>Major Cyber Organizations of Russian Intelligence Services</strong>.</p> </div> </div> </div>
Thu, 19 May 2022 13:12:45 -0500