Cyberattacks: A Battle Against a Nameless, Ever-changing Foe

The hacking of Singapore’s health system beginning in June is a reminder – as if one were needed – that, regardless of the degree of cybersecurity that may be deployed to try to prevent cyberattacks, if hackers want to target a person, business, or country, they can with virtual impunity. That the primary target of the attack was SingHealth’s medical records is consistent with the modus operandi of many previous attacks around the world.

Medical systems, hospitals, and doctor offices are the natural domain of many cyberattackers because they can obtain so much information in one place at one time – not only a person’s address and phone number, but also financial and extremely personal medical information. Given how serious some previous hacks into health systems have been elsewhere in the world, Singapore got off rather easily this time, but it will certainly not be the last time Singapore, or its Prime Minister, is targeted.

In May 2017, as part of the largest global ransomware attack ever experienced, hospitals across the UK were hit by a large-scale cyberattack; 39 hospital trusts as well as health practices and dental services in the National Health System were targeted across England and Scotland by spreading a virus through internal computer systems. Targets were sent an encrypted, compressed e-mail file that, once loaded, allowed the ransomware to infiltrate. Some doctors could not access patient files. Some emergency care patients had to be diverted to other facilities. Doctors throughout the country received ransom messages demanding money.

Entire hospitals had to be shut down as a result of an inability to operate essential systems. Some hospital administrators made the decision to shut down operations in an attempt to preserve any uninfected machines and systems. Phone calls could not be accepted nor prescriptions dispensed. A Bitcoin pop-up message appeared on some network screens, stating that important files had been encrypted and demanding that users pay $300 to be able to access their computers.

Since most medical devices do not have endpoint security software, such attacks often go undetected. In order to ensure success, the attackers may intentionally repackage and embed new, highly sophisticated tools and camouflage them. Once the attackers are inside a network, a variety of medical devices become easy targets. The challenge for healthcare providers is immense. Some medical care facilities have found it necessary to ‘clean’ (replace software, reload, or rebuild) multiple devices at the same time, to prevent them from being re-infected by another medical device that still contains malicious code.

In some cases, hospital staff have had to manage shutting down dozens (or even hundreds) of medical devices at the same time, a potentially catastrophic task that can result in the death of patients. Most of these organizations cannot detect such attacks until their systems are fully compromised. They may be unaware of ongoing data breaches, and they ordinarily lack an adequate strategy or the funding to identify the problem, remove the malware, or prevent it from happening again.

Last year’s WannaCry and Petya ransomware attacks were a wake-up call for how seemingly simple it is to breach cyber defenses and cause havoc on a global scale. In the Petya case, rather than attempt to hack individual businesses one at a time, the cyberattackers chose to penetrate the network of a small Ukrainian software firm (MeDoc), which sold a piece of accounting software used by approximately 80% of Ukraine’s businesses. In doing so, the hackers gained access to most of Ukraine’s businesses in a single act.

They first breached MeDoc by using its Virtual Private Network connections to other companies to plant ransomware on a variety of targets. By injecting a tweaked version of a file into updates of that software, they were able to start spreading backdoored versions of it weeks before Petya was deployed throughout Ukraine, injecting Petya through the MeDoc system’s entry points. In the process, innocent software updates were used to silently spread the malware.

Petya was ultimately intended to steal passwords and destroy data rather than to generate revenue, and it was originally intended to attack Ukraine only and damage computers, but it spun out of control. GoldenEye, the strain of the Petya virus responsible for that attack, eventually spread to Ukraine’s electrical grid, government offices, and airports before going global. While similar in its global orientation to WannaCry, Petya, unlike WannaCry, had no kill switch, so it represented a much more insidious threat. Petya signaled the arrival of more “blended” types of cyberattacks (combining ransomware with “wiper” or other forms of attack), mixing elements of different threat vectors in new ways.

Software developers only learn what they are supposed to be protecting against after a new form of malware has been deployed and identified and a way has been found to block it. An individual, business, or government can do everything they are supposed to be doing to establish a healthy level of cyber hygiene, and it will usually still not be enough to prevent an attack. The sad truth is that if hackers want to target you, they can often do so at will, because no matter how good a cybersecurity system may be, hackers are often one step ahead of the programmers trying to protect information and assets. When state-sponsored attacks occur, the problem is only exacerbated, because they are often unleashed with military-grade precision and capability.

The best defense has been, and will remain, frequently changing strong passwords, updating protective software on a daily basis, and being properly educated about what not to do. The greatest source of virus infection occurs between the keyboard and the chair; it is each of us who may ultimately click on the wrong e-mail or attachment. We must all move cybersecurity from a back-burner issue to a front-burner issue in our homes and businesses, and practice preventive and effective cyber-hygiene every day.

Cyberattackers operate in an anonymous, borderless, and lawless world. Since they generally operate on the Dark Web, it is extremely difficult to identify them, and even if they are identified and extradited, national and international laws are usually so far behind the curve that there is no meaningful way to prosecute them. Governments, businesses, and individuals must make cutting-edge cybersecurity a priority, if they have not already done so. This is not someone else’s problem half a world away; it is on everyone’s doorstep and requires a consistent, devoted, permanent effort to combat the next cyberattack. It is coming. It is just a question of when and where.

This article was originally posted in The Straits Times.