Threat Story
In January 2022, a U.S. healthcare customer saw a malicious PowerShell script deployed on one of their internal servers. Darktrace DETECT/Network immediately detected unusual activity. Darktrace revealed that the script was hard-coded to connect to a rare IP to create a ‘reverse shell’ session which, if successful, would have handed control to the threat actors. With a reverse shell, they could have issued remote commands, opening the network to further lateral movement, data exfiltration and malware deployment. Ultimately this was unsuccessful as Darktrace RESPOND/Network ensured the connections were blocked.
Darktrace’s Expert Analysis
The global healthcare sector has historically been characterized by high rates of technology obsolescence, and while recent years have seen a deliberate push within the industry to resolve these cyber security ‘black spots’, some regions have been faster than others in their digital transformation, and the sector remains a top target for data exfiltration attacks.
Exec Summary
Darktrace’s early indicator analysis[1] of the threats facing the healthcare sector over the last year paints a picture of a global healthcare sector that remains a top target for cyber-criminals who are particularly hungry for patient data.
Security teams remain over-stretched and under-resourced in the sector, particularly as the recovery from a global pandemic continues. Cyber attackers continue to target the sector because of its reputation for low cyber maturity, and its wealth of sensitive data stores. Attackers are not only seeking out protected health information (PHI) to conduct standard identity theft and extortion of victims but also seek access to prescriptions, and other medical services and even to file false insurance claims.
Data exfiltration is a common technique used in sophisticated ransomware attacks – an attack method renowned for its ability to cause disruption to normal operations. The prominence of data exfiltration in the healthcare sector indicates a high risk of said disruption, which can directly impact patient care, as well as the risk of significant financial loss for a sector that already runs on tight budgets.
In 2022 the UK and Australian healthcare sectors saw a notable rise in data exfiltration. In the U.S. healthcare sector, there was a decrease in data exfiltration threats, but the attack type remained in the top three most common malicious activities observed in the sector. Despite this, data exfiltration remained a significant challenge to the global healthcare sector in 2022.
The Data
Darktrace’s ‘Unusual External Data Transfer’ indicators were the third most common threat detected in the UK, U.S., and Australia, after ‘Suspicious Network Scan’ and ‘Lateral Movement’ indicators. Even in the U.S. where the percentage of exfiltration threats seen in 2022 was less than in 2021, it remained the third most common indicator. ‘Suspicious Network Scan’ and ‘Lateral Movement’ are always expected to be the first and second most common indicators as they are the earliest actions a potential hacker takes to conduct any, and all, cyber-attacks. Essentially, they are attempting to find a way in, then establish a foothold by infecting more devices which is the bread and butter of most attacks. It’s what comes next that varies according to sector, threat type and environment and is therefore an important point of analysis.
If we take the ransomware attack deployed against Advanced Software Services to attack several NHS services including 111 in August 2022, as an example, the pathway becomes clear. Advanced’s report of the breach states: “[after gaining access through a third party], the attacker moved laterally in Advanced’s Health and Care environment and escalated privileges, enabling them to conduct reconnaissance, and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated a limited amount of data.”
In this context, the below data, taken from Darktrace’s fleet, shows that both Australia and the U.K. are suffering from increasing proportions of exfiltration, while the U.S. healthcare sector is faring better than in 2021, but is still being burdened by data theft.
The U.S.
- The most observed Enhanced Monitoring model breach in the U.S. healthcare sector was Suspicious Network Scan Activity.
- The second most observed probable cyber incident in the U.S. healthcare sector was Multiple Lateral Movement Model Breaches.
- The third most observed probable cyber incident in the U.S. healthcare sector was Enhanced Unusual External Data Transfer. The proportion of data exfiltration indicators decreased by 34.19% in 2022 compared to 2021. Despite this decrease, these incidents still accounted for 12.51% of all incidents seen in the U.S. healthcare sector in 2022.
Australia
- The most observed Enhanced Monitoring model breach in the Australian healthcare sector was Suspicious Network Scan Activity, compared with the previous year when it was Multiple Lateral Movement Model Breaches.
- The second most observed probable cyber incident in the Australian healthcare sector for 2022 was Multiple Lateral Movement Model Breaches.
- The third most observed probable cyber incident in the Australian healthcare sector was Enhanced Unusual External Data Transfer. Data Exfiltration accounted for 1.42x more of all cyber incidents in the sector in 2022 compared to 2021.
The U.K.
- The most observed Enhanced Monitoring model breach in the UK healthcare sector was Suspicious Network Scan Activity.
- The second most observed probable cyber incident in the UK healthcare sector was Multiple Lateral Movement Model Breaches.
- The third most observed probable cyber incident in the UK healthcare sector was Enhanced Unusual External Data Transfer. Data Exfiltration accounted for 1.04x more of all cyber incidents in the sector in 2022 compared to 2021.
Differing levels of compromise indicators in different regions
Interestingly, this year we saw a rise in the proportion of data exfiltration threat indicators in the UK healthcare sector, and a larger (more concerning) rise in Australian healthcare, but the U.S. has seen a reduction in the proportion of data exfiltration indicators compared with 2021. It is difficult to say exactly why the U.S. healthcare sector seems to be faring better than last year, but one factor could be the increasing cyber maturity of the U.S. healthcare sector.
It is important to note that exfiltration indicators still account for the third most frequent alerts seen by Darktrace in the U.S. healthcare sector, after Suspicious Network Scan Activity (34%) and Multiple Lateral Movement Model Breaches (22%). Network scans and lateral movement are always expected to be the first and second most common indicators flagged by our AI, because those are the first and second things that almost any potential attacker will start with. Network scans are carried out on almost every organization daily, as hackers look for any easy way in. Pentesters will also carry out network scanning as part of their work. Greater cyber maturity in the U.S. healthcare sector could well mean that potentially suspicious activity is being stopped in these early stages before any attempt at data exfiltration can be made.
MITRE ATT&CK Category: Exfiltration
“Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command-and-control channel or an alternate channel and may also include putting size limits on the transmission.”
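The two network behaviours this page describes, a server holding a session to a rare external IP (the Threat Story above) and an unusual external data transfer, possibly split into size-limited chunks as the MITRE definition notes, can both be approximated with simple baseline-and-deviation checks over flow records. The following is an added example written for this page; it is not Darktrace code and does not reflect how Darktrace's models work. The flow records, device and destination addresses, internal ranges and thresholds are all constructed for illustration.

```python
# Added example (not Darktrace code): toy flow-record analytics for the two
# network indicators discussed on the page. Every flow below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    day: int        # day index of the observation (constructed)
    src: str        # internal device
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent by src
    duration: int   # session length in seconds

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed baseline: 7 days of routine traffic for two internal hosts.
BASELINE = (
    [Flow(d, "10.0.1.20", "203.0.113.10", 443, 50_000 + d * 100, 30) for d in range(7)]
    + [Flow(d, "10.0.1.21", "198.51.100.5", 443, 20_000, 10) for d in range(7)]
)

# Constructed "day 8": 10.0.1.20 keeps a 2-hour session open to a never-seen IP,
# and 10.0.1.21 pushes twelve equal 5 MB chunks to a new external host.
TODAY = (
    [Flow(8, "10.0.1.20", "203.0.113.10", 443, 50_500, 30),
     Flow(8, "10.0.1.20", "192.0.2.77", 443, 1_200, 7_200)]
    + [Flow(8, "10.0.1.21", "198.51.100.99", 443, 5_000_000, 20) for _ in range(12)]
)

def build_baseline(flows):
    """Per source device: the external destinations seen and the peak daily bytes out."""
    seen = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.dst):
            continue
        seen[f.src].add(f.dst)
        daily[f.src][f.day] += f.bytes_out
    peak = {src: max(days.values()) for src, days in daily.items()}
    return seen, peak

def rare_external_sessions(flows, seen, min_duration=600):
    """Long-lived sessions to an external IP the source device has never contacted."""
    return [f for f in flows
            if not is_internal(f.dst)
            and f.dst not in seen.get(f.src, set())
            and f.duration >= min_duration]

def unusual_external_transfers(flows, peak, factor=5):
    """Sources whose outbound bytes today exceed `factor` times their baseline peak day."""
    total = defaultdict(int)
    for f in flows:
        if not is_internal(f.dst):
            total[f.src] += f.bytes_out
    return {src: b for src, b in total.items() if b > factor * peak.get(src, 0)}

def chunked_transfers(flows, min_chunks=5, tolerance=0.1):
    """(src, dst) pairs with many near-identically sized outbound flows: a sign of
    size-limited transfers as described in the MITRE Exfiltration definition."""
    groups = defaultdict(list)
    for f in flows:
        if not is_internal(f.dst):
            groups[(f.src, f.dst)].append(f.bytes_out)
    hits = {}
    for key, sizes in groups.items():
        if len(sizes) < min_chunks:
            continue
        median = sorted(sizes)[len(sizes) // 2]
        if all(abs(s - median) <= tolerance * median for s in sizes):
            hits[key] = len(sizes)
    return hits

if __name__ == "__main__":
    seen, peak = build_baseline(BASELINE)
    for f in rare_external_sessions(TODAY, seen):
        print("rare external session:", f.src, "->", f.dst, f"{f.duration}s")
    for src, b in unusual_external_transfers(TODAY, peak).items():
        print("unusual external transfer:", src, f"{b} bytes (peak {peak[src]})")
    for (src, dst), n in chunked_transfers(TODAY).items():
        print("chunked transfer:", src, "->", dst, f"{n} similar-sized flows")
```

The three checks deliberately use different evidence: destination rarity plus session length for the reverse-shell pattern, total volume against a per-device baseline for bulk theft, and uniform chunk sizes for transfers the attacker has throttled to stay under volume thresholds. In a real deployment the baseline window, the internal ranges and the thresholds would come from the environment rather than the constants here, and the destination rarity check would normally be computed across the whole estate, not per device.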
About Darktrace
Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Breakthrough innovations from the Darktrace Cyber AI Research Centre in Cambridge, UK and its R&D center in The Hague, The Netherlands have resulted in over 125 patent applications filed and significant research published to contribute to the cyber security community. Darktrace’s technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. It is delivering the first-ever Cyber AI Loop, fuelling a continuous end-to-end security capability that can autonomously prevent, detect, and respond to novel, in-progress threats in real-time. Darktrace employs over 2,200 people around the world and protects over 8,100 organizations globally from advanced cyber threats. It was named one of TIME magazine’s ‘Most Influential Companies’ in 2021.
[1] Darktrace’s data is developed by ‘early indicator analysis’ that looks at the breadcrumbs of potential cyber-attacks at several stages before they are attributed to any particular actor and before they escalate into a full-blown crisis.