There are Still Things We Can Learn from the UnitedHealth Incident

Although it might seem like rehashing things about the UnitedHealth ransomware event is a bit out of touch and old news, there are still some things that apply today. The attack took place back in February and was quickly attributed to the Blackcat (AlphV) ransomware group. The attack had some significant ripple effects across the US healthcare landscape. This is in part due to how US healthcare companies have been allowed to be acquired and subsumed under a single umbrella and the way Blackcat attacked UnitedHealth’s subsidiary Change Healthcare.

So why talk in May, about something that happened in February (other than companies are still not learning the lesson)? Well, there are a few reasons, but the most relevant one is the resumed topic of “hacking back” which has popped up over the last couple of days. In this context hacking back is identifying and attacking threat group infrastructure and systems to eliminate or reduce their effectiveness. The FBI had conducted a similar operation on AlphV in December with a take down notice posted on the AlphV site. This takedown was and still is a good thing as it did disrupt the organization and allowed the FBI’s technical team to develop a decryptor (which had its own challenges). However, because there was no direct action against the people behind the AlphV group, this seemed to get them (AlphV) rather annoyed, and they announced that previously taboo targets (like Healthcare and Hospitals) were now allowed.

The AlphV group took a little bit of time to gather their resources, made some announcements to affiliates and went back to work. Soon after this we started to see increased focus on healthcare. Now, don’t misunderstand, healthcare and hospitals have always been targets to some degree or another. They often make a lot of money, have outdated or insufficient security measures and all too often do not have good backups to restore in the event of an encryption event. That being said, some of the ODC (Ordinary Decent Criminal) organizations do restrict their affiliates from going after those types of organizations. Now, the gloves were off.

I am not going to go into a terrible amount of detail of the actual event other than to say it had significant impacts in the real world outside of cyberspace. People could not get prescriptions, people had problems getting care, etc. It was (to quote Egon from Ghostbusters) Bad.

In this scenario we see an unfortunate side effect of direct action against attacker infrastructure without any ability to put the people behind it at risk. They are resilient in many ways due to the protections they receive from their home country. So, instead of being afraid, they come back annoyed and now look for a bit of revenge. Despite this, disruption of infrastructure is still a good thing as is publicly identifying the people behind these groups including affiliates. As Ariel Parnes, COO and Co-Founder at Mitiga said "In the fight against cybercrime, the state holds a critical position, employing national capabilities like intelligence, law enforcement, and international collaboration to shield against digital threats. Recently, we have seen the use of offensive cyber tactics as part of the arsenal, aiming to damage criminals' cyber capabilities and prevent their criminal activities. This method was highlighted in the disruption of the BlackCat ransomware by the FBI, which unfortunately led to the group intensifying their operations, as shown in their recent attack on UnitedHealth's tech unit.

These cybercrime groups are resilient, often lacking a central vulnerability, which allows them to swiftly recover from attacks. Despite this, the emergence of such action-reaction dynamics in cyber confrontations should not dissuade nations from utilizing their defensive capabilities. A more effective approach involves a multidimensional, international campaign. This strategy should integrate offensive cyber countermeasures with traditional tools of national power, fostering a collective defense against cyber threats. Emphasizing cooperation and comprehensive efforts, this approach is pivotal for a robust defense against the evolving landscape of cybercrime."

Now that does not mean this should be the wild west and any organization who is attacked can just “hack back”. This means that coordinated efforts which are weight against based on risk vs reward should be supported and continue. These efforts include law enforcement organized security research and prevention companies (who directly coordinate with law enforcement) and other groups including government affiliated organizations.

As I was just talking about on X, the mid set and skill set needed for offensive operations is very different than what you generally are looking for in defenders (which can create its own problem), and while offensive techniques are not exactly rocket science, you would not want to hire a “skid” to work in your environment doing defensive work, or let them think they had company authority to attack back.

Now we have LockBitSupp identified and new notices going up around the LockBit ransomware group including a list of affiliates. This was obtained through direct “hack back” actions by the FBI and likely other organizations. We have a name, Dmitry Yuryevich Khoroshev. Yet once again he will be protected inside his host country. Will we see a repeat of AlphV, with a return in a few months targeting more sensitive services? We could and probably will. Even with that prospect 100% agree with disruption activities and believe they do more good than harm. The downside is that far too many organizations do not recognize them for what they are: a breather.

You now have time to get your house in order so you can be more protected when they do reemerge. Don’t applaud and then head for the door thinking you are going to have a smooth drive home. Take the win (which it is) and prepare for the next round.

Until direct interdiction in the real world is a thing, Cyberspace activities are nothing more than harassing and temporarily disruptive to threat groups. Despite them being a good thing, they are just the attackers’ version of a business continuity or disaster recovery exercise. UnitedHealth is an excellent lesson for this and, if we go back in time, you can find more and more examples which we, as a collective, have not taken to heart. I would like to see that change. Organizations need to start learning the actual lessons from what is happening in cyberspace instead of burying their heads in the sand and thinking, this won’t happen to me, or that a group is gone when they are disrupted.

Ok, Soapbox put away, for now

No comments

Leave your comment

In reply to Some User