ISMG Editors: Does US Takedown Mark Hive Group's Demise? Also: Russian DDoS Attacks Target US Hospitals; Data Breach Reports Lack Details
Anna Delaney (annamadeline) • February 3, 2023
In the latest weekly update, three editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the lasting effects of the takedown of the Hive ransomware group, why the U.S. government is warning of a surge in Russian DDoS attacks on hospitals and why the lack of transparency in U.S. breach notices is creating more risk for consumers.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- The announcement by the FBI and international partners about the takedown of one of the world's most prolific ransomware groups, Hive, and how that group may respond;
- Why the U.S. government and industry authorities are warning the healthcare sector of a surge in distributed denial-of-service attacks against hospitals and other medical entities instigated by Russian nuisance hacking group KillNet;
- Highlights from an interview with James Lee of the Identity Theft Resource Center about findings from its 2022 Annual Data Breach Report, which reveals a recent lack of transparency and failure to share important details in breach notices.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Jan. 20 edition, which discusses why ransomware group LockBit is so prolific, and the Jan. 27 edition, which considers why ransomware profits are dipping.
Anna Delaney: Hello, I'm Anna Delaney and thanks for joining us for the ISMG Editors' Panel, which does exactly what it says on the tin. ISMG editors meet on a panel to discuss the week's top cybersecurity news, interviews and trends. I'm very pleased to be joined this week by Marianne Kolbasuk McGee, executive editor of HealthcareInfoSecurity, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Really good to see you both.
Marianne McGee: Hi, Anna. Hi, Matt.
Mathew Schwartz: It's great to be here. I didn't get the water memo. I feel a little left out.
Delaney: I know. I know you didn't, but I can't wait to hear about your background, Matt. Tell us more. I think I know actually.
Schwartz: Yes. Well, you may have heard it discussed before. It's everyone's favorite museum in Dundee, the V&A, the Victoria and Albert design and fashion museum. It's a lovely edifice; it's difficult to photograph. It's been a kind of personal obsession to try to figure out how to get this caption on film. And here, you can see just the cut through there to the river. So there is some water, I forgot. It's in this image so I don't feel so left out anymore.
Delaney: What I find incredible is comparing it to the London V&A, because London's building is quite ornate and I don't want to put a date on it. But let's just say it's old architecture and very beautiful. This is quirky and modern. It's quite a contrast. But you will have to come when you're in London. Marianne, you did get the water memo. So tell us more.
McGee: Yeah. I took this when we, my husband and I, were in Hilton Head, South Carolina, back in October. And as peaceful as this looks, there are alligators in this lagoon, and there's like signs everywhere saying, "Watch out for the alligators." So I thought it was appropriate because it's kind of like cybersecurity. Think you're having a good day, and then all of a sudden, there's an alligator.
Delaney: There's a bite. Yeah, very good analogy. Well, I'm at Painshill Park, not far from where I grew up. And it's an 18th century landscape garden with plenty of grottoes and, you know, water wheel and a vineyard so it's gorgeous. And yeah, well, I love it for its pure tranquility. You know, I'll get alligators or crocodiles here.
Schwartz: Just swans.
Delaney: Just swans. Quite violent at times. So I suppose like cybersecurity. Well, Matt, cheerful news again this week, perhaps. You've written that the FBI and international partners have announced the takedown of Hive infrastructure. Now, Hive, of course, one of the world's most prolific ransomware groups. And it's an interesting case because it seems an example of offensive ops. So pack in the hackers. Tell us more.
Schwartz: Yeah, I know. Any kind of disruption is really good news. Lots to be celebrated there. So last week, on Wednesday, apparently, Hive's sites went dark. So you can get to its sites via Tor based while using Tor. So they were Tor anonymizing web browser sites, .onion sites. They went dark. So, Thursday morning, the FBI and German and Dutch law enforcement revealed that they had been working together and had infiltrated Hive. So, truth is stranger than fiction sometimes, or at least, you know, just as thrilling as your average Tom Cruise movie. Here we have, July 2022, and somehow, law enforcement agents gain access to Hive's infrastructure. So they begin quietly passing decryption keys - I love this - to over 330 victims. Now, the Department of Justice says these efforts prevented more than what would have been $130 million in ransom payments being made by these victims, had they chosen to pay. So this is great. We've got this Hive ransomware group being probably, didn't know what was going on for a while. We know the infrastructure, or I should say, new samples of Hive stopped appearing apparently a couple of weeks before the takedown. That's what Group-IB, cybersecurity firm, has reported. It's not clear if that's because the FBI started getting a little bit more offensive in this disruption or if Hive maybe had a clue that something was wrong because their revenues weren't looking real great since middle of 2022, not clear what happened. But at the moment, Hive has gone dark. So, like I said, this is something to be celebrated. Not to be a party pooper, but I also did ask security experts. Do you think this is going to stick or do you think we could see Hive 2.0 or, you know, the son of Hive, the swarm stings back? Who knows what they'll come up with? We've seen this before.
REvil, aka Sodinokibi, got disrupted and rebooted at least a couple of times. DarkSide, Colonial Pipeline, got into a bit of bother with the geopolitical ramifications of that, and so announced that it would be shutting down operations, but to reboot it as BlackMatter and then as BlackHat. Same again with Conti, it retired the brand after it disastrously backed Russia's invasion of Ukraine. And that angered a lot of people. It's awesome, it's day to get leads, there's various other soap opera type stuff. But what the operators did was they quietly spun off other operations under new names, and then made a big splash about retiring, having already started up other operations. So what this gets to is that the profits from ransomware are still formidable. We've talked about how the number of attacks doesn't seem to be going down. And that's a concern, of course, for victims. Even victims, you get a free decrypter, I mean literally, a free decrypter because the FBI comes and says, "we're here to help you. Here's the decrypter." And you say, "thank you so much." That's good. But the trouble is your systems are still being disrupted. They've broken somehow. So there's going to be a lot of time, effort, focus on getting everything cleaned up and restored. That's not an instantaneous sort of endeavor. So, for victims, the pain is still real. The good news is we've seen the number of victims paying ransom go down over the last three or four months. We've seen that based on blockchain payments, also anecdotal evidence from firms that help ransomware victims. So we've got some really great trends here. Fewer organizations are paying, less money is going to ransomware gangs, we have infiltration of Hive, which, aside from being a pain for Hive, hopefully from a psychological operations perspective, sowed the seeds of doubt and confusion, not just for the core members of Hive, but for anyone who was working with them.
The feds will have been working overtime to get these people to reveal their identity. And unfortunately, a lot of them will be in or around Russia, which doesn't extradite its citizens. So as long as they keep their vacation plans restricted, i.e. Russia, they should be okay. If they travel abroad and the FBI or its international law enforcement partners know who they are, then their final destination might not be under their control. So, as I said, a lot of these people are operating in and around Russia; we're not going to be able to lock them up. The next best thing is to disrupt their operations, make it more costly, help victims, which is what's being done so that fewer want to pay, making their operations more costly. So this is positive news that we have here. Is it the end of Hive? Is the ransomware business model going to topple and die? I don't think so, unfortunately. But like I said, any good news is to be celebrated.
Delaney: Just following on for that, that was an excellent summary. Some people might say, "There haven't been any arrests. So will it make a difference?" You say, "Well, okay, it'll make operations more costly." Or is that not really the point here?
Schwartz: I think adding any amount of costs, and it doesn't just need to be arrests, but Hive will be spending or will have been spending a certain amount of money to try to amass victims. And that's just draining out unbeknownst to them, because their infrastructure got hit, law enforcement, possibly U.S. intelligence, who knows, and others were coming at them. So I do think making it more costly is a good thing. It's not going to cause change overnight. But if you can drive attackers, because you have a lot of interest here in hitting people online, ransomware is just one of the possible tools. It would be wonderful, though, if we could drive people to not use ransomware, the disruption it causes, the fallout, the national security implications, the health sector repercussions, as Marianne writes about. So you know, unfortunately, it has been documenting, has had the documents so frequently, because it's so frequent. Those are huge. So if there was other kinds of attacks, obviously we don't want to promote cybercrime. But if ransomware could go away, it would be a lot better for everybody. So hopefully criminals are being nudged in that direction. It's such a great moneymaker, though, for them, unfortunately, that it's going to take a lot of pushing to get them somewhere to a different place.
Delaney: Though, as you said, it might not be the end of Hive, but perhaps a little bite out of the ransomware ecosystem apple.
Schwartz: A wee sting, perhaps.
Delaney: Even better. So Marianne, on less good news this week, you've reported that the U.S. government and industry authorities are warning the healthcare sector of a surge of DDoS attacks in recent days against hospitals. Can you fill us in?
McGee: Sure, on that kind of Russian theme, on Monday, there were reports that about a dozen hospitals and healthcare entities, mostly in the U.S., but then also some in Europe, were hit with denial-of-service attacks by KillNet. And the attacks reportedly disrupted these organizations' websites and patient portals in some cases. And as you mentioned, authorities including the Department of Health and Human Services in the U.S., and the industry group, the American Hospital Association, quickly issued alerts for the healthcare sector. And by Tuesday, fortunately, when it goes back to this good news, bad news sort of thing, by Tuesday, it appeared that most of the hospitals in the U.S. that had been reportedly hit with these DDoS attacks had recovered their websites. Behind the scenes, I don't know if they're still cleaning up. But for the public facing, the websites seem to be working again. Now, one of the organizations that was hit told me on background that it did not take too long to restore services. But the incident was again yet the latest reminder of these assorted cyber threats that healthcare continues to face, including ransomware. And while these DDoS attacks were somewhat less disruptive, and more quickly recoverable than we see often with ransomware, for the healthcare sector, it's just one more thing that they really don't have the resources and time to deal with. They are still contending with ransomware threats, but other cybersecurity issues, as well as non-security issues ranging from serious staffing shortages to sort of the run on flu and still COVID cases and the virus that affects children, the respiratory virus that is getting a lot of kids hospitalized. So there's so many things that they're dealing with. They just don't need this right now. That all brings me to a conversation that I had the other day with U.S. Senator Mark Warner, a Democrat from Virginia. Warner is also the chair of the Senate Intelligence Committee.
He says that he's very much aware of the cyber challenges that the healthcare sector is facing. And ultimately he sees this as a major patient safety problem. Warner is working on legislation that he hopes to introduce sometime this year that would address some of the healthcare sector cybersecurity challenges. That includes the inconsistency of cybersecurity maturity among entities, and perhaps the possibility of a program that's more carrots than sticks, he says, that would encourage entities to apply a certain level of minimum security practices. But before going ahead with that legislation, he's trying to work with some of his bipartisan colleagues. Republicans often don't like anything that sort of rings of being mandatory, but they do realize the threats that this healthcare sector is facing. So he's trying to work perhaps some bipartisan legislation that could be introduced this year, either sort of bite-size provisions that might be part of other legislation, or perhaps a larger bill that is focused on healthcare sector cybersecurity, so we'll see what happens - good news, bad news.
Delaney: Yeah, for sure. And going back to KillNet, what do we know about their style of operating?
McGee: Well, from what I understand, what I'm told is that they - KillNet seems to be a little more amateurish compared to other groups that we've seen. But, you know, the thing that I thought was interesting in hearing about what was going on this week, and then also, that source that was at an organization that was hit, saying that they were able to restore things pretty quickly. I don't know if that's because it kind of reflects the level of, or maybe lack of, sophistication of KillNet, but I do know that there have been previous DDoS attacks on the healthcare sector that have not been so easy to recover from, and you know, that goes back to 2014. There was a kind of a high-profile child custody case in Boston and members of the hacker group Anonymous launched a DDoS attack on Boston Children's Hospital and another care facility that was sort of involved with the controversy. And not only did it knock out Boston Children's Hospital's systems for a few weeks, it also disrupted internet connectivity among other Boston area hospitals, so it had like a major effect. And then going back to the theme about bringing these hackers to justice, the hacker that was responsible for that DDoS attack on Boston Children's Hospital was actually prosecuted and received a 10-year federal sentence. But he was from Massachusetts, domestic. He didn't have to, you know, try to get somebody to come back from Russia. There was none of that. Yeah, he was here. They prosecuted him. And that was it.
Schwartz: I think KillNet and linking it with Anonymous there, what I've been hearing is that that is a great link. Because just as Anonymous, Anonymous says they're going to come get you. You mentioned the hospital example. But so often, it's hot air, or it's more about the publicity and less about the hacking smarts. It's more amateur. And what I've been hearing is that KillNet is much the same. Some security experts are saying, "Look, if you ignore them, they probably go away." People who have been in the Telegram channels that these pro-Kremlin KillNet participants participate in, a lot of them are saying, "Oh, this news outlet's written about how we've threatened so and so," or they say, "They're coming for so and so over here." And of course, anybody can rent DDoS attack time these days. And then they've got this badge on top of it, where it's called KillNet. But like Marianne says, it does seem to be pretty amateur. And it's one of these tricky problems of people who know what's going on. But that also gives it some of the oxygen it needs to sustain itself. So hopefully, it'll burn out. Hopefully, they'll run out of money before too long and can't pay these other DDoS services to increase their public profile.
McGee: Yeah, and then the other thing experts are saying, they're kind of - the KillNet group is kind of stirred up right now, because of the military equipment that's being shipped to Ukraine by NATO countries. And it just kind of riles them up. So let's hit some hospitals.
Delaney: Though perhaps more irritation than danger, but still a good reminder to focus on these defenses for healthcare organizations. Well, that's great, Marianne, thank you. Well, I'd like to share some interesting findings from an interview I conducted last week with James Lee of the Identity Theft Resource Center. And as you both know, the ITRC publishes an annual data breach report, and their latest one looks at data from the U.S. in 2022, which reveals a near record number of compromises, the second highest number since they began 17 years ago. But most interesting and alarming for me was something that James Lee labeled as a very troubling trend. And this is a sudden lack of transparency and important details in data breach notifications, which, of course, creates more risk for consumers. And the information that's missing is practically everything: information about the attack, how it happened, what was the result of the attack, and what has been done to prevent future attacks. So James told me that up until last year, virtually 100% of every breach notice included that information. Now, they're seeing only 58% provide that information. So that's a huge decline in a year. And I asked him what he thought might be behind this. And he said, "It's something that they're going to look into further this year." But essentially, according to U.S. law, if there's no actual harm to an individual from a data breach, they cannot sue in the federal court system. So businesses are withholding this information, because they're not legally required to do so. And, of course, it's bad PR for them, too. So why would they? James says this needs to change because it seems that we're going backwards not forwards. And he suggests that the U.S. should look to the EU, which states that a notice should be made in conjunction with a data protection authority. So I found that quite alarming. And I know Matt, you've studied these reports year after year.
I wonder if that stood out for you or anything else, perhaps?
Schwartz: Yes, Anna. I've been tracking data breaches really closely since California passed this pioneering state data breach notification rule back in, I think 2003-2004. And I thought data breaches might have been solved at some point along the way. I've been disabused of that notion now for a while, unfortunately, because they keep getting bigger and bigger. And so it's really alarming to me that the ITRC is seeing less and less information. Because this is used by other victims or potential victims, I should say, to prevent becoming a victim. They can see what's happened and move to bolster their own systems, like with Equifax. Imagine if none of that had become public, for example. It's also used by victims. The big intention of state database notifications is to empower consumers to say, "Look, somebody might have your information. They might be opening a bank account in your name," or whatever. When they might be hitting you with phishing attacks, "be aware, look at your statements." So these businesses that have mishandled your personal details say, "Oh, by the way, we messed up. And now we've left you holding the bag here, you might experience fraud." I wish the states had something like GDPR, where everyone has the right to have their personal data protected. It's a right, I should say. And there are severe repercussions if you violate that trust, that right. As Marianne was saying before, there are some in Congress, though, that don't want anything perceived to be mandatory. And so, we've got state laws, which are pretty much, with a couple of exceptions, at least, pretty much alerts or notification as to what I'm looking for, they are notification requirements, say, "sorry, we've screwed up. You may experience fraud," as opposed to Europe where "Oh, we've screwed up. And in the worst case, somebody might go to jail, slightly better case, we're going to pay a lot of money." So very different systems. Something needs to change, though.
Because if companies are going to spin these breaches, and get away with not alerting victims, not counting the victims is another thing that ITRC said. So it's the second highest that we know about in terms of victims, but like you say, if only 58% have this information, maybe things are even more horrible than we understand. So huge problem. I don't know what's going to change. But hopefully, we'll see some states rewriting their laws.
McGee: I'm just going to chime in about the U.S.: as much as people criticize HIPAA, you know, it's outdated, this and that. One good thing that it has is the requirement for organizations that have had breaches that affect 500 or more individuals to report it to the Department of Health and Human Services. And then the Department of Health and Human Services has this mandatory requirement as part of legislation that was signed into law years ago to post these on a public website. So you can go there, you can see who reported these breaches affecting 500 or more individuals, how many people were affected, you know, the breach notification letters they send out have to have certain minimum details. But the loophole here for organizations that do report these breaches is, and I'm not going to name them, but I can think of many organizations that I know that have had giant breaches, but they report them as affecting 500. They know it's thousands, maybe it's millions, but they say it's 500, they submit the bid, they report to HHS, you know, under that 60-day reporting deadline, they've got it in there. And then this thing stays posted on the public website looking like it only affected 500 people. But actually, it was many, many more and it's not updated. So it's kind of like bait and switch in some ways.
Schwartz: Gaming the system.
Delaney: Always a loophole. Well, speaking of games, our last question is around games and amusement parks. So you've been tasked with creating a cybersecurity themed amusement park. What would you call it?
McGee: Mine's pretty lame: Hacker World.
Delaney: That's not lame. I would go.
Schwartz: Great graphics. Great iconography. That's beautiful. My advanced persistent on, I say 'Military Grade Amusement.'
Delaney: That's very good. And well, mine is 'Pirates of the Internet.' More lame, I think. But aka Scammers Island and your mission is to reclaim the treasure from the scammers and it would be obviously a perilous journey with plenty of bugs and fish and whales. Got that. But it would be worth it, of course, all those risks. Well, thank you very much for that fun days of creativity at the end. And thank you so much for your insight, as always. Thank you.
Schwartz: Thanks for having us. Have us back sometime.
Delaney: Soon. Thank you. And thanks so much for watching. Until next time.