NIH among agencies targeted by Russian 'Cozy Bear' hackers, says WaPo

Breached network management software vendor SolarWinds has also listed the U.S. Centers for Disease Control and Prevention and Blue Cross Blue Shield as customers.
By Kat Jercich
03:05 PM

[This article has been updated to include a comment from Blue Cross Blue Shield representatives.]

The National Institutes of Health is among the federal agencies that have been victimized by Russian hackers, according to a report in the Washington Post.  

The NIH, the Department of Homeland Security, the State Department, the Department of the Treasury and the Department of Commerce were said to have been targeted by the hackers known as "APT29," or "Cozy Bear," likely part of Russian intelligence services.  

The hackers reportedly used updates for network management software from the SolarWinds company to breach the organizations.   

A December 13 archival snapshot of the SolarWinds website also lists the U.S. Centers for Disease Control and Prevention and Blue Cross Blue Shield as customers. (The site has since been taken down.)   

It is unclear whether the CDC or BCBS were affected by the intrusion, which impacted "fewer than 18,000" SolarWinds customers worldwide, according to a U.S. Securities and Exchange Commission filing from the company Monday.  

When asked whether it was among those 18,000 customers, the CDC directed Healthcare IT News to DHS, which did not respond.

After publication, BCBS representatives told Healthcare IT News, "We are aware of recent developments and our security team is assessing the situation, as appropriate."

WHY IT MATTERS  

The cybersecurity firm FireEye reported on Sunday that it had discovered a supply chain attack using SolarWinds Orion business software updates to distribute malware.   

"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals," said company representatives in a blog post.

The Cybersecurity and Infrastructure Security Agency issued an alert on Sunday directing all federal agencies to disconnect SolarWinds products immediately. As the FireEye blog post noted, the campaign may have been going on for months, perhaps since the spring.

The identities of those affected are continuing to trickle out. On the archived list of SolarWinds customers are, among others, the U.S. Postal Service, the U.S. Secret Service and the U.S. Department of Defense; telecommunications companies such as AT&T, Bellsouth, Sprint and Comcast Cable; Visa USA and MasterCard; and IT consulting firm Booz Allen Hamilton.  

"Nation state actors have been actively targeting the healthcare industry this year more than ever, and the largest risk factors right now likely lie in their third-party ecosystems. The sophistication and premeditation behind the SolarWinds breach indicates these are advanced, experienced hackers we're dealing with," said Vinny Troia, CEO and co-founder of Night Lion Security, in a statement to Healthcare IT News.

THE LARGER TREND  

Cybersecurity is of increasingly heightened concern as the U.S. workforce continues to conduct business at home, with the FBI, HHS and CISA warning of "increased and imminent" threats against the healthcare industry earlier this fall.  

Last week, CISA also warned of a vulnerability found in GE imaging devices, enabling access to and potential manipulation of protected health data.  

And the pending roll-out of the COVID-19 vaccine also presents bad actors with a number of targets, from the "cold chain" to physicians' devices at the point of care. In fact, Cozy Bear was also accused of targeting organizations involved with vaccine development and testing this summer.  

ON THE RECORD  

"The actors behind this campaign gained access to numerous public and private organizations around the world," read the FireEye blog.

"This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

"If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment," the post continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
