KANSAS CITY, Kan. (AP) — A North Korean military intelligence operative has been indicted in a conspiracy to hack into American health care providers, NASA, U.S. military bases and international entities, stealing sensitive information and installing ransomware to fund more attacks, federal prosecutors announced Thursday.
The indictment of Rim Jong Hyok by a grand jury in Kansas City, Kansas, accuses him of laundering the money through a Chinese bank and then using it to buy computer servers and fund more cyberattacks on defense, technology and government entities around the world.
The hacks on American hospitals and other health care providers disrupted the treatment of patients, officials said. He’s accused of targeting 17 entities across 11 U.S. states, including NASA and U.S. military bases, as well as defense and energy companies in China, Taiwan and South Korea.
For more than three months, Rim and other members of the Andariel Unit of North Korea’s Reconnaissance General Bureau had access to NASA’s computer system, extracting over 17 gigabytes of unclassified data, the indictment says. They also reached inside computer systems for defense companies in Michigan and California, as well as Randolph Air Force base in Texas and Robins Air Force base in Georgia, authorities say.
The malware enabled the state-sponsored Andariel group to send stolen information to North Korean military intelligence, furthering the country’s military and nuclear aspirations, federal prosecutors said. They’ve gone after details of fighter aircraft, missile defense systems, satellite communications and radar systems, a senior FBI official said.
“While North Korea uses these types of cyber crimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts have a direct impact on the citizens of Kansas,” said Stephen A. Cyrus, an FBI agent based in Kansas City.
Online court records do not list an attorney for Rim, who has lived in North Korea and worked at the military intelligence agency’s offices in both Pyongyang and Sinuiju, according to court records. A reward of up to $10 million has been offered for information that could lead to him or other foreign government operatives who target critical U.S. infrastructure.
The Justice Department has prosecuted multiple cases related to North Korean hacking, often alleging a profit-driven motive that sets the nation’s cybercriminals apart from hackers in Russia and China. In 2021, for instance, the department charged three North Korean computer programmers in a broad range of hacks including a destructive attack targeting an American movie studio and the attempted theft and extortion of more than $1.3 billion from banks and companies around the world.
In this case, the FBI was alerted by a Kansas medical center that was hit in May 2021. Hackers had encrypted its files and servers, blocking access to patient files, laboratory test results and computers needed to operate hospital equipment. A Colorado health care provider was affected by the same Maui ransomware variant.
A ransom note sent to the Kansas hospital demanded Bitcoin payments valued then at about $100,000, to be sent to a cryptocurrency address.
“Otherwise all of your files will be posted in the Internet which may lead you to loss of reputation and cause the troubles for your business,” the note reads. “Please do not waste your time! You have 48 hours only! After that the Main server will double your price.”
Federal investigators said they traced blockchains to follow the money: An unnamed co-conspirator transferred the Bitcoin to a virtual currency address belonging to two Hong Kong residents before it was converted into Chinese currency and transferred to a Chinese bank. The money was then accessed from an ATM in China next to the Sino-Korean Friendship Bridge connecting China and North Korea, according to court records.
In 2022, the Justice Department said the FBI seized approximately $500,000 in ransom payments from the money laundering accounts, including the entire ransom payment from the hospital.
An arrest of Rim is unlikely, so the biggest outcome of the indictment is that it may lead to sanctions that could cripple the ability of North Korea to collect ransoms this way, which could in turn remove the motivation to conduct cyber attacks on entities like hospitals in the future, according to Allan Liska, an analyst with the cybersecurity firm Recorded Future.
“Now, unfortunately, that will force them to do more cryptocurrency theft. So it’s not going to stop their activity. But the hope is that we won’t have hospitals disrupted by ransomware attacks because they’ll know that they can’t get paid,” Liska said.
He also noted that a Chinese entity was among the victims and questioned what the country, which is an ally of North Korea, thinks of being targeted.
“China can’t be too thrilled about that,” he said.
___
Goldberg reported from Minneapolis. Hollingsworth reported from Mission, Kansas. Associated Press reporter Alanna Durkin Richer contributed from Washington, D.C.
Opinions expressed by Entrepreneur contributors are their own.
In the first quarter of 2024, organizations faced an average of 1,308 cyberattacks per week, a 28% rise from the previous quarter and 5% year-over-year. Even more worrisome, cybercrime losses reached $12.8 billion in 2023 and are expected to hit $23.84 trillion by 2027.
Undoubtedly, securing your business in today’s digital business landscape isn’t just about protecting against cyber threats — it’s about resilience.
You can always fall victim to the latest threats, since cybercriminals are becoming increasingly sophisticated at sneaking into business networks. Hence, you need a more robust cybersecurity plan, backed by cyber resilience, that goes beyond conventional cybersecurity strategy.
Cyber resilience isn’t a buzzword; it’s a necessity and a proactive approach that goes beyond conventional security. It ensures your organization withstands and recovers from potential threats without much impact on your business.
In a nutshell, cyber resilience is about building walls of protection and having the resilience to bounce back stronger.
Let’s discover why embracing resilience should be a top priority for businesses to ensure continuity and future success in the ever-expanding cybersecurity landscape.
Cyber resilience is your organization’s ability to prevent, withstand and smoothly recover from cybersecurity incidents. Cyber resilience isn’t only about preventing cyberattacks — it’s about ensuring your organization can swiftly recover and continue to operate after an incident.
Nobody can predict the next threat to your organization and customers, especially in an era where machine learning and artificial intelligence have broadened the horizons and increased threat vectors.
Hence, a robust incident response plan is undeniably the need of the hour for businesses that are about to reinvent their cybersecurity posture.
Remember, a cybersecurity strategy lacking a robust incident response plan is good for nothing since cybercriminals are already exploring new ways to target end users and customers to exploit their personal information and gain access to sensitive business details.
On the other hand, cyber resilience not only ensures stringent cybersecurity against immediate threats but eventually mitigates long-term costs. Hence, investing in cyber resilience would surely safeguard your business from financial devastation and ensure smooth continuity.
Now that we’ve learned about cyber resilience and its importance, let’s emphasize how you can incorporate it into your business.
Most businesses mistake cyber resilience for cybersecurity. However, they are pretty different and hold their own importance at different levels.
Securing your organization against modern threats is crucial, but it’s also important to prepare for the worst. For example, you must have a plan to deal with a data or privacy breach.
If you wish to protect your organization from the latest threats, your cybersecurity must include a comprehensive cyber resilience checklist.
Whether it is regular audits, employee training, or advanced threat detection through technology, you must always be geared up to handle any cyber incident.
Your cybersecurity checklist to supercharge your cyber resilience
1. Regular security audits
Scheduled audits are crucial to uncover potential threats and vulnerabilities before cybercriminals can exploit them. Addressing the issues well in advance can help you prepare a solid plan for the worst-case scenario and bounce back stronger.
Here’s what you can do:
Look for outdated software: It’s crucial to check and update your defense software and firewalls since outdated software is more susceptible to ransomware attacks and other threats.
Incident response drill: Organizing an incident response drill will help identify gaps in your communication protocol and help you shorten response times during a cyberattack. Hence, scheduling quarterly incident response drills is crucial once you’ve completed the security audit.
Engage third-party experts: Involving third-party cybersecurity experts can provide an unbiased evaluation of your security measures and help create a robust cyber resilience program. Experts can uncover vulnerabilities your internal teams might overlook and help prepare an action response plan accordingly.
2. Strengthening your human firewall through employee training and awareness programs
Human error leads to cybersecurity breaches. Ensuring your employees are well-trained to handle any vulnerability is critical to building cyber resilience.
Regular training sessions: Regular training and updating your employees on the latest threat vectors and best practices are essential. Using real-world scenarios to illustrate various threats and their corresponding responses would shield your organization from potential threats and minimize losses during an unforeseen event.
Phishing simulations: Implementing phishing simulations to test your employees’ ability to recognize and respond to phishing attacks is crucial for safeguarding sensitive information. Using the results to identify improvement areas will help tailor training to minimize human error.
Clear policies and procedures: Establishing clear cybersecurity procedures and policies within your organization is crucial to building resilience. Ensure the policies are easily accessible and understood by everyone in the organization.
3. Building a robust incident response team is your frontline defense
A dedicated incident response team is all you need for swift and effective action during a cybersecurity incident. This will help minimize the impact, leading to fewer financial and reputational losses.
Define roles and responsibilities: You must clearly define roles and responsibilities for every team member, regardless of their job title and experience, so that everyone knows what to do as soon as an incident occurs.
Use modern tools and technologies: Threat intelligence tools, data encryption, multi-factor authentication (MFA) and Zero Trust architecture can reinforce your overall cyber resilience program.
Continuous improvement: Conduct a thorough review after every drill and incident to identify areas for improvement, and update your incident response plan based on the findings.
Final thoughts
In this modern digital business landscape, the increasing cyber threats and sophistication of cybercriminals demand next-level security — cyber resilience.
Cyber resilience is a vital strategy for businesses to ensure they stay up and running even in the event of a cyber incident and can quickly contain a breach without financial and reputational losses.
Hence, embracing cyber resilience shouldn’t be a luxury; it must be an essential pillar of your cybersecurity foundation.
WASHINGTON — One Monday morning in May, I woke up and grabbed my cell phone to read the news and scroll through memes. But it was out of cell service. I couldn’t make calls or texts.
That, though, turned out to be the least of my problems.
Using my home Wi-Fi connection, I checked my email and discovered a notification that $20,000 was being transferred from my credit card to an unfamiliar Discover Bank account.
I thwarted that transfer and reported the cell phone issues, but my nightmare was just starting. Days later, someone managed to transfer $19,000 from my credit card to the same strange bank account.
I was the victim of a type of fraud known as port-out hijacking, also called SIM-swapping. It’s a less-common form of identity theft. New federal regulations aimed at preventing port-out hijacking are under review, but it’s not clear how far they will go in stopping the crime.
Port-out hijacking goes a step beyond hacking into a store, bank or credit card account. In this case, the thieves take over your phone number. Any calls or texts go to them, not to you.
When your own phone access is lost to a criminal, the very steps you once took to protect your accounts, such as two-factor authentication, can be used against you. It doesn’t help to have a bank send a text to verify a transaction when the phone receiving the text is in the hands of the very person trying to break into your account.
Even if you’re a relatively tech-savvy individual who follows every recommendation on how to protect your tech and identity, it can still happen to you.
Experts say these scams will only increase and become more sophisticated, and the data show they are on the rise.
I am not the most tech-savvy person, but I am a law-school-educated journalist who specializes in finance reporting. Due to the very online nature of my job, I was taught all the methods of staying safe online: constantly changing my passwords with multi-factor authentication, signing out of apps that I don’t use regularly and keeping my personal information off the internet.
Still, despite being safe, I was vulnerable to criminals. And it took a lot of time and legwork before I got my money and phone number back.
The FBI Internet Crime Complaint Center reports that SIM-swapping complaints increased more than 400% from 2018 to 2021, with the center receiving 1,611 SIM-swapping complaints representing personal losses of more than $68 million.
Complaints to the FCC about the crime have doubled, from 275 complaints in 2020 to 550 reports in 2023.
Rachel Tobac, CEO of SocialProof Security, an online security company, says the rate of the crime is likely much higher since most identity thefts are not reported.
She also says two-factor authentication is an outdated way of keeping consumers safe, since it’s possible to find anyone’s phone number, birthday and social security number through any number of public or private databases on the web.
The ability of thieves to obtain your personal information was again made clear Friday when AT&T said the data of nearly all of its customers was downloaded to a third-party platform in a security breach two years ago. Although AT&T claims no personal information was leaked, cybersecurity experts have warned breaches involving telephone companies leave customers vulnerable to SIM swapping.
As of now, switching numbers from one phone to another is easy and can be done online or over the phone. The process takes less than a few hours so long as a criminal has your personal information on hand.
While consumers need to be smart about having a variety of different passwords and protections, consumers need to “put pressure on companies where it’s their job to protect our data,” Tobac said.
“We need them to update consumer protection protocols,” she said, since two-factor authentication is not enough.
FCC rules have recently changed to force companies to do more to protect consumers from this type of scam.
In 2023, the FCC introduced rules that require wireless providers to “adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider,” among other new rules. Companies could require more information when a customer tries to port a phone number over to another phone, such as government identification, voice verification or additional security questions.
The rules were scheduled to take effect on July 8, but the FCC on July 5 granted phone companies a waiver that delays implementation until the White House Office of Management conducts a further review.
The wireless industry had sought the delay, stating among other reasons that companies need more time to comply. CTIA, which lobbies on behalf of the companies, said the new rules will require major changes in technology and procedures both within the wireless companies and in their interactions with phone manufacturers.
But if the FCC rules had been in place, my phone number might have been harder to steal, experts say.
Ohio State University Professor Amy Schmitz says the new FCC rules make it easier for consumers to protect themselves, but they still rely on action and awareness by consumers.
“I still question whether consumers will be aware of this, and will take action to protect themselves,” she said.
It took ten days to get my number back from Cricket Wireless — and that wasn’t until I told company representatives that I was writing a story about my experience.
In that period of time the scammer was able to access my bank account three times and eventually successfully transferred $19,000 from my credit card — even though I removed my number from the bank account, froze my credit and changed all my passwords, among other measures.
Bank of America worked to reverse the $19,000 wire after I visited a branch near the AP bureau in Washington.
Cricket apologized for the error and said in an email that its “expectation is to deliver a much better customer experience.”
“Fraudulent port-outs are a form of theft committed by sophisticated criminals,” reads a company statement that was emailed to me. “We have measures in place to help defeat them, and we work closely with law enforcement, our industry and consumers to help prevent this type of crime.”
An AT&T representative told me in an email that “all providers are working to implement the FCC’s new rules on port-outs and SIM swaps.”
I’m still unsure of how this person got access to my accounts, whether through my social security number, phone number or date of birth, or possibly a recording of my voice.
It was a hard lesson in how vulnerable we are when we lose control of our personal information, which is so publicly available.
The data of nearly all customers of the telecommunications giant AT&T was downloaded from a third-party platform in a security breach, the company said Friday, as cyberattacks against businesses, schools and health systems continue to spread globally.
The breach, which took place in April of this year but mostly involved data from 2022, hit AT&T’s cellular customers and customers of mobile virtual network operators using AT&T’s wireless network, as well as landline customers who interacted with those cellular numbers.
Approximately 109 million customer accounts were impacted, according to AT&T, which said that it currently doesn’t believe that the data is publicly available.
“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information,” AT&T said Friday.
The compromised data also doesn’t include some information typically seen in usage details, such as the time stamp of calls or texts, the company said, or customer names. AT&T, however, said that there are often ways of using publicly available online tools to find the name associated with a specific telephone number.
Cybersecurity experts concurred, saying that such data can be used to trace users.
“While the information that was exposed doesn’t directly have sensitive information, it can be used to piece together events and who may be calling who. This could impact people’s private lives as private calls and connections could be exposed,” Thomas Richards, principal consultant at Synopsys Software Integrity Group, said in an emailed statement. “The business phone numbers will be easy to identify and private numbers can be matched to names with public record searches.”
An internal investigation determined that compromised data includes AT&T records of calls and texts between May 1, 2022 and Oct. 31, 2022.
AT&T identified the third-party platform as Snowflake and said that the incident was limited to an AT&T workspace on that cloud company’s platform and did not impact its network.
Cybersecurity experts say the sheer volume of data held by companies on cloud platforms can create its own perils.
“The AT&T data breach underscores the growing risks associated with the vast amounts of data companies now store on cloud and SaaS platforms,” said Roei Sherman, Field Chief Technology Officer at Mitiga, a threat detection and investigation company that focuses on cloud technology. “As organizations increasingly rely on these technologies, the complexity of detecting and investigating breaches has risen sharply.”
AT&T’s investigation is ongoing and it has engaged with cybersecurity experts to understand the nature and scope of the criminal breach. At least one person has been apprehended so far, according to the company.
Compromised data also includes records from Jan. 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included.
The Federal Bureau of Investigation said that it has worked collaboratively with AT&T and the Justice Department “through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
The Department of Justice said Friday that it became aware of the breach early this year, but that it met the security standard for a delayed filing by AT&T with the U.S. Securities & Exchange Commission, a filing that was made public Friday.
The DOJ said an earlier disclosure of the breach would “pose a substantial risk to national security and public safety.”
The Federal Communications Commission is also investigating.
The year has already been marked by several major data breaches, including an earlier attack on AT&T. In March AT&T said that a dataset found on the “dark web” contained information such as Social Security numbers for about 7.6 million current AT&T account holders and 65.4 million former account holders.
Some auto dealerships are still using pens and paper to close deals after back-to-back cyberattacks last month on a company that supplies them with software. That company, CDK Global, is still attempting to reestablish normal operations.
Alabama’s education superintendent said earlier this month that some data was “breached” during a hacking attempt at the Alabama State Department of Education.
Cybersecurity experts are warning that hospital systems around the country, which have already been targeted, are at risk for more attacks and that the U.S. government is doing too little to prevent breaches.
Shares of AT&T Inc., based in Dallas, fell slightly on Friday.
___
This story was first published on July 12, 2024. It was updated on July 13, 2024, to correct when the breach occurred and where the data came from. The data was mostly from 2022, but the breach occurred in April 2024. The data was downloaded from a third-party platform, not to a third-party platform.
LONDON — Everyone has too many passwords. The credentials we need to remember to navigate online life keep multiplying, not just for frequently used email, banking, social media, Netflix and Spotify logins, but also, say, the little-known e-commerce site you’re not sure you’ll buy from again.
According to some unscientific studies, the average person has hundreds of passwords. That’s a lot to keep track of. You might be tempted to recycle them, but it’s one of the bad password habits that cybersecurity experts warn against.
Instead, use a password manager. They’ve been around for a while and can be useful tools to keep on top of your credentials. But they can also be intimidating for those who aren’t tech-savvy.
Here’s a guide on how to use them:
Many people just use the same password for all their online accounts, mainly because it’s the most convenient thing to do.
Don’t!
If your credentials are caught in a cyber breach, the hackers could try using the stolen passwords to get into other services.
Other no-nos: Using easily guessed information like birthdays, names of family members, favorite sports teams, or simple phrases like abc123.
The best strategy, experts say, is to use a different password for each account, the longer and more complex the better, backed up by two-factor authentication where possible.
But it’s impossible to remember all those various codes. So let a password manager do the job.
The basic concept is simple: Your passwords are stored securely in a digital vault. When you need to access an online service, it auto-fills the login and password fields. The only thing you’ll need to remember is a single password to open the password manager.
Most password managers have a smartphone app that works with mobile browsers and other apps and can be opened with a thumbprint or facial ID scan. If you’re using a computer, you can also log in to your password vault through a browser plug-in or by going to a website.
A good password manager should also be able to generate complex passwords with letters, numbers and symbols, for whenever you’re setting up a new account. And it should also recognize that you’re signing into an online service for the first time and ask if you want to save the credentials you’ve entered.
Password managers can also help you avoid falling prey to phishing scams. Those deceptive emails from fraudsters trying to trick you into clicking a link to a phony website designed to harvest login details? A password manager won’t automatically fill in the details if the web address doesn’t match the one linked to the saved password.
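The origin check described above, as an added example that is not from the AP article or any particular password manager: a toy vault that keys each saved credential on the scheme, host and port it was saved for, and refuses to fill on lookalike domains, user@host tricks, homoglyph hosts or plain-HTTP pages. All URLs and credentials are constructed sample data.

```javascript
// Reduce a URL to the origin a password manager keys credentials on:
// scheme + host + port. Returns null for anything it should never fill.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // unparseable; never fill
  }
  if (url.protocol !== "https:") return null; // refuse to fill over plain HTTP
  // url.hostname already excludes any "user@" prefix and is IDNA-normalised,
  // so "https://login.bank.example@evil.example/" resolves to evil.example and
  // a Cyrillic look-alike letter becomes a distinct punycode label.
  const port = url.port ? ":" + url.port : ""; // default ports normalise to ""
  return `${url.protocol}//${url.hostname}${port}`;
}

// Minimal in-memory vault: save() records the origin the credential belongs
// to; autofill() returns a credential only for an exact origin match.
function createVault() {
  const entries = [];
  return {
    save(urlString, username, password) {
      const origin = originOf(urlString);
      if (!origin) throw new Error("refusing to save for non-HTTPS or unparseable URL");
      entries.push({ origin, username, password });
    },
    autofill(currentUrl) {
      const origin = originOf(currentUrl);
      if (!origin) return null;
      return entries.find((e) => e.origin === origin) ?? null;
    },
  };
}

// Constructed scenario: one saved login, then several pages the user might land on.
function demo() {
  const vault = createVault();
  vault.save("https://login.bank.example/signin", "alice", "correct-horse-battery-staple");
  return {
    legit: vault.autofill("https://login.bank.example/signin?next=/accounts"),
    lookalike: vault.autofill("https://login.bank-example.com/signin"),
    userinfoTrick: vault.autofill("https://login.bank.example@evil.example/signin"),
    homoglyph: vault.autofill("https://login.b\u0430nk.example/signin"), // Cyrillic "а"
    downgrade: vault.autofill("http://login.bank.example/signin"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the first page receives the credential; every other case returns null, which is the behaviour that makes a manager a phishing defence rather than just a memory aid.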
They don’t just store passwords. You can save bank and credit card PINs, for example. Many also support passkeys, a new technology that companies like Google have been rolling out as a safer alternative to passwords.
There are dozens of password managers on the market, so it can be hard to figure out what’s best for you.
Better-known platforms include 1Password, Bitwarden, Dashlane, Bitdefender, NordPass, Keeper and KeePass.
Check out the many tech review websites that have conducted in-depth testing and compiled rankings of the most popular services. If you want to nerd out, users on Reddit have drawn up spreadsheets with side-by-side comparisons. Britain’s National Cyber Security Centre has a buyer’s guide.
Most services have free and paid versions. The paid options typically cost a few dollars a month while the free offerings tend to have restrictions like allowing only one device to be logged in at a time or limiting the number of passwords you can store.
If cost is a factor, Bitwarden’s free service gets top marks from reviewers, though it’s less polished and not as immediately intuitive to use.
A good password manager will work across different devices and platforms, with apps for Windows and Mac computers and iOS and Android devices, and plugins for browsers like Chrome, Safari, Firefox, Edge, Brave and Opera.
There are also basic browser-based password managers as well as Apple’s iCloud Keychain for Macs and iOS devices. The iPhone maker is aiming more directly at the market with a new Passwords app that will roll out in the fall.
Cybersecurity worries around password managers flared up after one service, LastPass, reported a security breach, leading experts to recommend avoiding it.
Don’t let that put you off. For one thing, experts advise that saving credentials in a password manager is much safer than letting, for example, e-commerce sites do it.
Good password managers encrypt the vault so that anyone who obtains the stored file, whether from your device or from the provider’s servers, cannot read it without the master password. That is also why the master password itself needs to be long and used nowhere else.
Many services use AES-256 encryption, a standard widely regarded as among the strongest available “and impossible to be brute-forced by today’s technology,” said Pieter Arntz, senior malware intelligence researcher at cybersecurity company Malwarebytes.
Strong encryption “ensures that even if your computer or your password manager is compromised, the attacker cannot simply read all your passwords, because they are stored encoded and the attacker will need the master password to decode them,” Arntz said.
A good password manager should also undergo regular independent security audits and inform users quickly if there’s a breach.
Many services store the encrypted vault in the cloud. If that worries you, some let you keep it only on your own device, though setting that up can be more involved.
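The vault, the master password and the origin check described in the last few paragraphs, written out as an added example for this page rather than code from the AP article or from any product named in it. It is Go using only the standard library: the master password goes through a key-derivation function (PBKDF2-HMAC-SHA256, implemented inline) to produce the AES-256 key; the entries are sealed with AES-256-GCM so a wrong password or a tampered file fails closed; autofill refuses any page whose host is not the saved origin or a subdomain of it; and GuessMaster shows the one attack the cipher does not stop, offline guessing of a weak master password against a stolen vault. The iteration count, the sample entry, the wordlist and the domains are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Credential is one saved login; Origin is the host it was saved for. Vault is the stored
// form: everything a thief gets from a stolen vault file or cloud copy.
type Credential struct{ Origin, User, Pass string }
type Vault struct{ Salt, Nonce, Box []byte }

const kdfIters = 50_000 // assumption, kept low to run fast; real managers use far more or Argon2

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, the AES-256 key.
func pbkdf2(master, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// unlock derives this vault's AES-256-GCM; with a 32-byte key neither constructor can fail.
func unlock(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2([]byte(master), salt, kdfIters))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts the credentials under a fresh random salt and nonce.
func Seal(master string, creds []Credential) (Vault, error) {
	rnd := make([]byte, 28)
	if _, err := rand.Read(rnd); err != nil {
		return Vault{}, err
	}
	v := Vault{Salt: rnd[:16], Nonce: rnd[16:]}
	var sb strings.Builder
	for _, c := range creds {
		fmt.Fprintf(&sb, "%s\t%s\t%s\n", c.Origin, c.User, c.Pass)
	}
	v.Box = unlock(master, v.Salt).Seal(nil, v.Nonce, []byte(sb.String()), nil)
	return v, nil
}

// Open fails closed: a wrong master password or a tampered Box is an error, never garbage.
func Open(master string, v Vault) ([]Credential, error) {
	plain, err := unlock(master, v.Salt).Open(nil, v.Nonce, v.Box, nil)
	if err != nil {
		return nil, errors.New("wrong master password or tampered vault")
	}
	var creds []Credential
	for _, line := range strings.Split(string(plain), "\n") {
		if f := strings.Split(line, "\t"); len(f) == 3 {
			creds = append(creds, Credential{f[0], f[1], f[2]})
		}
	}
	return creds, nil
}

// Autofill is the anti-phishing check: fill only over HTTPS and only when the page host is the
// saved origin or a subdomain of it, so examp1e.com and example.com.evil.net never match.
func Autofill(creds []Credential, pageURL string) (Credential, error) {
	u, err := url.Parse(pageURL)
	if err != nil || u.Scheme != "https" {
		return Credential{}, errors.New("refusing to fill: not an https page")
	}
	host := strings.ToLower(u.Hostname())
	for _, c := range creds {
		if host == c.Origin || strings.HasSuffix(host, "."+c.Origin) {
			return c, nil
		}
	}
	return Credential{}, fmt.Errorf("no saved login for %s", host)
}

// GuessMaster is the attack AES does not stop: offline guessing of the master password
// against a stolen vault. The KDF slows each try; a guessable master password still falls.
func GuessMaster(v Vault, candidates []string) (string, bool) {
	for _, c := range candidates {
		if _, err := Open(c, v); err == nil {
			return c, true
		}
	}
	return "", false
}

func main() { // constructed sample: one entry; master password taken from the article's no-no list
	creds := []Credential{{"example.com", "alice", "Xq7!pL2#vR9z"}}
	weak, _ := Seal("abc123", creds)
	fmt.Println(GuessMaster(weak, []string{"password", "123456", "abc123"})) // abc123 true
	fmt.Println(Autofill(creds, "https://examp1e.com/login"))                // refused: lookalike host
	fmt.Println(Autofill(creds, "https://login.example.com/"))               // alice's entry, no error
}
```

Run as is, the vault sealed with abc123 falls to a three-word list while the same vault under a long passphrase would not; the point is that AES-256 protects the vault exactly as well as the master password and the key-derivation cost behind it, which is why real managers pair a strong cipher with a deliberately slow KDF and why the master password must never be one of the no-nos above.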
Car dealers across the U.S. are floundering after cyberattacks this week on CDK Global, a maker of software used to operate their businesses, made it all but impossible to sell vehicles.
Tom Maioli, who owns Celebrity Motor Car Company, which operates five luxury car dealerships across New York and New Jersey, told CBS MoneyWatch his business is “completely shut down.”
“We cannot process paperwork. Everything is frozen, everything is tied up — we cannot move money back and forth to pay off cars, to finance our customers’ transactions,” he said.
Such disruptions are particularly damaging to sales-driven businesses like auto dealerships, where car shoppers who are primed to lay down their cash on a vehicle may walk away when faced with frustrating delays. Maioli said that while he’s trying to keep customers engaged, he has no sense of when his sales systems will be fully functional again, leaving the business in limbo.
The company’s dealer management system, which is used by some 15,000 dealerships, remained unavailable Thursday and Friday, causing headaches for dealers and would-be car buyers.
For one family in New Jersey, the outage meant they couldn’t drive away with their new Audi Q5. Daniel Lanni told Bloomberg his family was expecting the vehicle to be delivered on June 19, but that it now remains unclear when they’ll take possession.
“The kids were really excited,” Lanni, a 41-year-old commercial real estate broker, told Bloomberg. “They’re upset and now they’re just regularly asking about it.”
On Wednesday, CDK Global took down its services as a precaution, effectively bringing sales to a halt for its customers. A second cyberattack this week has compounded the problem.
CDK has indicated that the outage could last several days and has not publicly announced when it expects its services to be fully restored. The financial repercussions of the tech failure are expected to be substantial given that CDK powers sales for roughly half of the car dealerships in the U.S.
“Royal pain in the rear”
Geoff Pohanka, chairman of Pohanka Automotive Group, told CBS MoneyWatch that 20 of the company’s dealerships rely on CDK’s dealer management system, or DMS, to operate.
“We are very dependent upon the DMS, and it affects all parts of our business,” he said. “It generates all of our forms. If you come in, we enter you in the system, it builds a file in terms of paperwork and finance papers, and right now none of that is functioning.”
Pohanka, who said the dealership still has phone and internet service, said the business is doing its best to keep sales rolling. “We may not be able to have all the documents signed and will need to bring the customer back in to complete them, but we still can function,” he said, while conceding that “everything takes longer [and] is more complicated.”
The DMS outage also affects the company’s service and parts department. Typically, the dealership uses CDK software to generate electronic contracts and print out work orders. Now, they’re operating manually, which is slower.
“We will certainly lose business because it takes longer to complete transactions, and some things will fall through the cracks. There will be losses,” Pohanka said. “It’s debilitating, and the longer it goes on the harder it will be for dealers. I know we will lose revenue. It really is a royal pain in the rear.”
Sport Honda, a Honda dealer and CDK customer in Silver Spring, Md., is also scrambling to continue serving customers.
“It’s a difficult task, but there was paper before there were computers so we have to go about it that way,” a dealership manager told CBS MoneyWatch. “You can move around the computer software and go back and do things like you did back in the day.”
Employees at other dealerships took to social media forums to say they were tracking orders on “sticky notes” or using Excel spreadsheets to log transactions.
For CDK, the fallout may not only be technological. Maioli, the car dealership owner, said he’s retained legal counsel and is mulling a class-action lawsuit against the company.
Megan Cerullo is a New York-based reporter for CBS MoneyWatch covering small business, workplace, health care, consumer spending and personal finance topics. She regularly appears on CBS News 24/7 to discuss her reporting.
SALEM — Salem State University announced this week that it received a $624,437 grant to establish and operate a cybersecurity training facility on campus.
The grant is part of the state’s Security Operations Center (SOC) Cyber Range Initiative, a program managed by Mass Tech’s MassCyberCenter that aims to help build a diverse generation of cybersecurity professionals through education, training and workforce development, according to a news release.
“Massachusetts is committed to leading in cybersecurity and ensuring that all communities have the skills, resources and capacity to protect their businesses and residents,” Gov. Maura Healey said. “Congratulations to Salem State on this award and their efforts to grow the cyber workforce.”
Lt. Gov. Kim Driscoll said how proud she is, “as Salem’s former mayor and a Salem State graduate … of the work the university is doing to teach students critical cybersecurity skills.
“Cybersecurity affects every part of our community whether you are a small business, elementary school or local government office. The more cybersecurity professionals we have, the more we can ensure our communities are protected online,” Driscoll said.
“Salem State is grateful to the Healey-Driscoll Administration and the MassCyberCenter for selecting us for this important partnership,” Salem State President John Keenan said. “This type of investment and professional relationships are a win-win for everyone involved.
“Like our nursing and occupational therapy simulation labs, the CyberRange will imitate real-world problems for students to solve in real time,” he said.
The funding is expected “to promote cybersecurity while also ensuring Massachusetts stays competitive in modern economic development,” said Yvonne Hao, state secretary of economic development and board chair of the Massachusetts Technology Collaborative.
Salem State will join Bridgewater State University, Springfield Technical Community College and MassBay Community College as a critical part of a statewide network of cybersecurity educators, MassCyberCenter Director John Petrozzelli said.
The award will support capital expenditures to construct the CyberRange and expenditures for the first year of operations.
The center is expected to promote the Massachusetts cybersecurity ecosystem by working to build a strong cyber talent pipeline and to strengthen the defense of local communities.
A hacking group claims it’s breached global events giant Ticketmaster and stolen the details of 560 million customers.
The group, named ShinyHunters, said on an online forum that the stolen data includes the names, addresses, phone numbers and partial credit card details of Ticketmaster customers.
The data was available for $500,000 in a “one-time sale,” the group’s post said.
The Australian government said Thursday it was investigating the claims, and the FBI has offered assistance to Australian authorities, a spokesman for the U.S. Embassy in Canberra told Agence France-Presse.
“The National Office of Cyber Security is engaging with Ticketmaster to understand the incident,” an Australian government spokesperson said in a statement. It urged people with “specific inquiries” to contact Ticketmaster directly.
AFP has contacted Ticketmaster seeking comment.
Ticketmaster and its parent company, Live Nation, haven’t commented on the supposed breach.
There was no confirmation that it had occurred and the authenticity of the dataset offered by ShinyHunters couldn’t be immediately verified.
The hack was first reported by the websites Hackread and Australia-based CyberDaily.
ShinyHunters’ hacking history
ShinyHunters burst into notoriety in 2020-21 when it put up huge troves of customer records from more than 60 companies, according to the U.S. Justice Department.
In January, a court in Seattle jailed Sebastien Raoult, a French computer hacker who was a member of ShinyHunters.
He was sentenced to three years in prison and ordered to pay more than $5 million in restitution after pleading guilty to conspiracy to commit wire fraud and aggravated identity theft.
Prosecutors said the extensive hacking caused millions of dollars in losses to companies that were victimized and “unmeasurable additional losses” to hundreds of millions of people whose data was sold to other criminals.
Hacks are impacting more people with increasingly severe consequences, Katina Michael, a cybersecurity professor at Australia’s University of Wollongong, told AFP.
The number of people hacked “will grow, it could be up to one billion in the future,” she said.
Governments, companies and consumers aren’t doing enough to protect themselves or investing in basic protection mechanisms such as two-factor authentication, Michael warned.
Justice Department suing Ticketmaster and Live Nation
Ticketmaster, which is based in Beverly Hills, operates one of the largest online ticket sales platforms in the world.
The Justice Department filed a federal lawsuit last week accusing Ticketmaster and its parent company Live Nation of illegally monopolizing the live entertainment industry to the detriment of concertgoers and artists alike.
In a 128-page civil suit filed in U.S. District Court for the Southern District of New York, federal officials alleged that Live Nation has illegally thwarted competition and unduly burdened consumers in part through its ownership of Ticketmaster, which effectively gives it control over much of the market for live entertainment.
Justice Department officials said they’re seeking structural changes to how the company does business, which could include breaking the two entities apart.
In 2022, Ticketmaster’s mishandling of ticket sales for Taylor Swift’s The Eras Tour prompted enormous public outcry over Live Nation’s hold on the entertainment and ticketing industries. The Justice Department’s Antitrust Division was already investigating the company when the Swift fiasco unfolded, CBS News previously reported.
WASHINGTON — Consumer labels designed to help Americans pick smart devices that are less vulnerable to hacking could begin appearing on products before the holiday shopping season, federal officials said Wednesday.
Under the new U.S. Cyber Trust Mark Initiative, manufacturers can affix the label on their products if they meet federal cybersecurity standards. The types of devices eligible for labels include baby monitors, home security cameras, fitness trackers, refrigerators and other internet-connected appliances.
The White House first announced the “Cyber Trust” labels last year and the Federal Communications Commission finalized the details in March, clearing the way for the labels to start showing up in several months.
“You should hopefully, by the holiday season, start to see devices that have this trustmark on it,” said Nicholas Leiserson, the assistant national cyber director for cyber policy and programs. Leiserson made his comments Wednesday during a cybersecurity panel at Auburn University’s McCrary Institute in Washington.
The labels will also include QR codes that consumers can scan for security information about their devices.
Officials have likened the labels to the Energy Star program, which rates appliances’ energy efficiency, and say the idea is to empower consumers while also encouraging manufacturers to enhance their cybersecurity.
Amazon, Best Buy, Google, LG Electronics USA, Logitech and Samsung are among industry participants.
The proliferation of so-called smart devices has coincided with growing cybercrime in which one insecure device can often give cyberintruders a dangerous foothold on a home network.
HELSINKI — A Finnish court on Tuesday sentenced a 26-year-old man to six years and three months in prison for hacking thousands of patient records at a private psychotherapy center and seeking ransom from some patients over the sensitive data.
The case has caused outrage in the Nordic nation, with a record number of people — about 24,000 — filing criminal complaints with police.
In February 2023, French police arrested well-known Finnish hacker Aleksanteri Kivimäki, who was living under a false identity near Paris. He was deported to Finland. His trial ended last month.
The Länsi-Uusimaa District Court said Kivimäki was guilty of, among other things, aggravated data breach, nearly 21,000 aggravated blackmail attempts and more than 9,200 aggravated disseminations of information infringing private life.
The court called the crimes “ruthless” and “very damaging” considering the state of people involved.
According to the charges, Kivimäki in 2018 hacked into the information system of the Vastaamo psychotherapy center and downloaded its database of some 33,000 clients.
Vastaamo, which declared bankruptcy in 2021, had branches throughout the country of 5.6 million people and operated as a sub-contractor for Finland’s public health system.
Prosecutors said Kivimäki first demanded that Vastaamo pay him an amount equivalent to around 370,000 euros ($396,000) in bitcoins in exchange for not publishing the patient records.
When the center refused, Kivimäki in 2020 began publishing patient information on the dark web and sent patients messages demanding a ransom of 200 euros or 500 euros. About 20 patients paid, prosecutors said.
Kivimäki denied all charges. His lawyer said he would likely appeal. Prosecutors had sought seven years in prison, the maximum for such crimes under Finnish law.
Kivimäki was first convicted at age 15 after hacking into over 50,000 servers with software he developed, Finnish newspaper Ilta-Sanomat reported in 2022.
In the United States, he was convicted over hacking cases involving the U.S. Air Force and Sony Online Entertainment.
Cybersecurity investigators worry ransomware attacks may worsen as young, native-English speaking hackers in the U.S., U.K. and Canada team up with Russian hackers.
In the past year, hospitals, pharmacies, tech companies, and Las Vegas’ biggest hotels and casinos have been paralyzed by “ransomware” attacks, in which hackers break into a corporate network, encrypt, or lock up, critical files and hold them hostage until a ransom is paid. It’s a crime that has been growing more costly and disruptive every year. Now cybersecurity researchers fear it’s about to get worse, with the emergence of an audacious group of young criminal hackers from the U.S., U.K. and Canada the FBI calls Scattered Spider. More troubling, they have teamed up with Russia’s most notorious ransomware gang.
This past September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts – costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas strip: MGM Grand, Aria, Mandalay Bay, New York-New York, the Bellagio.
Anthony Curtis is a Las Vegas fixture. He’s so good at counting cards, he’s been banned from card games here. He now publishes the “Las Vegas Advisor,” a monthly newsletter on all things Vegas.
Anthony Curtis: Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect.
Across the Vegas strip… thousands of slot machines suddenly stopped paying out.
Anthony Curtis: So all of a sudden now people are goin’, “How do I get my money? What’s wrong?” And the people were sitting there waiting and couldn’t get paid.
Bill Whitaker: Were they angry?
Anthony Curtis: They were getting angry, yeah. And this was just the tip of the iceberg.
Elevators were malfunctioning… parking gates froze… digital door keys wouldn’t work. As computers went down, reservations locked up and lines backed up at the front desks.
Anthony Curtis: Anything that required technology was not working.
Bill Whitaker: Sounds like chaos.
Anthony Curtis: Nobody knew what to do and including the employees. The employees just had to, you know, beg forgiveness and patience.
Bill Hornbuckle (at October conference): Look, it’s corporate terrorism at its finest.
The company declined our interview request, but at a conference a month after the hack, MGM’s CEO admitted the disruptions were devastating.
Bill Hornbuckle (at October conference): For the next four or five days with 36,000 hotel rooms and some regional properties we were completely in the dark.
The hackers demanded $30 million to unlock MGM’s data. The company refused. But they still paid a price – $100 million in lost revenue and millions more to rebuild their servers.
So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker, impersonating the employee, called the MGM Tech Help Desk and convinced them to reset his password.
With that, the hacker was inside MGM’s computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminal’s version of an Ocean’s Eleven heist.
Anthony Curtis: They’re doing it the old-fashioned way. I mean, they’re doin’ it the new way but with the old-fashioned goal. They wanna get the money.
Bill Whitaker: What do you make of that?
Anthony Curtis: I don’t wanna be too glowing like I– like I like these guys ’cause they’re– they’re just crooks, right? But these hackers were able to turn the tables. The casinos have their– they have their systems. They have their protections. They have their experts. They have their security. These guys are better.
Later, MGM’s biggest competitor, Caesars, admitted it also suffered a social engineering attack around the same time, suspected to be the work of the same group. But Caesars paid a ransom, reportedly $15 million, and suffered no disruptions.
Bryan Vorndran: From an FBI perspective, our position is we recommend a ransom not be paid. But we understand it’s a business decision during a time of crisis.
Bryan Vorndran is head of the FBI’s Cyber Division. He told us ransomware attacks have grown increasingly brazen.
Bryan Vorndran: Any way you look at the numbers it’s a problem for the global economy, and for the U.S. economy, and for the security of the United States. There’s estimates that global losses exceed $1 billion U.S. per year.
Bill Whitaker: Have you made any arrests in the Las Vegas cases?
Bryan Vorndran: We’re not gonna talk about specific cases or specific companies.
But he did point us toward the prime suspect.
Bryan Vorndran: When we talk about the actors behind some of the more recent ransomware attacks, the name that’s generally raised is Scattered Spider. And that’s a criminal group that we have a lot of attention on because of the havoc they’re wreaking across the United States.
Scattered Spider is what the FBI calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks – and dozens more. Their specialty is social engineering.
Allison Nixon: Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something.
Allison Nixon is chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals. She says Scattered Spider is just one of many illicit hacking groups — all part of a sprawling collection of online criminals calling themselves “the Community,” or “the Com.”
Allison Nixon: The Com is a subculture. It is specifically an English-speaking youth subculture that has arisen in the past few years. It’s very new, but it’s surprisingly disruptive.
Members of the Com have hacked into companies like Microsoft, Nvidia, and Electronic Arts.
Bill Whitaker: How many people are involved?
Allison Nixon: Years ago, it was maybe a few hundred people. But since 2018 the population has exploded because of the money coming into these groups. And there’s thousands of people involved at this point.
Bill Whitaker: How are they connected?
Allison Nixon: They connect over the internet. Social spaces where people hang out. Gaming servers. It’s almost analogous to like maybe the back alley where the bad kids hang out but on the internet.
Bill Whitaker: How old are we talking about?
Allison Nixon: Males under the age of 25.
Bill Whitaker: Under 25 down to how young?
Allison Nixon: Like 13, 14.
Bill Whitaker: Involved in pulling off major crimes?
Allison Nixon: Yeah.
Members communicate and post pictures on messaging apps like Telegram – their chatter, a toxic stew of racism, sexism… boasting about the money they’ve scammed, and how menacing they are.
Allison Nixon: There are these toxic online spaces where young people can socialize and mingle with criminals and gang members. And the end result of all of this is this online subculture has formed that glorifies crime, that measures one’s personal worth by how much harm they can cause the world.
Scattered Spider is one of the most sophisticated offshoots of “the Com.” Their criminal exploits caught the attention of cybersecurity companies… and other hackers… including the most notorious Russian ransomware gang, BlackCat. They saw the young native English-speaking Westerners as a force multiplier. Both claimed credit for the MGM attack.
Allison Nixon: Historically speaking, Russian cyber criminals did not like working with Western cyber criminals. There was not only a language barrier, but also they kinda looked down on them and viewed them as unprofessional.
The Russian and Western hackers met in the shadowy corners of the dark web and now are powerful partners in crime. Scattered Spider uses its English and social engineering skills to break into Western companies’ networks. BlackCat provides its experience and its malware – used in some of the most shocking ransomware attacks.
... including the 2021 attack on Colonial Pipeline, which caused gas shortages up and down the East Coast... and this year’s attack on UnitedHealth Group, which disrupted pharmacies nationwide. The State Department is offering a $15 million reward for information on Russia’s BlackCat.
Jon DiMaggio, a former analyst at the National Security Agency, now investigates ransomware as chief security strategist for the cybersecurity company Analyst1.
Jon DiMaggio: So there’s a term. It’s called “ransomware as a service,” that’s been given to the structure and the format of these gangs.
DiMaggio says “ransomware as a service” has taken the crime to a new level. The long-established Russian gangs, like BlackCat, offer their services – malware, experience negotiating ransoms and laundering money – to what they call “affiliates,” like Scattered Spider.
Jon DiMaggio: So in return, when a victim pays an extortion, the profit that comes from it is now shared amongst those criminals.
The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms… 24-hour service desks … even human resources to hire software developers.
Jon DiMaggio: There are people that specialize in developing malware and ransomware, and they’re in very high demand.
Bill Whitaker: You said you’ve gotten to know some of these people.
Jon DiMaggio: Yes.
Bill Whitaker: Are they mostly young men?
Jon DiMaggio: The leadership are– are, you know, people in their 40s, late 30s. They’re people who’ve got experience. They’re people that have a financial background.
DiMaggio says the Russian government provides a safe haven for ransomware gangs.
Jon DiMaggio: As long as they don’t target, you know, an organization that falls within Russia or the former Soviet state, they don’t get prosecuted. It’s not considered a crime.
Bill Whitaker: It’s not considered a crime to attack American businesses?
Jon DiMaggio: It’s crazy, right? That’s– that’s how it works though.
Bill Whitaker: So it’s like they operate with impunity.
Jon DiMaggio: 100%. That’s the whole reason why this is such a popular crime.
Russian ransomware has become such a threat…the elite cyber warriors at the National Security Agency have joined the fight.
Before retiring last month, Rob Joyce was NSA’s director of cybersecurity. He told us the Colonial Pipeline attack was a wake-up call.
Rob Joyce: It caused us to step back and decide that we had to put more resources into this foreign threat. So one of the things NSA has, we have hackers. And it really, at times, takes a hacker to defeat a hacker. That’s the value NSA can bring is, we can identify people, specific people involved in some of these activities.
The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack. And in January 2022 – after months of negotiations – Russia arrested him and other accomplices. But five weeks later – it all came undone.
Rob Joyce: Following the Ukraine invasion, those people were let outta jail.
Bill Whitaker: So they’re back in business?
Rob Joyce: Yes, sir.
And now, they’ve teamed up with the young native English speakers of Scattered Spider. The FBI’s Bryan Vorndran calls it an evolution of cybercrime.
Bryan Vorndran: In the case of Scattered Spider, is it powerful that they are with BlackCat? Of course. I think that it’s important to know that we are against a very capable set of adversaries, they’re very good at their work. We’re also very good at our work.
In January, the Bureau arrested a 19-year-old from Florida, Noah Urban, charged with stealing cryptocurrency. He’s pleaded not guilty. Cyber investigators have tied him to Scattered Spider, but so far not to the casino heists. The Scattered Spider hackers who did pull off the attack are still online – hiding in plain sight – in unholy alliance with Russians. Allison Nixon calls Las Vegas a harbinger.
Allison Nixon: The level of cybercrime has risen to the point where it feels overwhelming. And every year it gets worse. And it feels like as defenders we’re– it’s almost like we’re winning every battle and losing the war.
Produced by Graham Messick. Associate producer, Jack Weingart. Field associate producer, Eliza Costas. Broadcast associate, Mariah B. Campbell. Edited by Matthew Lev.
Bill Whitaker is an award-winning journalist and 60 Minutes correspondent who has covered major news stories, domestically and across the globe, for more than four decades with CBS News.
LONDON — Britain’s government is expected to blame a string of cyberattacks targeting the U.K.’s election watchdog and lawmakers on hackers linked to the Chinese government.
Officials are expected to announce Monday measures against cyber organizations and individuals affiliated with the Chinese government for an attack that may have gained access to information on tens of millions of U.K. voters held by the Electoral Commission, as well as cyberattacks targeting lawmakers who have been outspoken about the China threat.
The Electoral Commission said in August that it identified a cyberattack on its system in October 2022, though it added that “hostile actors” had first been able to access its servers since 2021.
At the time, the watchdog said the data included the names and addresses of registered voters. But it added that much of the information was already in the public domain, and that possessing such information was unlikely to influence election results.
Separately, three members of the House of Commons, including former Conservative Party leader Iain Duncan Smith, and a member of the House of Lords were reportedly called to a briefing by Parliament’s security director Monday over the cyberattacks.
The four politicians are members of the Inter-Parliamentary Alliance on China, an international pressure group focused on countering Beijing’s growing influence and calling out alleged rights abuses by the Chinese government.
Deputy Prime Minister Oliver Dowden is expected to give details in Parliament later Monday.
Ahead of that announcement, Prime Minister Rishi Sunak reiterated that China is “behaving in an increasingly assertive way abroad” and is “the greatest state-based threat to our economic security.”
“It’s right that we take measures to protect ourselves, which is what we are doing,” he said, without providing details.
Responding to the reports, China’s Ministry of Foreign Affairs said countries should base their claims on evidence rather than “smear” others without factual basis.
“Cybersecurity issues should not be politicized,” ministry spokesperson Lin Jian said. “We hope all parties will stop spreading false information, take a responsible attitude, and work together to maintain peace and security in cyberspace.”
[Photo caption, AP Photo/Michel Euler, File: French Prime Minister Gabriel Attal speaks during the first session of questions to the new government at the National Assembly in Paris, Tuesday, Jan. 16, 2024. The French government said Monday, March 11, 2024, that several of its services were being targeted by cyberattacks of “unprecedented intensity,” and a special crisis center was activated to restore online services. Attal’s office said the attacks started Sunday night and hit multiple government ministries, without providing details.]
Washington — A cyberattack on the health technology provider Change Healthcare is wreaking havoc nationwide, as some hospitals and pharmacies cannot get paid, and many patients are unable to get prescriptions.
Change Healthcare is a subsidiary of the UnitedHealth Group, one of the nation’s largest healthcare companies. In a federal filing this week, UnitedHealth said that Change Healthcare first discovered the hack on Feb. 21, disconnecting impacted systems “immediately.”
“So I mean we’ve seen a lot of claims coming through as a rejected claim, where obviously the insurance provider are not able to pay because of this attack,” said Amrish Patel, a pharmacist in Dallas, Texas. “Elderly patients that have a fixed income, and they’re trying to get their medicine…unfortunately there’s no way around it at this point.”
Change Healthcare says it processes 15 billion transactions annually, touching one in three U.S. patient records.
“I can tell you that this cyberattack has affected every hospital in the country one way or another,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.
“It’s not a data crime, it’s not a white-collar crime, these are threats to life,” Riggi added.
In a since-deleted post on the dark web, a Russian-speaking ransomware group known as Blackcat claimed responsibility, alleging they stole more than six terabytes of data, including “sensitive” medical records.
“Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” UnitedHealth told CBS News in a statement Thursday of Blackcat’s claim. “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems.”
UnitedHealth added that its investigation has so far provided “no indication” that the systems of its other subsidiaries — Optum, UnitedHealthcare and UnitedHealth Group — “have been affected by this issue.”
Change Healthcare says it has established workarounds for payment, but more than one week after the hack was first detected, systems remain down, creating billing headaches for hospitals and pharmacies. Smaller hospitals are particularly vulnerable.
“The smaller, less resourced hospitals, our safety net critical access rural hospitals, certainly do not operate with months of cash reserves,” Riggi said. “Could be just a matter of days, or a couple of weeks.”
In a previous statement Wednesday, UnitedHealth estimated that more than 90% of the nation’s pharmacies “have modified electronic claim processing to mitigate impacts” of the cyberattack, and “the remainder have offline processing workarounds.”
UnitedHealth has not provided an estimate on when it believes its systems will return to normal. The FBI is also investigating.
For many organizations and startups, 2023 was a rough year financially, with companies struggling to raise money and others making cuts to survive. Ransomware and extortion gangs, on the other hand, had a record-breaking year in earnings, if recent reports are anything to go by.
It’s hardly surprising when you look at the state of the ransomware landscape. Last year saw hackers continue to evolve their tactics to become scrappier and more extreme in efforts to pressure victims into paying their increasingly exorbitant ransom demands. This escalation in tactics, along with the fact that governments have stopped short of banning ransom payments, led to 2023 becoming the most lucrative year yet for ransomware gangs.
That’s the highest figure ever observed, and almost double the amount of known ransom payments tracked in 2022. But Chainalysis said the actual figure is likely far higher than the $1.1 billion in ransom payments it has witnessed so far.
There’s a glimmer of good news, though. While 2023 was overall a bumper year for ransomware gangs, other hacker-watchers observed a drop in payments toward the end of the year.
This drop is a result of improved cyber defenses and resiliency, along with the growing sentiment that most victim organizations don’t trust hackers to keep their promises or delete any stolen data as they claim. “This has led to better guidance to victims and fewer payments for intangible assurances,” according to ransomware remediation company Coveware.
Record-breaking ransoms
While more ransomware victims are refusing to line the pockets of hackers, ransomware gangs are compensating for this drop in earnings by increasing the number of victims they target.
Take the MOVEit campaign. This huge hack saw the prolific Russia-linked Clop ransomware gang mass-exploit a never-before-seen vulnerability in the widely used MOVEit Transfer software to steal data from the systems of more than 2,700 victim organizations. Many of the victims are known to have paid the hacking group in efforts to prevent the publication of sensitive data.
While it’s impossible to know exactly how much money the mass-hack made for the ransomware group, Chainalysis said in its report that Clop’s MOVEit campaign amassed over $100 million in ransom payments, and accounted for almost half of all ransomware value received in June and July 2023 during the height of this mass-hack.
MOVEit was by no means the only money-making campaign of 2023.
In September, casino and entertainment giant Caesars paid roughly $15 million to hackers to prevent the disclosure of customer data stolen during an August cyberattack.
This multimillion-dollar payment perhaps illustrates why ransomware actors continue to make so much money: the Caesars attack barely made it into the news, while a subsequent attack on hotel giant MGM Resorts — which has so far cost the company $100 million to recover from — dominated headlines for weeks. MGM’s refusal to pay the ransom led to the hackers’ release of sensitive MGM customer data, including names, Social Security numbers and passport details. Caesars — outwardly at least — appeared largely unscathed, even if, by its own admission, it could not guarantee that the ransomware gang would delete the company’s stolen data.
Escalating threats
For many organizations, like Caesars, paying the ransom demand seems like the easiest option to avoid a public relations nightmare. But as the ransom money dries up, ransomware and extortion gangs are upping the ante and resorting to escalating tactics and extreme threats.
We also saw the notorious Alphv (known as BlackCat) ransomware gang weaponize the U.S. government’s new data breach disclosure rules against MeridianLink, one of the gang’s many victims. Alphv accused MeridianLink of allegedly failing to publicly disclose what the gang called “a significant breach compromising customer data and operational information,” for which the gang took credit.
No ban on ransom payments
Another reason ransomware continues to be lucrative for hackers is that while not advised, there’s nothing stopping organizations paying up — unless, of course, the hackers have been sanctioned.
To pay or not to pay the ransom is a controversial subject. Ransomware remediator Coveware suggests that if a ransom payment ban was imposed in the U.S. or any other highly victimized country, companies would likely stop reporting these incidents to the authorities, reversing past cooperation between victims and law enforcement agencies. The company also predicts that a ransom payments ban would lead to the overnight creation of a large illegal market for facilitating ransomware payments.
Others, however, believe a blanket ban is the only way to ensure ransomware hackers can’t continue to line their pockets — at least in the short term.
Allan Liska, a threat intelligence analyst at Recorded Future, has long opposed banning ransom payments — but now believes that for as long as ransom payments remain lawful, cybercriminals will do whatever it takes to collect them.
“I’ve resisted the idea of blanket bans on ransom payments for years, but I think that has to change,” Liska told TechCrunch. “Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them.”
“A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long-term success at this point,” said Liska.
While more victims are realizing that paying the hackers cannot guarantee the safety of their data, it’s clear that these financially motivated cybercriminals aren’t giving up their lavish lifestyles anytime soon. Until then, ransomware attacks will remain a major money-making exercise for the hackers behind them.