US Health Department Experiences Cyber Attack during Mounting COVID-19 Concerns

The US Department of Health and Human Services (HHS) confirmed that it had experienced a cyber attack the previous Sunday, 15 March. This is particularly worrying as it comes at a time where both local and international health agencies are struggling to battle the ongoing spread of COVID-19, otherwise known as the Coronavirus. The incident was first reported by Bloomberg, in that article, an anonymous source was cited as saying the incident involved “multiple incidents” and appeared to be designed to slow the department’s systems. However, they did “not do so in any meaningful way”, the article said. Further, the article said that the attack was linked to a text message-based disinformation campaign that wrongly suggested that there would be a nationwide quarantine on Monday.

A spokesperson for the department said that the department became aware of the attack when a significant increase in activity on the HHS’s cyber infrastructure was detected but remains fully operational.

us health department experiences ddos attack

Caitlin Oakley, the spokesperson, further stated,

“Early on while preparing and responding to Covid-19, HHS put extra protections in place. We are co-ordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure,” Health and Human Services Secretary Alex Azar said, at a White House briefing on the coronavirus the following Monday, that “We had no penetration into our networks, we had no degradation of the functioning of our networks,”

Exact details about the attack are few and far between. If the source cited in the Bloomberg article is correct then Sunday’s attack may have been a distributed denial-of-service attack (DDoS) commonly carried out by malicious Botnet networks. The incident follows a warning issued by the Department of Homeland Security urging companies to adopt heightened security measures. The warning states,

“As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.”

COVID-19 Been Leveraged by Attackers

In early February we published an article detailing how hackers began using the Coronavirus in a variety of phishing campaigns. In one attack campaign been distributed by the infamous botnet, Emotet, was seen distributing phishing emails with the express purpose of harvesting the victim’s credentials. This trend has nothing but gained momentum with the rise of the pandemic. On March 13, 2020, reports emerged that the Brno University Hospital, in the city of Brno, Czech Republic, has been hit by a cyberattack right in the middle of a COVID-19 outbreak that is increasing case numbers in the European country daily. The incident was deemed serious enough to postpone urgent surgical interventions, and re-route new acute patients to nearby St. Anne's University Hospital.

The incident did not involve the exploitation of the COVID-19 virus like the phishing campaign alluded to above. The serious nature of the attack can be attributed to the hospital been a COVID-19 testing center. The attack could have impacted hospital duties in this regard and shows what little regard certain hackers and state-sponsored groups have for those fighting the pandemic and those potentially affected by it. One such group is a Chinese government state-sponsored group known as Vicious Panda, also known as Pirate Panda and Key Boy. The group has been designated as APT23 by security firms and law enforcement agencies tracking their activity. In CrowdStrike’s 2020 Global Threat Report, Pirate Panda activities were set out as,

“CrowdStrike Intelligence identified new PIRATE PANDA activity that showed the adversary began to use the 8.t exploit document builder to target Mongolia from March to April, and then again in November against Vietnam.”

Activity directed at Mongolia does not appear to have ended in March of 2019. A new campaign directed at the Mongolian public sector has been discovered by security firm Check Point. In a report detailing the campaign researchers discovered that the group was taking advantage of the COVID-19 pandemic to distribute a previously unknown malware strain. The COVID-19 virus is exploited in the means of lure documents allegedly from the Mongolian Ministry of Foreign Affairs. The lure is a file sent via email which contains a weaponized Remote Access Trojan named RoyalRoad, a piece of malware attributed to several Chinese state-sponsored groups. The malware itself is designed to exploit the Equation Editor vulnerabilities in Microsoft Word. Researchers concluded that,

“In this campaign, we observed the latest iteration of what seems to be a long-running Chinese-based operation against a variety of governments and organizations worldwide. This specific campaign leverages the COVID-19 pandemic to lure victims to trigger the infection chain…The attackers updated their toolset from documents with macros and older RTF exploits to the latest variation of the “RoyalRoad” RTF exploit-builder observed in the wild…The full intention of this Chinese APT group is still a mystery, but it is clear they are here to stay and will update their tools and do whatever it takes to attract new victims to their network.”

It is clear that governments and healthcare facilities not only have to combat a life-threatening, and certainly life-altering pandemic, but still have to deal with the machinations of hackers. It is hoped that the continued attacks on hospitals and the greater healthcare ecosystem are not hampered too severely by cyber attacks while combatting the spread of COVID-19.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal