
Cyberattacks During COVID-19 Crisis—Are Hospitals Secure?

April 8, 2020


The healthcare sector has witnessed a 150% increase in cyberattacks since the beginning of the year. With medical staff already overburdened and overworked by the demands brought on by COVID-19, healthcare organizations could be the perfect targets for various attacks. Discover the most significant healthcare cyberattacks during the COVID-19 crisis so far.

What Is at Stake?

Hospitals all around the world are notifying their staff about incoming threats. Various common attack types have already appeared, including a phishing email from a sender purporting to represent the World Health Organization (WHO) and a phishing email claiming to be from the Centers for Disease Control and Prevention (CDC). Both emails purported to contain vital information about how to prevent and treat the new coronavirus.

Similarly, thousands of emails with attachments such as PDF or Word documents that promise vital information about COVID-19 are sent to hospital workers every day. As a result, security experts are repeatedly warning hospital staff that such documents actually contain embedded malicious code that targets and infects computers.

Phishing Emails Impersonating WHO Representatives

Many hospital employees have been targeted by a phishing email claiming to come from World Health Organization Director Dr. Tedros Adhanom Ghebreyesus.

“These emails claiming to be from the World Health Organization are being delivered personalized by addressing the recipient by a username stripped out of the email address. They are also being delivered from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO instead of the organization, in general, to gain credibility with recipients,” according to IBM’s X-Force, which discovered the phishing scheme.

When a recipient opens the spam email and clicks on the attachment, malware is installed on the computer and can steal credentials from the device.

“It is remarkable how threat actors play with the fears and hopes of their potential victims. Speaking of prevention drugs and cures in an email that is spoofed to appear directly from the director of the WHO, in this current situation is expected to be highly successful,” the IBM X-Force team concluded.
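The two traits X-Force describes (a director's display name on an unrelated sending domain, and a greeting built from the recipient's address) can be checked mechanically at the mail gateway. The following is an added example, not code from IBM or from this article; the watch list, the function names and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Assumption: names to watch for and the domains they legitimately send from.
IMPERSONATED = {
    "world health organization": ("who.int",),
    "tedros adhanom": ("who.int",),
}

def first_text(msg):
    """Return the first text/plain part of a parsed message, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode(errors="replace")
    return ""

def lure_traits(raw):
    """List the traits of the described lure found in one raw message."""
    msg = email.message_from_string(raw)
    found = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for name, legit in IMPERSONATED.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in legit)
        if name in display.lower() and not trusted:
            found.append(("display-name-mismatch", domain))
    # Greeting built from the recipient's local part instead of a real name.
    lines = first_text(msg).strip().splitlines()
    greeting = lines[0] if lines else ""
    for _, rcpt in getaddresses(msg.get_all("To", [])):
        local = rcpt.partition("@")[0]
        if local and re.search(rf"\b{re.escape(local)}\b", greeting, re.I):
            found.append(("greeting-uses-local-part", local))
    return found

# Constructed sample messages (not taken from the campaign).
PHISH = """\
From: "Dr. Tedros Adhanom Ghebreyesus" <info@mail-update.example>
To: jsmith@hospital.example
Subject: Coronavirus prevention and cure

Dear jsmith,
Please review the attached file.
"""
GENUINE = PHISH.replace("info@mail-update.example", "media@who.int").replace(
    "Dear jsmith", "Dear colleague")

if __name__ == "__main__":
    print(lure_traits(PHISH))
    print(lure_traits(GENUINE))
```

Either trait alone is weak evidence; a message that shows both and also carries an attachment is a reasonable candidate for quarantine and review.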

On March 18th, security researchers from Malwarebytes announced they had identified a new phishing campaign designed to take advantage of public concerns over the coronavirus outbreak. In this particular campaign, threat actors used a fake e-book as a lure, claiming the “My Health E-book” includes complete research on the global pandemic, as well as guidance on how to protect children and businesses.

The email content goes on to tell readers that they can download and access the e-book from Windows computers only.

“[A]s soon as they execute the file inside the archive, malware will be downloaded onto their computers. As seen in the previous wave of spam, the malicious code is for a downloader called GuLoader. GuLoader is used to load the real payload, an information-stealing Trojan called FormBook, stored in encoded format on Google Drive. FormBook is one of the most popular info-stealers, thanks to its simplicity and its wide range of capabilities, including swiping content from the Windows clipboard, keylogging, and stealing browser data. Stolen data is sent back to a command and control server maintained by the threat actors,” Malwarebytes elaborated in a blog post.

Cyberattacks on Hospitals and COVID-19 Testing Facilities

On 12 and 13 March, the Brno University Hospital in the Czech Republic was hit by a major cyberattack, causing an immediate computer shutdown. “Gradually, the individual systems were falling, so all computers had to be shut down,” said hospital director Jaroslav Šterba. The hospital, which has one of the largest COVID-19 testing facilities in the Czech Republic, was forced to cancel operations and relocate new patients to other hospitals. The hospital is currently recovering capabilities, although it is not yet fully operational. 

Hammersmith Medicines Research, a UK-based medical facility that has plans to test coronavirus vaccines, has also been hit by an attack from one of the ransomware groups. Malcolm Boyce, managing and clinical director of HMR, told Computer Weekly that the cyberattack, which took place on March 14, was spotted in progress, stopped, and systems restored without paying any ransom.

“We repelled [the attack] and quickly restored all our functions. There was no downtime,” said Malcolm Boyce, adding that the organization had “beefed up” its defenses substantially.

What Will the Future Bring?

Security experts warn that cybercriminals are now creating and putting out thousands of coronavirus-related websites on a daily basis.

Threat intelligence firm RiskIQ is now publishing new lists of coronavirus-related domains on a daily basis, and the numbers are absolutely staggering. For example, RiskIQ saw more than 13,500 suspicious domains on Sunday, March 15; more than 35,000 domains the next day; and more than 17,000 domains the day after that.

In the midst of the global COVID-19 pandemic, many hackers have started to abuse the panic and discomfort to launch malware and phishing attacks worldwide. As hospitals and medical facilities are already at war with the new disease, their staff is more likely to fall victim to ransomware or phishing attacks. Now, more than ever, hospital managers should implement strong security policies.