UnitedHealth Group Change Health hack

Posted in :

stlplace
Reading Time: 4 minutes

(12-19-2024) How the ransomware attack at Change Healthcare went down: A timeline

(04-09-2024) Change Healthcare faces second ransomware dilemma weeks after ALPHV attack || So in summary, ransomware attack poses two threats: 1) Loss of data, if they bad guys encrypts the data; 2) Leak of data, in the case a company or an organization (the victim) restores the data from backup (without paying the attacker), the attacker can threat to leak the data online (or sell the data to other bad guys in a black market etc.), so basically this is what happened here.

(03-09-2024) I first heard about this a few weeks ago, something like below:

美最大医保网遇网攻或来自外国黑客万余药房受干扰

Note it was not in the mainstream news at least not covered heavily in the network TV and so on, initially. Until its impact are felt by both providers and the patients. Below are some more recent coverages.

Cyberattack Paralyzes the Largest US Health Care Payment System – The New York Times || https://twitter.com/ryanstellar/status/1763666449988751373 || https://twitter.com/zackkanter/status/1765170835919143293 || 

https://twitter.com/Lis86274333/status/1763351768002355431 || 

EXPLAINER: What to Know About the Change Healthcare Cyberattack | Health News 

Change Healthcare has acknowledged the hack, which reportedly affected billing and care authorization portals. It’s led to prescription backlogs and missed revenue for providers, posing potential threats to worker paychecks and even patient care.

“Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants such as Mandiant and Palo Alto Networks on this attack against Change Healthcare’s systems,” Change Healthcare said. “We are actively working to understand the impact to members, patients and customers.”

(My take, lesson learned: cyber security best practice; collect the data that’s only necessary) 

“The Russian-speaking cybercriminal gang known as AlphV and Blackcat claimed responsibility and said on its darkweb site that it exfiltrated 6 TB of data in the attack against Change Healthcare.”

NPR: Health industry struggles to recover from cyberattack on a unit of UnitedHealth  

PBS has a few reports on that as well: such as this one – How a cyberattack crippled the U.S. health care system

For IT and security professionals

YT Video: 🔒 Ransomware Chaos -Part 2: UnitedHealth Drained…Dishonor among thieves🦹🏻 – The Briefing (thanks to Ryan⭐ Stellar and Mike Martinelli for the YT video; same below)

YT Video: 🔒 Ransomware Chaos: UnitedHealthcare Under Attack by BlackCat Hackers!…youtube.com (this is part 1)

BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare – Krebs on Security On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

https://twitter.com/zackkanter/status/1765170835919143293 (technical explanation of EDI and Change Healthcare)

Related Incidents

This Change Health incident somehow reminds me of the SolarWind hack a few years ago. It seems Microsoft has some more work to do, as they are still a popular target for hackers.

SolarWinds hack explained: Everything you need to know2020 United States federal government data breach – Wikipedia Microsoft exploits || SolarWinds exploit

A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.

SWI stock has not done too much in last 5 years mostly due to this attack.

Also the Kronos attack which received less media attention (somewhat similar to the UnitedHealth hack). I recall this incident because around at time I was working on a Kronos based project (app, the official name of the app is Ascension Nurse Center of Excellence). It didn’t work out due to various reasons, after the company sunk millions of dollars on the project.

(The Garmin breach/incident happened in the year 2020, Velo) How did the Garmin cyber attack happen, and what does it mean for users? || 6 Things to Learn from the Garmin Security Breach (Terranova Security)

Some other question: 

Legality aside, paying the ransom encourages the hackers? See also Incident Of The Week: Garmin Pays $10 Million To Ransomware Hackers Who Rendered Systems Useless. But from a business’s perspective, they are usually between a rock and a hard place: meaning if they don’t pay, they usually don’t know how long it will take them to recover the data, if at all; or if they pay up, they essentially are working with the bad guy (or encouraging the bad guy).

Can we ever negotiate or trust the hackers (the bad guys)? || This somehow reminded me of my personal experience when I was working for one of the major credit card company (their loyalty and rewards platform), and at one time I was assigned to investigate the root cause of an incident in which the bad guys (or girls) logged into some cardholers’s loyalty redemption website quickly after the website launch, and redeemed their points for air tickets or hotel bookings. At the time, amid the tedious work, I asked myself: how come in this world there are evil people like that?

Another question I had for the UnitedHealth Group (Change Healthcare) hacking: if this is the notorious Russian hacking group BlackCat, can the US government do something about it (hint: retaliation)?

(Update 03-24-2024) It seems Panera Bread, which probblay has 2,000 stores in the US, had just experienced a similar issue.

Panera Bread app and kiosk down since 03-23-2024 afternoon
I am speculating the root cause is ransomware attack

I recall few years ago Panera did have an incident – Panerabread.com Leaks Millions of Customer Records

%d bloggers like this: