Cipher's X63 Unit identifies the cybercriminals threatening the healthcare sector

Madrid, 16 April 2024 - Healthcare is one of the most important sectors for societies around the world, but it has been a target for cybercriminals for years: a 2023 report by the European Union's Cybersecurity Agency (ENISA) notes that 53% of cyber incidents were against healthcare providers, with hospitals being the main target.

Around 40 million patients are estimated to have been affected by leaks of their personal data, medical records and other confidential information over the past year, an all-time high. Equally serious are the consequences of these attacks for the normal operation of a service meant to guarantee people's right to health and well-being. In addition, the economic impact is potentially high, with the healthcare sector registering the largest data breaches, at a cost of almost $11 million.

In response, the x63 Unit, the multidisciplinary cyberintelligence division set up by Cipher (the cybersecurity division of the Prosegur Group), is focusing on gaining an exhaustive knowledge of digital adversaries in the healthcare sector, identifying their tools and analyzing the vulnerabilities they feed on. This makes it possible to extend the security limits established by traditional measures, and to anticipate and act proactively in the face of possible attacks.

So far, the x63 Unit has analyzed nearly a hundred vulnerabilities exploited by cybercriminals in the healthcare sector, and in a recent report identified the main actors responsible for cyber attacks in the sector in recent years:

1. Ransomware: the most prominent players in 2023 within the ransomware arena were RansomHouse, Lockbit and Blackcat. The first specializes in attacks aimed at exposing critical vulnerabilities in data security. Lockbit is a high-risk adversary because of its constant technical evolution. Blackcat, operating a ransomware-as-a-service model, uses advanced techniques to significantly compromise systems.

2. Advanced Persistent Threat (APT): the x63 Unit's research shows that APT groups tend to focus on espionage, and their main mission is usually to extract sensitive information. In this regard, FIN8, APT41 and APT22 represent the biggest espionage threats, with FIN8 focused on compromising POS terminals to steal financial information. APT41 runs global espionage campaigns, attacking critical healthcare infrastructures, while APT22 specializes in prolonged attacks against cancer research, exploiting vulnerabilities in public web services.

3. Hacktivism: this brings together hacking and activism and is based on the use of technology to promote social or political causes. Hacktivist groups have also focused on the healthcare sector, mainly through DDoS (distributed denial of service) attacks, which can be very damaging when they affect critical services. Groups such as Killnet, now Black Skills, and Anonymous Sudan resort to tactics such as DDoS to push political and social agendas, directly affecting essential healthcare services.

4. IABs (Initial Access Brokers): actors specialized in selling access to companies, making it easier for other cybercriminals to execute their attacks. The x63 Unit has identified Sapphire, Olive and Teal Cosmos Taurus as the most prominent IABs, which provide attackers with access to internal networks. Sapphire specializes in healthcare intranets, Olive's activities are diversified, and Teal focuses on selling access to oncology research infrastructures.

5. Leak vendors: these are players dedicated to the unauthorized disclosure of confidential information. Jade, Violet and Bronze Cosmos Taurus market confidential information, from credentials to patient databases, exposing both individuals and entities across the healthcare infrastructure.

The healthcare sector, a critical pillar of society, faces increasingly sophisticated cyber threats, meticulously identified in the report: 68 key vulnerabilities targeting healthcare systems. This detailed analysis maps the risks associated with actors such as RansomHouse in ransomware and APT groups such as FIN8, which compromise sensitive data and point-of-sale systems. The information gained translates into prevention and early-action strategies, enabling healthcare organizations to improve their defenses and resilience against DDoS attacks and other incursions. Threat intelligence is an ally in building more robust security, ensuring that healthcare remains safe and efficient.