DC Health Link Breach Could Lead to Lawmaker Blackmail, Extortion
A Russian-linked cybercriminal could be behind the breach.
Saryu Nayyar is founder and CEO of Gurucul. She said the line between state-sponsored threat actor groups and actual nation-state attacks is a gray area.
“Collecting personal data, especially health care information about individuals and their families, can have catastrophic consequences as this data can be easily used for blackmail and extortion of our nation’s lawmakers, whether this data is sold to our enemies or directly stolen by them,” she said. “The results of these attacks can obviously go beyond personal or financial gain against our lawmakers, and bleed into how they approach public policy and voting. The government must focus beyond just securing our critical infrastructure or military installations, and focus on a widespread policy that leverages the most innovative and advanced technology for monitoring users, systems and data. This includes early warning threat detection, investigation and response systems leveraging identity and behavioral analytics working in conjunction with traditional methods to identify threat actor activity early in the kill chain.
“Relying on established and cheaper solutions versus more advanced and customizable solutions will continue to hamper our ability to protect our people, resources, businesses and intellectual property,” she said.
Nick Tausek is lead security automation architect at Swimlane. He said although no hacking group has yet claimed the attack, notorious threat actor IntelBroker is selling the stolen information on a hacking forum.
“It goes without saying that government officials are extremely hot targets for cybercriminals given their status, power and the level of chaos that can ensue when these officials’ personal information is released to the public,” he said. “IntelBroker is already requesting payment in the form of cryptocurrency in exchange for the stolen information, so it is likely that this breach could turn into a ransom situation, with the government facing great pressure to resolve the situation given the level of confidentiality that comes along with the officials targeted. In the event that this does become a ransom situation, however, the federal government should abide by its own advice and not pay the ransom. After all, paying the ransom does nothing to ensure that the data is not still sold, or utilized as leverage in a multiple-extortion campaign.”
Joseph Carson is chief security scientist and advisory CISO at Delinea. He said this latest data breach and theft of health records appears to be “just another opportunistic cyberattack with a motive to make money for the cybercriminals behind the attack.”
“I don’t believe the attackers really care whose records they stole, just that they are sensitive enough that someone is willing to pay them for it,” he said. “If this was a targeted breach focused on specific persons of interest, then we would not hear about it nor would the records be for sale as targeted attacks tend to be more stealthy and the attackers would not be selling them onwards. Moving forward, I believe the attackers will likely want to lie low for a period of time due to the high visibility of the victims and attention they are now getting along with the FBI getting involved.”
Andrew Barratt is vice president of Coalfire. He said health care data is a fairly attractive target that’s usually sold, and then used to mount fraudulent claims.
“Unless those congresspeople had divulged their health care network openly somewhere, it’s probable that they’re just victims in this the same as everyone else affected,” he said. “However, it could have been deliberate, but seems a very roundabout way to take on a congressperson. Typically a spear phishing or catphishing exercise would be done against valuable targets rather than a huge land grab.”
The FBI is often engaged in these sorts of large-scale offenses, Barratt said, and its involvement puts more scrutiny on the case in the event that there is nation-state support involved.
“If there had been credit card data and other monetary instruments exposed, they might have felt the wrath of both the FBI and the Secret Service,” he said. “Both, unbeknown to many, are very active in supporting the nation’s defenses against cybercrime.”
The threat actor(s) will likely try to monetize the data in pockets, Barratt said.
“Depending on the structure of the data and if there are ‘canaries’ in the data, it may well be carved up and ‘washed’ with other data sets making the origins difficult to establish,” he said. “This is where data canaries can be useful. These are records that are left in the underlying data structure – that appear on the surface to be valid – a sort of John Doe if you will – but that have specific characteristics deliberately randomized and made unique that they can be used to attribute a block of data to a probable source.”
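The canary technique Barratt describes can be demonstrated in code. The following is an added example, not Barratt's or DC Health Link's code: each copy of a data set handed to a recipient gets one plausible-looking record whose fields are derived from a keyed hash of a hypothetical recipient label, so only the data owner can regenerate it. A leaked dump is then scanned for each recipient's canary, matching on a subset of fields so that a canary still surfaces after the dump has been carved up or merged with other data. The records and recipient labels are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records (fictional people) standing in for enrollee data.
REAL_RECORDS = [
    {"name": "Jane Roe", "dob": "1980-04-12", "zip": "20002"},
    {"name": "John Smith", "dob": "1975-09-30", "zip": "20003"},
]
# Hypothetical recipients that each receive their own copy of the data set.
RECIPIENTS = ["broker-a", "analytics-vendor", "internal-backup"]

# Name parts for the synthetic "John Doe" record; chosen so canaries look valid.
FIRST = ["Alex", "Morgan", "Taylor", "Jordan", "Casey", "Riley", "Avery", "Quinn"]
LAST = ["Doe", "Bloggs", "Poe", "Moe", "Coe", "Loe", "Voe", "Toe"]


def make_canary(secret: bytes, recipient: str) -> dict:
    """Derive a unique, plausible-looking record from HMAC(secret, recipient).

    The keyed hash means each recipient's copy carries a distinct canary and
    that only the holder of the secret can regenerate it for attribution."""
    d = hmac.new(secret, recipient.encode(), hashlib.sha256).digest()
    name = f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"
    dob = f"19{50 + d[2] % 50:02d}-{1 + d[3] % 12:02d}-{1 + d[4] % 28:02d}"
    zip_code = f"200{d[5] % 100:02d}"
    return {"name": name, "dob": dob, "zip": zip_code}


def seeded_copy(secret: bytes, recipient: str) -> list:
    """The data set as delivered to one recipient: real rows plus its canary."""
    return REAL_RECORDS + [make_canary(secret, recipient)]


def attribute_leak(secret: bytes, leaked: list, min_fields: int = 2) -> list:
    """Return the recipients whose canary appears in a leaked dump.

    Requiring only min_fields of the canary's fields to match lets the canary
    survive a dump that was carved up or 'washed' with other data sets."""
    hits = []
    for recipient in RECIPIENTS:
        canary = make_canary(secret, recipient)
        for row in leaked:
            matched = sum(1 for k, v in canary.items() if row.get(k) == v)
            if matched >= min_fields:
                hits.append(recipient)
                break
    return hits
```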
Avishai Avivi is SafeBreach’s CISO. He’s cautiously optimistic that the breach isn’t as bad as it could have been. That’s because a limited amount of personally identifiable information (PII) was exposed.
“Considering this was a health exchange, the data exposed could have easily included protected health information (PHI),” he said. “While malicious actors can try and use the data included in the breach to attempt further breaches, the PII elements in question are not too dangerous. To those of us who remember the days before the internet exploded, phone companies used to distribute free books with thousands of PII records including full names, physical address and phone numbers.”
This is not meant to diminish the severity of this breach, Avivi said. And until we understand more about the full scope of the incident, he recommends all potential victims of this breach raise their level of awareness to unusual or suspicious messaging.
“One example would be unsolicited phone calls or emails from someone claiming to represent DC Health, looking to verify information, or even trying to prompt the individual to log in using a link provided to change their password,” he said. “These should be considered highly suspicious, and should be reported to the authorities.”
Darren James is senior product manager at Specops Software. He said the sensitivity of data and the high-stakes pressure make any health care organization a high-value target for cybercriminals.
“The fact that DC Health Link is handling PII for members of Congress will raise awareness of the importance of reviewing cybersecurity policies for your own organization, as well as suppliers,” he said. “User access safeguards are usually protecting PII, so securing complex enterprise systems requires a dynamic multifaceted approach. Ensure you require both strong passwords and multifactor authentication (MFA) to access critical systems, ensure all systems are regularly patched against known vulnerabilities, offer training for all users to help them quickly identify and report irregular behavior, and test your backups and business continuity plans so that you can be sure you are ready when needed.”
DC Health Link, the Washington, D.C., health insurance marketplace, recently suffered a breach impacting more than 56,400 customers. That list includes federal lawmakers and their families.
One cybersecurity expert said the stolen data could easily be used for blackmailing and extorting lawmakers.
DC Health Link confirmed the breach on its website. It said the breach has impacted 56,415 customers. Among the stolen data are names, Social Security numbers, dates of birth, gender, health plan information, employer information and enrollee information.
The health insurance marketplace has offered impacted customers three years of free identity and credit monitoring for all three major credit bureaus. It’s also offering three years of monitoring to all other customers.
In the meantime, DC Health Link said the investigation into the breach is continuing. It also said its services are running normally and “we continue to operate in a state of heightened alert.”
Cybersecurity analyst Chris Krebs on Sunday told CBS News that a Russian-linked cybercriminal is likely behind this breach.
“Russia allows a very pervasive environment and permissive environment for cybercriminals,” he said. “It actually helps the kind of broader Russian strategic objective to undermine confidence in the U.S.’s ability to protect citizens. It actually brings a significant amount of revenue into Russia.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.