Organizations in the US healthcare and public health sector are among the top targets for state-sponsored North Korean cyber-threat actors seeking to fund espionage activities via ransomware and other attacks.

That's the assessment of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the US Department of Health and Human Services, and South Korean intelligence agencies. In a joint advisory Feb. 9, the group described the North Korean government as using revenues — in the form of cryptocurrency — from these ransomware attacks to fund other cyber operations that include spying on US and South Korean defense sector and defense industrial base organizations.

State-Sponsored Ransomware Attacks With a Mission

"The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives," the advisory said.

The alert also cautioned ransomware victims in healthcare and critical infrastructure sectors against paying ransoms. "Doing so does not guarantee files and records will be recovered and may pose sanctions risks," it said.

There is little in the advisory to indicate whether it was prompted by new threat intelligence or word about imminent attacks. But it comes amid a continuing increase in ransomware attacks against healthcare entities overall. A report by the Journal of the American Medical Association (JAMA) earlier this year identified a doubling in the number of ransomware attacks against healthcare entities between 2016 and 2021. Of the total 374 ransomware attacks on US healthcare organizations during that period, some 44% disrupted heathcare delivery.

The most common disruptions included systems downtime, cancellations of scheduled care, and ambulance diversions. JAMA's study found an increase especially in ransomware attacks against large healthcare organizations with multiple facilities between 2016 and 2021.

A June 2022 report from Sophos showed 66% of healthcare organizations experienced at least one ransomware attack in 2021. Sixty-one percent of those attacks ended with the attackers' encrypting data and demanding a ransom for the decryption key.

"Healthcare saw the highest increase in volume of cyberattacks (69%) as well as the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59% respectively," Sophos said.

New Intel, New Tactics

CISA's latest cybersecurity advisory this week updates its earlier guidance on state-sponsored ransomware attacks from North Korea directed against the US healthcare and public health sector. It highlighted multiple tactics, techniques, and procedures (TTPs) that North Korean cyber actors are currently employing when executing ransomware attacks against healthcare targets. Most of the TTPs are typical of those observed with ransomware attacks and include tactics like lateral movement and asset discovery.

The advisory also highlighted several ransomware tools — and associated indicators of compromise (IoCs) — that North Korean actors have been using in attacks on healthcare organizations. Among them were privately developed variants such as Maui and H0lyGh0st and publicly available encryption tools such as BitLocker, Deadbolt, Jogsaw, and Hidden Tear.

"In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group," in an attempt to evade attribution, the advisory said.

In addition to obfuscating their involvement by operating with other affiliates and foreign third parties, North Korean actors frequently use fake domains, personas, and accounts to execute their campaigns, CISA and the others said. "DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK."

The advisory highlighted some of newer software vulnerabilities that state-backed groups in North Korea have been exploiting in their ransomware attacks. Among them were the Log4Shell vulnerability in the Apache Log4j framework (CVE-2021-44228) and multiple vulnerabilities in SonicWall appliances.

CISA's recommended mitigations against the North Korean threat included stronger authentication and access control, implementing the principle of least privilege, employing encryption and data masking to protect data at rest, and securing protected health information during collection, storage, and processing.

The advisory also urged healthcare entities to maintain isolated backups, develop an incident response plan, update operating systems and applications, and monitor remote desktop protocol (RDP) and other remote access mechanisms.