Posted on December 16, 2021 at 6:00 PM
The Oregon Anesthesiology Group has confirmed a ransomware attack that compromised its network, leading to the breach of patients’ and employees’ sensitive information.
According to the report, a Ukrainian hacking group known as HelloKitty is responsible for the hacking incident, and the breach involves the information of 750,000 patients and 522 OAG employees, including former workers.
The Hackers Exploited A Bug In A Third-Party Firewall
The company, in a statement, noted that it discovered the breach after the FBI seized an account containing OAG employees and patients’ files from HelloKitty.
According to the agency, the group exploited a bug in the third-party firewall of the company’s network, allowing the threat actors to have access to the network.
The FBI added that the hackers may have stolen information including patient names, medical record numbers, insurance provider names, diagnoses with descriptions, dates or services, as well as insurance ID numbers.
The Attackers Encrypted The Files After The Attack
The threat actors also potentially had access to both present and former employee data, which includes their names, social security numbers, their addresses, and other information in the W-2 forms on file.
The attack was disclosed on July 11 after the threat actors blocked OAG's access to its servers, forcing the company to use off-site backups to restore its systems and rebuild its IT environment from scratch. The company's security team initially started the restoration process but had to engage external cybersecurity experts to investigate the incident.
OAG provided a detailed cybersecurity report last month showing that the threat actors accessed OAG's encrypted data after harvesting the administrator's credentials. The company has put a multifactor authentication security protocol in place after replacing the affected third-party firewall.
Affected Users Should Set Up A mySocial Security Account
To assist victims, OAG is providing 12 months of credit monitoring and Experian identity protection services for a fee.
The company has also advised affected clients to be very vigilant when responding to unsolicited emails. It also asked users to participate in OAG’s IdentityWorks program, which offers up to $1 million in identity theft insurance.
Also, users whose social security numbers were compromised have been advised to set up a mySocial Security account, which will allow them to claim their SSN.
HelloKitty, which has been active since last year, is known to target Windows systems, while some of its variants are used to launch attacks on Linux systems.
The group was also blamed for the notorious hack of Polish game developer CD Projekt Red, the developer of games like The Witcher series and Cyberpunk 2077.
The Group Takes Advantage Of Known Vulnerabilities
While some threat actors specialize in exploiting zero-days, the HelloKitty group generally uses known bugs in SonicWall products to launch its attacks. After gaining access to the network, the group utilizes publicly available tools like PowerShell, Mandiant's Commando, or Cobalt Strike.
The FBI also stated that the group utilized other publicly available tools like Mimikatz and Bloodhound to target the network and escalate privileges before stealing and encrypting the data. This makes it difficult for the victimized company to retrieve their data.
The Ransomware Group Uses A Double Extortion Technique
Some variants of the HelloKitty ransomware have also been discovered, including Vice Society and an unnamed ransomware variant.
In October, the FBI notified the public and organizations about the group, stating at the time that the group uses a double extortion technique to pressure its victims into paying a ransom.
The FBI said the threat actors usually warn the victims to respond with a specific ransom payment. If the victims fail to respond in time, the group launches a Distributed Denial of Service (DDoS) attack on the company's network.
The FBI added that the ransomware group does not demand a fixed ransom amount; the demand depends on the amount of damage they can cause via a DDoS attack. So, if the target is a large organization at risk of losing critical information, the ransom demand is usually higher.
In most cases, they demand to be paid in Bitcoin (BTC) or other cryptocurrencies to make sure no one can trace their identities. If the ransom is not paid, the hackers threaten to post the compromised data on the Babuk site or sell it on the darknet.