
HC3 Report Uncovers Key Data Exfiltration Trends in Healthcare

Data exfiltration played a role in 70 percent of ransomware incidents impacting healthcare organizations, HC3 stated.


By Sarai Rodriguez

Healthcare providers face a heightened risk of data exfiltration, according to a recent HHS Health Sector Cybersecurity Coordination Center (HC3) brief that delves into the various threat actors and provides practical guidance on how organizations can protect against these risks.

Often considered the primary objective of advanced persistent threats (APTs), data exfiltration occurs towards the end of the cyber kill-chain. Once a threat actor gains network access and elevated privileges, they typically move laterally across the network to execute their cyberattack, which often involves unauthorized data transfer from a device.

Data exfiltration attacks are on the rise, with HC3 reporting a significant increase in incidents. Notable examples from 2022 include incidents at Nvidia and Microsoft, HC3 stated.

Healthcare organizations are bearing the brunt of data exfiltration, HC3 explained. Breach notifications revealed that 28.5 million healthcare records were exposed in H2 2022, up from 21.1 million in 2019. Additionally, data exfiltration was a factor in at least 70 percent of ransomware incidents affecting healthcare delivery organizations, contributing to a 35 percent increase in affected patient records in 2022.

HC3 also noted a shift in ransomware trends, with threat actors primarily focusing on data exfiltration and extortion. Specifically, there was a 20 percent increase in the number of adversaries conducting data theft and extortion campaigns. Over the past year, HC3 has observed new threat actors enter the scene, including the Donut Leaks, Karakurt, and the Lapsus$ data extortion groups.

In one example, the Karakurt data extortion group announced that it had breached a Kansas-based surgical and rehabilitation facility, allegedly acquiring 200 GB of corporate data from the victim. The group typically compresses large amounts of data, often exceeding one terabyte (TB) and frequently including entire network-connected shared drives, and moves it using open-source applications, File Transfer Protocol (FTP) clients such as FileZilla, and cloud storage services.

While data exfiltration is usually associated with ransomware, it is not limited to this type of attack. Information stealers, for example, are designed to steal credentials and other valuable data from a computer and can be used to gain access to further high-value data with minimal technical skill.

Toward the end of 2022, several information stealers grew in popularity on the dark web. Among them, Mars is noteworthy for its ability to extract data from web browsers and cryptocurrency extensions. Similarly, Raccoon targets browsers and crypto wallets, while Redline has been known to obtain passwords and session tokens. In January 2023, Vidar was distributed via over 1,300 fake AnyDesk sites. In February 2023, Stealc emerged as a new player in data stealing, offering customizable file-grabbing and loader capabilities.

In addition to the threats mentioned above, state-sponsored cyber espionage has emerged as a growing concern. These threat actors are motivated by military, economic, or political interests; well-funded and experienced hackers target high-value organizations, leveraging APTs for data collection.

In Q4 2022, Lazarus, a state-sponsored actor, targeted the medical research and technology sector, exfiltrating ~100 GB of data without taking destructive action. Files were transferred from victim networks to the actor's infrastructure over SSH connections using the 'pscp' command.

As more organizations shift from on-premises to cloud storage, threat actors frequently target cloud resources to steal data. As research suggests, they often delete cloud backups to prevent recovery from ransomware attacks. Some threat actors have been caught employing Eamfo, a type of information-stealing malware specifically designed to steal Veeam cloud backup software credentials, HC3 mentioned.

Despite the alarming threats discussed above, mitigations are available to help protect against sensitive data theft. HC3 recommends watching for common insider-threat indicators, such as unusual data movement, use of unsanctioned software and hardware, increased requests for escalated privileges or permissions, access to non-essential information, renamed files whose extension does not match their content, and departing employees.
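As an added illustration of the "extension does not match content" indicator (this code is not from the HC3 brief or this article), the following Python compares a file's leading bytes against a small signature table; the signature table, file names and header bytes are constructed for the demo.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed table of well-known leading bytes ("magic") and the
# extensions that legitimately carry them. Extend as needed.
SIGNATURES = {
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"7z\xbc\xaf\x27\x1c": {"7z"},
    b"Rar!\x1a\x07": {"rar"},
}


def detect_type(header: bytes) -> Optional[Set[str]]:
    """Return the extensions matching the header's magic bytes, or None if unknown."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None


def extension_mismatch(name: str, header: bytes) -> bool:
    """True when the content type is recognised but the file's extension is not one it should carry."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = detect_type(header)
    if exts is None:
        return False  # unknown content: no basis to flag it
    return ext not in exts


def scan(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Given (path, leading bytes) pairs, return the paths whose extension hides a different format."""
    return [path for path, head in files if extension_mismatch(path, head)]


def scan_paths(paths: Iterable[str]) -> List[str]:
    """Convenience wrapper that reads the first 16 bytes of real files on disk."""
    def headers():
        for p in paths:
            with open(p, "rb") as fh:
                yield p, fh.read(16)
    return scan(headers())


# Constructed sample: two archives renamed to look like harmless text/log files.
SAMPLE_FILES = [
    ("reports/q3.pdf", b"%PDF-1.7\n%\xe2\xe3"),
    ("notes/readme.txt", b"PK\x03\x04\x14\x00\x00\x00"),   # ZIP disguised as .txt
    ("images/scan.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("backup/db.log", b"7z\xbc\xaf\x27\x1c\x00\x04"),      # 7z disguised as .log
    ("misc/unknown.bin", b"\x00\x01\x02\x03"),              # unknown format, not flagged
]
```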

Additionally, high-level mitigations should be implemented, such as integrating security awareness and best practices, evaluating risks associated with computer, application, and data interactions, and conducting periodic security audits to ensure that best practices are followed.