Volunteer cybersecurity pros say they’ve stymied hacks against health care organizations

A volunteer group of cybersecurity professionals formed to protect computer networks during the coronavirus pandemic says it has helped dismantle nearly 3,000 malicious internet domains and identified more than 2,000 software vulnerabilities in health care institutions around the world.

“The threats are coming in like a firehose; as fast as we can take things down, there are new [threats] there,” said Marc Rogers, who is an executive with cybersecurity company Okta and one of the founders of the volunteer group.

Known as the Cyber Threat Intelligence (CTI) League, the group’s membership has soared from a few dozen since its founding last month to some 1,400 people in 76 countries today. Security specialists from technology giants like Microsoft are members, and the group says it has formed close connections with law enforcement agencies.

Their services are in high demand as health care organizations strain to deal with COVID-19, which has killed more than 175,000 people worldwide. Spies and criminal groups have looked to exploit the pandemic, adapting their phishing and impersonation attempts to fears around the virus.

Some of the software vulnerabilities that the volunteers are finding at health care organizations have long been identified as popular with hackers. That includes a flaw in the virtual private network software Pulse Secure, which allows hackers to gain remote access to an organization’s server and steal credentials. Although the flaw was disclosed last year, many private and public-sector organizations have yet to apply the software update. Last week, the U.S. Department of Homeland Security said its cybersecurity wing had seen hackers exploit the vulnerability to deploy ransomware on hospital IT systems and U.S. government agencies.

“We have seen, and are likely going to continue to see, an increase in bad guys taking advantage of the COVID-19 pandemic to target businesses, governments and individuals alike,” Chris Krebs, head of DHS’s cybersecurity division, said Tuesday, touting his agency’s work with the CTI League.

In a report released Tuesday, the CTI League also said it was scouring the dark web for stolen login credentials used at medical organizations. “A large amount of the credentials reported by CTI League volunteers was stolen from breached sites, which we see hundreds each week,” the volunteers wrote.

The group has notched some early wins in its anti-hacking efforts. Last month, it helped the U.S. Department of Health and Human Services fix a flaw in its website that redirected visitors to a data-stealing web domain.

A far more serious threat has emerged in the Czech Republic, where authorities last week warned of imminent cyberattacks on health care organizations. Since then, there have been reports of attempted cyberattacks against Czech hospitals.

A spearphishing campaign against numerous health care organizations that preceded the attacks was a cleverly crafted attempt to fool the targets, a Czech official told CyberScoop.

“The situation is very dynamic,” the official, who spoke on the condition of anonymity, said of the malicious cyber campaign. “It’s still ongoing. We’re sharing information on the threat with our partners and allies.”

It remains to be seen how the CTI League can help the Czechs deal with the cyberthreat. The volunteers said they are closely monitoring the situation and trying to help where they can.
