The world’s developed nations are almost constantly launching cyber attacks at each other, but these are usually limited to espionage campaigns and the occasional attempt to profit at the expense of private industry. These countries do a lot of poking in and rummaging around the vital services of rivals, but very rarely take the sort of concrete action that verges on crossing a clear “act of war” line. That makes the recent ransomware attack on a hospital in the Paris metro area an anomaly.
Located northwest of Paris, the Rouen University Hospital is considered one of the country’s 13 most vital medical services providers and is also a major research center. A mid-November attack left the facility crippled by ransomware, limiting it to providing vital medical services only while a team of 50 government agents worked to get systems back online.
The attack, thought to have been perpetrated by Russian “advanced persistent threat” (APT) group TA505, may have been the work of professional criminals seeking profit without any nation-state backing. However, the tacit permission given to hacking groups in countries like Russia combined with the need to cross virtual borders to deliver an active response raises serious questions about appropriateness, escalation and the fuzzy nature of international law in the cyber realm.
The ransomware attack on Rouen hospital
Occurring on Nov. 15, the attack impacted the entirety of the 2,500-bed hospital and is thought to have shut down 6,000 computers. Medical staff were forced to operate in an emergency “degraded mode” for the better part of a week, returning to the use of pen and paper and landline telephones to coordinate patient care as crews worked to restore full function to the facility. Though there were no reported fatalities as a result of the attack, patients were subject to unusually long delays in care.
Guillaume Poupard, head of French national cyber security agency ANSSI, indicated that the attacks were part of an ongoing campaign against targets in the country’s medical sector. Poupard declined to name the other targets, but indicated that French law allowed for an active response and that such a response was under consideration.
Though French officials are indicating that there is a specific campaign against targets in the country, these attacks are in keeping with a global uptick in ransomware attacks on health care targets that store medical or personal data. Hospitals represent an ideal (and utterly callous) target for these sorts of attacks in that they cannot afford even relatively short periods of downtime. Both the United States and Australia experienced a rash of ransomware attacks at hospitals in October. Three medical centers in Alabama were hit with the Ryuk ransomware early in the month, a strain infamous for disabling the Windows System Restore function and one that was also used in a series of attacks on US newspaper companies in late 2018. In Australia, a number of medical facilities in the public health system of Victoria experienced ransomware attacks on their patient data and booking systems.
However, medical targets can be less than ideal for attackers in that they may not have the liquid resources available to make immediate ransom payments. As Poupard pointed out, “(the attackers) have not done enough research; hospitals in France have no money.” The same lack of funding that causes medical facilities to run outdated systems and get by with inadequate IT security support also renders them unable to pay to make ransomware problems go away. While attackers have managed to extort a number of hospitals around the world into making sizable payments, many that were unable to pay the ransom have simply limped along with 20th century techniques until systems could be restored.
The TA505 connection
A Forbes cybersecurity analyst reported that no ransom demand had been received, raising additional questions about the identity and motivation of the cyber criminals.
President Emmanuel Macron has previously stated in an interview with the Economist that France is in a state of “total war” on the cyber front with Russia. Russia has specifically targeted France’s infrastructure and political systems before, including a 2015 attack on all of TV5Monde’s broadcast television channels and a 2017 leak of then-candidate Macron’s emails. Both of these attacks are believed to have been conducted by GRU APT groups.
TA505 is a Russia-based group, but one that has focused specifically on financial crimes to date. The group has spent most of 2019 targeting large financial institutions around the world with their malware, signs of which were present in the ransomware attack on the French hospital. Security researchers have not discovered any particular connection between TA505 and Russian intelligence, but it is hardly unheard of for successful hacking groups to be brought into the national fold. It would certainly help to explain why a group that has always been about the most profitable attacks first and foremost suddenly has an interest in French hospitals that have limited funds, and did not even bother to ask for a ransom once their attack took root.
Regardless of whether or not this particular group is affiliated with Russian intelligence, it is an open secret that the Russian government will do very little to deter its independent cybercriminals so long as they do not create problems for the nation or its allies. ANSSI’s talk of response with active measures appears to be in keeping with the French military’s current position toward cyber incursions, though it is not clear exactly what the country would do in light of concerns about proper attribution and escalation. The country has named economic and diplomatic responses as alternative options in cases such as these.
Shades of WannaCry
The attack invites natural comparisons to the WannaCry ransomware outbreak of 2017, a worm that ravaged outdated and unpatched Windows systems and hit the UK’s National Health Service (NHS) particularly hard.
WannaCry taught organizations lessons that bear repeating after this recent ransomware attack: ensure that computer systems are always patched, replace systems that can no longer be patched, and have a regular backup system in place.
Unlike the WannaCry situation, TA505’s ransomware attacks are known for their adaptability and cutting-edge techniques that require IT teams to actively keep up with them.