Hacker News
Oregon hospital shuts down computer system after ransomware attack (beckershospitalreview.com)
109 points by weinzierl 37 days ago | 53 comments

Within the past 24 hours at least 5 ransomware attacks[0][1] happened on US hospitals.

Apart from timing, the attacks don't seem to originate from the same source (which is leading to speculation about potential coordination and premature attribution - at least in my social media bubble).

"It would be the season to launch politically motivated attacks (so close to election)" is a weak argument because:

It's a war crime to attack hospitals and the risks of escalation for nation state actors are not aligned with their incentives.

Assuming it's only financially motivated (crime groups) but with coordination (because timing): Very unlikely because criminal gangs lend themselves poorly to orchestration / coordination.

A combination of political+criminal (local political actor financing crime groups)? Occam's razor cuts deep here.

Assume the human brain primed to recognize patterns is a weakness and apply Hanlon's razor. Then the "Timing" is just coincidence and cause is horrible healthcare IT.

The combination of the pandemic, a politically charged climate (elections), technical debt in healthcare, and premature cyber-attribution could create a perfect storm.

The real lede buried among social media cyber fear-mongering: Discussion wouldn't take place if systems had been patched.

[0] https://nitter.net/uuallan/status/1321477875648942086

[1] https://nitter.net/ColdHandsMD/status/1321227783968796674

[2] https://twitter.com/whitequark/status/1321625126841032705

see also CISA advisory (pdf) https://us-cert.cisa.gov/sites/default/files/publications/AA...

> It's a war crime to attack hospitals and the risks of escalation for nation state actors are not aligned with their incentives.

The primary point of nation-state cybercrime is that individual citizens have not yet established at any large scale if they would support a physical response to a cyber attack.

If you have a physical attack political leadership can be pretty sure the people will support them in retaliating.

But with cybercrime, without big pictures on the TV of death and destruction that support does not seem to exist. Combine this with an opposing party willing to capitalize on public doubt and inaction is a political certainty.

Do all 5 attacks share some common vector? If so it could be that some zero-day or vulnerable target list has been shared within the past few days on some seedy underbelly of the darknet and a few opportunists decided to act on it?

these might be separate groups closing positions almost simultaneously after learning that they weren't first to maximize their chance of not getting bulldozed out of compromised systems by coordinated fed and/or private IT security actions in the aftermath of the initial attack.

is there a source for five attacks, other than this nitter post?

other than the post by this Threat Intel Analyst working at RecordedFuture and who has written 5 Security books and tweets under his real name? no.

this one has 3: https://www.wwnytv.com/2020/10/27/gouverneur-canton-potsdam-...

this is 1x https://www.beckershospitalreview.com/cybersecurity/oregon-h...

Reuters says dozens: https://mobile.reuters.com/article/amp/idUSKBN27E0EP

note/edit: nitter is just a shadow platform for twitter that removes tracking and useless javascript bloat. (it seems HN doesn't like it because any submissions pointing to nitter can not be engaged with. but nitter is more user-friendly and privacy respecting than twitter though. no need for a subscription and no errors when visiting links as common on twitter)

> It's a war crime to attack hospitals

Bombing a hospital is a war crime. Letting some malware find its way into misconfigured Microsoft computers is not.

> Letting some malware find its way into misconfigured Microsoft computers is not

I believe it is. And if a nation were found to be attacking or knowingly permitting the attack of American hospitals in the midst of a pandemic, a physical strike against their military assets (though not personnel) would be proportional.

But this has to be made clear ex ante, which it hasn’t been.

> a physical strike against their military assets though not personnel would be proportional.

What if that other country has nuclear weapons? Would WWIII start with cyber attacks first?

> What if that other country has nuclear weapons?

This is a solved problem. Nuclear powers routinely skirmish, usually through proxies.

Other non-violent but serious responses include closing consulates, enacting sanctions and increasing military deployments close to the enemy’s border.

It's not a 'solved problem'.

If the Iranians were behind a cyberattack on hospitals, they may or may not get a bombing run.

But if the Russians were behind it, there's no telling what would happen.

Probably sanctions and maybe even specific sanctions against specific individuals.

Well, you might ask that of the attacking country yourself

But apparently they know that people are hesitant in retaliating

As I have said before, paying ransoms and not retaliating is a good way to keep being attacked and asked for even more ransoms

Careful with this. This is not a black and white issue. Or should we go to the 90s where you could be fined because you "hacked" a MS webserver by typing ".." in the URL bar and the webserver dutifully responded by showing you dir contents _outside_ the web root? Something which you could do almost by accident with a poorly managed copy & paste.

There isn't that clear a balance between "the door was locked and I broke in" and "you were not even trying to secure this", and I would bet that most of these hospitals tilt to the latter (MUMPS comes to mind), up to the point you can cause great havoc just by accident. So I would definitely argue against any absolute "everything is a malware attack" classification.

I would totally agree with you in the case of a criminal organization (though considering the potential damage the prosecution should be more severe). But in the case of a government-organized attack on hospitals in another country, it would be in the spirit of that international law to treat it the same, because the motive and impact are similar.

At the very least a country doing this should be isolated.

> Letting some malware find its way into misconfigured Microsoft computers is not.

Especially more recently, ransomware gangs have been deliberately targeting specific organizations. It's not necessarily just a matter of malware spreading rampantly and it happening to land on a hospital system before encrypting all their shares automatically.

I'm sure that still occurs, but a lot of them are now picking organizations ahead of time and doing more sophisticated, hand-tailored things to try to get in and encrypt as many files across the network as possible, then explicitly setting and negotiating a hefty ransom based on what they think the organization is able to pay.
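A defender-side illustration of the behaviour described above (one account touching as many files on a share as it can, as fast as it can), added here and not part of the original thread: a small detector that reads file-share audit events and flags any account that renames many files to a new extension within a short window. The log format, field names, account names, paths and threshold values are all constructed for this example and are not from the article or the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tuning values are assumptions for this example, not figures from the thread.
WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 5  # extension-changing renames by one account on one host

# Constructed sample file-share audit events (not real logs). One account renames
# a couple of records normally; another renames a batch of imaging files to a
# new extension within half a minute.
SAMPLE_EVENTS = [
    r'2020-10-28T02:14:01 user=jdoe host=WS-042 action=write path="\\fs01\records\visit1.docx"',
    r'2020-10-28T02:14:09 user=jdoe host=WS-042 action=rename path="\\fs01\records\visit1.docx" newpath="\\fs01\records\visit1_final.docx"',
    r'2020-10-28T02:14:30 user=jdoe host=WS-042 action=rename path="\\fs01\records\scan.tif" newpath="\\fs01\records\scan.pdf"',
    r'2020-10-28T02:15:00 user=svc-print host=WS-117 action=rename path="\\fs01\imaging\study1.dcm" newpath="\\fs01\imaging\study1.dcm.locked"',
    r'2020-10-28T02:15:05 user=svc-print host=WS-117 action=rename path="\\fs01\imaging\study2.dcm" newpath="\\fs01\imaging\study2.dcm.locked"',
    r'2020-10-28T02:15:10 user=svc-print host=WS-117 action=rename path="\\fs01\imaging\study3.dcm" newpath="\\fs01\imaging\study3.dcm.locked"',
    r'2020-10-28T02:15:15 user=svc-print host=WS-117 action=rename path="\\fs01\imaging\study4.dcm" newpath="\\fs01\imaging\study4.dcm.locked"',
    r'2020-10-28T02:15:20 user=svc-print host=WS-117 action=rename path="\\fs01\imaging\study5.dcm" newpath="\\fs01\imaging\study5.dcm.locked"',
    r'2020-10-28T02:15:25 user=svc-print host=WS-117 action=rename path="\\fs01\imaging\study6.dcm" newpath="\\fs01\imaging\study6.dcm.locked"',
    r'2020-10-28T02:40:00 user=jdoe host=WS-042 action=delete path="\\fs01\records\old.tmp"',
]

EVENT_RE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\w+) '
    r'path="(?P<path>[^"]+)"(?: newpath="(?P<newpath>[^"]+)")?$'
)


def parse_event(line):
    """Parse one audit line into a dict; return None for malformed input."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    except ValueError:
        return None
    return ev


def extension_changed(old_path, new_path):
    """True when a rename changes the file extension (case-insensitive)."""
    return PureWindowsPath(old_path).suffix.lower() != PureWindowsPath(new_path).suffix.lower()


def detect_mass_renames(lines, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return one alert per (user, host) whose extension-changing renames reach
    the threshold inside a sliding time window. Ordinary renames that keep the
    extension are ignored, so routine document edits do not trip the rule."""
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])  # audit feeds are not always ordered
    recent = defaultdict(deque)  # (user, host) -> timestamps inside the window
    alerts = {}
    for ev in events:
        if ev["action"] != "rename" or not ev["newpath"]:
            continue
        if not extension_changed(ev["path"], ev["newpath"]):
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(key, {
                "user": ev["user"], "host": ev["host"],
                "first_seen": q[0], "count": 0, "new_extension": None,
            })
            alert["count"] = len(q)  # keep the running count as the burst continues
            alert["last_seen"] = ev["ts"]
            alert["new_extension"] = PureWindowsPath(ev["newpath"]).suffix.lower()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_renames(SAMPLE_EVENTS):
        print(f"ALERT {alert['user']}@{alert['host']}: {alert['count']} renames to "
              f"{alert['new_extension']} between {alert['first_seen']} and {alert['last_seen']}")
```

On the constructed input this yields a single alert for the service account on WS-117; the ordinary user's one extension change (tif to pdf) stays below the threshold. In practice the rule would be fed from SMB or file-server audit logs and paired with a response such as disabling the account or disconnecting the host from the share.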

if the only difference is that the building is still standing, does it matter? an empty hospital is as functional as the parking lot next to it, perhaps less so.

Many doors in a hospital are unlocked, but lead to spaces that are not for the public. Does that mean you are entitled to go in the doors that are unlocked, but not for the general public, then tear the place up and take a massive shit on the floor?

These pieces of shit need to leave hospitals alone. We already had one dead connected to a ransomware attack on a hospital[1].

I hope they get caught and prosecuted.

[1]: https://news.ycombinator.com/item?id=24513820

On the Risky Business podcast, they've been advocating for 'releasing the hounds'. That is, let the intelligence agencies and military cyber capabilities loose on these criminals.

This shit is enough of an impact on national security to justify this imho, even though it is 'merely' criminal activity.

Yeah, why not waste all those zero days on posturing, great idea!

If security costs money, and you get paid to make money, then security is not important until it's too late. I've seen my share of "security" executives for whom actual security leadership consisted of dogs and ponies and lots of hand waving which was cheap and made them popular with the other execs. It's like being a general with no war around; then when you get a real war you find out the general has no clue how to fight a war.

Hopefully they will make the fundamental connection: "backdoors for the government are backdoors for everybody else too".

I don't think they will.

Today we learn that basic Computer Security practices aren't a joke.

Just like washing your hands, patching your software and checking occasionally to make sure it's not doing something stupid is, in fact, critically important.

Don't we learn that almost every day? No, we are not learning.

Whether or not it is correct by definition, ransomware attacks aimed at healthcare institutes should be labelled 'cyber terrorism' to create the right mental picture in the head of the general public.

OK, but then not patching your shit, having root/root as your db password, exposing data to the internet that does not need to be exposed and collecting data that does not need to be collected also has to be treated like a crime.

We called it a "computer virus" for a reason. This stuff is just part of the environment. We yell at people for not vaccinating, we condemn people who are not wearing masks and not following social distancing protocols.

Also, if we call this cyber terrorism, we also have to call the NSA and similar agencies terrorist organisations and shut them down: they find vulnerabilities and keep them secret to use them themselves, and they buy exploits, funnelling money into the black market. Just imagine: a hospital shuts down after being hit by an exploit that was developed with NSA money and they didn't tell the public about.

In some cases they should, but the chain of responsibility does not end with the technical staff.

Technical staff needs resources from management and may own/inherit a well-organized network or a complete clusterf*ck depending on the organization.

Management deploys resources to a level to not annoy owners / investors. This level is influenced by external forces, like regulation.

So regulators need to step their game way up, but are also time & resource-constrained. How do regulators pull the needed resources? Tax money.

How to justify tax money? Have a public that is informed of the danger and criticality of having hospitals operated in the way they are right now.

This is of course a big simplification, but the chain goes much further than just "IT that doesn't patch."

Obviously management and lawmakers have responsibility! As an IT person, get a paper trail to prove you warned them! Also consider refusing their orders if it literally puts lives at risk!

Nobody can claim not to know about the problem.

I'm sure it will be called "cyber preparedness", just as biological warfare was dubbed "biopreparat" by the USSR...

I was just wondering the same thing

How is it possible that in a time where filesystems with history exist (btrfs, I think ZFS?), this kind of attack is still possible? It is just software... I would assume it would take OS vendors waaaay less money to implement foolproof protection against such attacks than it takes the victims to pay for data restoration.

Sure, storage use would go up, but is this even a problem? I would assume most files are write-once, and there could be sensible exceptions made for the files that update frequently.

Usually the infected computers are running Windows, which doesn't have full filesystem snapshot capability.

Storage servers/SANs will have snapshot capability but it takes a long time to roll back and bring things back up. Also, a lot of companies don't plan for the fact that restoring that snapshot effectively doubles the required amount of storage.

I've heard of storage vendors sending huge amounts of new shelves of disk to customers so they have enough space to expand their snapshots.

Let's not put undue blame on Windows here. Not only is it factually incorrect (Windows System Restore has been around for ages, and File History is on by default on recent versions), Windows nags users to set up backup to an external storage, which, for example, Ubuntu does not even suggest.

Windows restore doesn't help if your entire data store is encrypted and the OS is offline.

I don't see how this is different from any other filesystem.
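To make the snapshot sub-thread above concrete, here is an added example (not code from the thread or from any filesystem mentioned in it): a minimal copy-on-write volume model in which files are content-addressed blobs and a snapshot is a frozen path-to-hash map. It shows the two claims made above side by side: when most files are write-once, keeping a pre-attack snapshot costs only the space of the files that changed, but when a rewrite touches every file the space held roughly doubles, and it shows that a snapshot the compromised account can delete offers no protection at all. The class and function names are hypothetical and the file contents are constructed.

```python
import hashlib
import os


class SnapshotVolume:
    """Minimal copy-on-write volume (hypothetical, written for this example):
    files are content-addressed blobs, snapshots are frozen path->hash maps."""

    def __init__(self):
        self._blobs = {}      # sha256 hex digest -> bytes
        self._live = {}       # path -> digest of the current content
        self._snapshots = {}  # snapshot name -> {path: digest}

    def write(self, path, data):
        digest = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(digest, data)  # identical content is stored once
        self._live[path] = digest             # old blob stays if a snapshot holds it

    def read(self, path):
        return self._blobs[self._live[path]]

    def snapshot(self, name):
        """Freeze the current file map; later writes never modify these blobs."""
        self._snapshots[name] = dict(self._live)

    def rollback(self, name):
        """Point the live view back at a snapshot; its blobs are still present."""
        self._live = dict(self._snapshots[name])

    def delete_snapshot(self, name):
        del self._snapshots[name]

    def storage_bytes(self):
        """Space actually held: every blob referenced by the live view or a snapshot."""
        referenced = set(self._live.values())
        for snap in self._snapshots.values():
            referenced.update(snap.values())
        return sum(len(self._blobs[d]) for d in referenced)


def run_scenario(n_files, n_overwritten, file_size=1024, snapshot_deleted=False):
    """Populate n_files, take a snapshot, overwrite n_overwritten files with random
    bytes (standing in for an encrypted rewrite of the same size), then roll back.
    Returns storage before and after the overwrite and whether every original
    came back. With snapshot_deleted=True the snapshot is removed first, modelling
    a snapshot that the same privileged account was allowed to delete."""
    vol = SnapshotVolume()
    originals = {}
    for i in range(n_files):
        path = f"/data/record{i}.dat"
        data = f"record {i}\n".encode().ljust(file_size, b"\0")  # unique per file
        originals[path] = data
        vol.write(path, data)
    vol.snapshot("nightly")
    before = vol.storage_bytes()

    for path in list(originals)[:n_overwritten]:
        vol.write(path, os.urandom(file_size))  # new content, old blob retained
    after = vol.storage_bytes()

    if snapshot_deleted:
        vol.delete_snapshot("nightly")
    try:
        vol.rollback("nightly")
        restored = all(vol.read(p) == d for p, d in originals.items())
    except KeyError:  # nothing left to roll back to
        restored = False
    return {"before": before, "after": after, "restored": restored}


if __name__ == "__main__":
    print("5 of 100 files changed:", run_scenario(100, 5))
    print("all 100 files rewritten:", run_scenario(100, 100))
    print("snapshot deleted first:", run_scenario(100, 100, snapshot_deleted=True))
```

The first scenario holds 105 KiB for 100 KiB of live data, the second holds 200 KiB, which is the "restoring that snapshot effectively doubles the required amount of storage" point made above, and the third cannot be rolled back at all. The practical conclusion for a defender is that snapshot capacity has to be planned for a worst-case full rewrite, and that snapshots must be held where the account doing the writing cannot delete them.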

I hope the scummy criminals behind this get their dues one day. This is horrible

The only good thing from this is that hospitals are waking up to the dangers of having weak digital security. Sadly this is the only way of having people invest more in security...

Unfortunately, so many of the affected hospitals and health practitioners don't really understand the implications of a ransomware attack, the correct public disclosure process, or how to improve their security afterwards. Many hospitals hire a "cyber security expert" to upgrade their system and end up paying a small fortune. There's a budding hospital cyber sales industry more than happy to fleece these institutions.

They understand fully well, and in fact purposefully do nothing. They've had over a decade of warning and similar incidents. Like all overpaid consultants, they exist as scapegoats for executives who make decisions with sub-optimal results.

I remember having a conversation with someone who worked in Health Cyber Security a few years ago.

They pointed out their MRI machine depended on a Windows Server 2K3 machine, which they didn't patch, networked on the corporate network (to access/transmit results). I asked why they couldn't patch or upgrade it, to which they responded:

> "Every time we patch or change the software configuration we need to have it re-certified before we can use it on a patient, and that takes months and $10,000's"

I really hope we'll see some movement in the health security space, maybe leveraging SDN/Micro-segmentation or Identity-Aware-Proxy software like Hashicorp Boundary, but these aren't (really) zero-cost and add friction/delays to accessing the information you need about your patient... Time will tell.

I recently heard a similarly scary story about a German hospital. They are still running some machines for patient data management on XP since funding for that software stopped long ago. What's especially funny is how the software is .NET based so you'd think it's less likely to break on a Windows update....

And I can't really agree with everyone solely blaming the attackers. Bad people exist. You don't leave your front door wide open when you leave your house either and then act all surprised if you get robbed. I don't really let "don't blame the victim" count here. A malware attack is not like a natural disaster that just happens. Don't build your house on quicksand.

Maybe it's actually good this happens now and that it's "just" ransomware. Because maybe it raises awareness and leads to better security. Next time it might be a coordinated attack by a state actor that doesn't just have money on their mind.

They have the money and the resources to lobby whoever genius orgs came out with these rules to come up with better ones.

Sounds like a job for kubernetes

I've done my fair share of dealing with IT in hospitals and the single biggest source of "non-compliance" I came across was based on the ridiculous power doctors wield.

They're still treated like Demi G-ds and can and do demand password-less access since they can not be bothered with anything that is not billable, err, in the patient's best interest.

The amount of unpatched crappola, the self-bought software, the alternative inbound connectivity and hugely expensive machines from well known vendors without even the slightest form of IT security is mind boggling.

Add to that the horrendous state of "digital health", which at its core is based on standards like HL7, and I'm 100% sure that what we are seeing now is just the humble beginnings.

For what it's worth it could all be state sponsored.

InsurTechnix's founders experienced the effects of cyber attacks on multiple hospitals at our previous start up. That's one of the reasons we founded InsurTechnix.

Here's an introduction to our ransomware report: https://youtu.be/2yDqp34JN9k

If any hospital CISO and/or IT admin would like a three month free trial - even just to get over the current attacks - please reach out.

The hospital is still moving forward with scheduled procedures, although those requiring imaging services may be delayed, according to a Herald and News report.

Misleading title

EDIT: turns out lack of sleep is bad, mmmkay? Misread the title.

Perhaps you misread the title?

It says, "Oregon hospital shuts down computer system", not "Oregon hospital shuts down", so the title is not at odds with the content.

It depends whether you implicitly put "the" or "a" in between "down" and "computer".

Yes, my fault. I blame it on my lack of sleep and already shite morning.

China Phase 2..

I foresee a blitz build-up of troops within the next week in eastern Fujian.
