Apart from timing, the attacks don't seem to originate from the same source (which is leading speculation about potential coordination and premature attribution - at least in my social media bubble).
"It would be the season to launch politically motivated attacks (so close to election)" is a weak argument because:
It's a war crime to attack hospitals and the risks of escalation for nation state actors are not aligned with their incentives.
Assuming it's only financially motivated (crime groups) but with coordination (because timing): Very unlikely because criminal gangs lend themselves poorly to orchestration / coordination.
A combination of political+criminal (local political actor financing crime groups)? Occam's razor cuts deep here.
Assume the human brain primed to recognize patterns is a weakness and apply Hanlon's razor. Then the "Timing" is just coincidence and cause is horrible healthcare IT.
The combination of the pandemic, a politically charged climate (elections), technical-debt in healthcare, premature cyber-attribution, could create a perfect storm.
The real lede buried among social media cyber fear-mongering: Discussion wouldn't take place if systems had been patched.
see also CISA advisory (pdf) https://us-cert.cisa.gov/sites/default/files/publications/AA...
The primary point of nation-state cybercrime is that individual citizens have not yet established at any large scale if they would support a physical response to a cyber attack.
If you have a physical attack political leadership can be pretty sure the people will support them in retaliating.
But with cybercrime, without big pictures on the TV of death and destruction that support does not seem to exist. Combine this with an opposing party willing to capitalize on public doubt and inaction is a political certainty.
this one has 3: https://www.wwnytv.com/2020/10/27/gouverneur-canton-potsdam-...
this is 1x https://www.beckershospitalreview.com/cybersecurity/oregon-h...
Reuters says dozens: https://mobile.reuters.com/article/amp/idUSKBN27E0EP
Bombing a hospital is a war crime. Letting some malware find its way into misconfigured Microsoft computers is not.
I believe it is. And if a nation were found to be attacking or knowingly permitting the attack of American hospitals in the midst of a pandemic, a physical strike against their military assets (though not personnel) would be proportional.
But this has to be made clear ex ante, which it hasn’t been.
What if that other country has nuclear weapons? Would WWIII start with cyber attacks first?
This is a solved problem. Nuclear powers routinely skirmish, usually through proxies.
Other non-violent but serious responses include closing consulates, enacting sanctions and increasing military deployments close to the enemy’s border.
If the Iranians were behind a cyberattack on hospitals, they may or may not get a bombing run.
But if the Russians were behind it, there's no telling what would happen.
Probably sanctions and maybe even specific sanctions against specific individuals.
But apparently they know that people are hesitant about retaliating.
As I have said before, paying ransoms and not retaliating is a good way to keep being attacked and asked for even more ransoms.
There's not that clear a balance between "the door was locked and I broke in" and "you were not even trying to secure this", and I would bet that most of these hospitals tilt to the latter (MUMPS comes to mind), up to the point where you can cause great havoc just by accident. So I would definitely argue against any absolute "everything is a malware attack" classification.
At the very least, the country doing this should be isolated.
Especially more recently, ransomware gangs have been deliberately targeting specific organizations. It's not necessarily just a matter of malware spreading rampantly and it happening to land on a hospital system before encrypting all their shares automatically.
I'm sure that still occurs, but a lot of them are now picking organizations ahead of time and doing more sophisticated, hand-tailored things to try to get in and encrypt as many files across the network as possible, then explicitly setting and negotiating a hefty ransom based on what they think the organization is able to pay.
I hope they get caught and prosecuted.
This shit is enough of an impact on national security to justify this imho, even though it is 'merely' criminal activity.
I don't think they will.
Just like washing your hands, patching your software and checking occasionally to make sure it's not doing something stupid is, in fact, critically important.
We called it a "computer virus" for a reason. This stuff is just part of the environment. We yell at people for not vaccinating, we condemn people who are not wearing masks and following social distancing protocols.
Also, if we call this cyber terrorism, we also have to call the NSA and similar agencies terrorist organisations and shut them down: they find vulnerabilities and keep them secret to use them themselves, and they buy exploits, funnelling money into the black market. Just imagine: a hospital shuts down after being hit by an exploit that was developed with NSA money and that they didn't tell the public about.
Technical staff needs resources from management and may own/inherit a well-organized network or a complete clusterf*ck depending on the organization.
Management deploys resources to a level to not annoy owners / investors. This level is influenced by external forces, like regulation.
So regulators need to step their game way up, but are also time & resource-constrained. How do regulators pull the needed resources? Tax money.
How to justify tax money? Have a public that is informed of the danger and criticality of having hospitals operated in the way they are right now.
This is of course a big simplification, but the chain goes much further than just "IT that doesn't patch."
Nobody can claim not to know about the problem.
Sure, storage use would go up, but is this even a problem? I would assume most files are write-once, and there could be sensible exceptions made for the files that update frequently.
Storage servers/SANs will have snapshot capability but it takes a long time to roll back and bring things back up. Also, a lot of companies don't plan for the fact that restoring that snapshot effectively doubles the required amount of storage.
I've heard of storage vendors sending huge amounts of new shelves of disk to customers so they have enough space to expand their snapshots.
They pointed out their MRI machine depended on a Windows Server 2K3 machine, which they didn't patch, networked on the corporate network (to access/transmit results). I asked why they couldn't patch or upgrade it, to which they responded:
> "Every time we change patch or change the software configuration we need to have it re-certified before we can use it on a patient, and that takes months and $10,000's"
I really hope we'll see some movement in the health security space, maybe leveraging SDN/Micro-segmentation or Identity-Aware-Proxy software like Hashicorp Boundary, but these aren't (really) zero-cost and add friction/delays to accessing the information you need about your patient... Time will tell.
And I can't really agree with everyone solely blaming the attackers. Bad people exist. You don't leave your front door wide open when you leave your house either and then act all surprised if you get robbed. I don't really let "don't blame the victim" count here. A malware attack is not like a natural disaster that just happens. Don't build your house on quicksand.
Maybe it's actually good this happens now and that it's "just" ransomware. Because maybe it raises awareness and leads to better security. Next time it might be a coordinated attack by a state actor that doesn't just have money on their mind.
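The micro-segmentation idea mentioned above, as an added example that is not code from the original thread or from any vendor named in it: a small allow-list policy evaluator for an unpatchable legacy host (the MRI controller), where the host may only exchange DICOM traffic with one results server and everything else, inbound or outbound, is denied by default. All addresses, the host names in the comments, and the use of port 104 for DICOM are constructed assumptions; the policy syntax is invented for this example and is not the syntax of any real firewall or SDN product.

```python
"""Allow-list segmentation policy for an unpatchable legacy host.

Constructed example: every address, port and comment below is a placeholder,
not taken from any real hospital network. The rule syntax is invented here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_policy(text: str) -> list[Rule]:
    """Parse lines of the form:
    allow tcp 10.20.0.10/32 -> 10.20.5.20/32 port 104   # comment
    Blank lines and comment-only lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 7:
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, arrow, dst, kw, port = parts
        if action not in ("allow", "deny") or arrow != "->" or kw != "port":
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(action, proto,
                          ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port),
                          comment.strip()))
    return rules


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, Optional[Rule]]:
    """First matching rule wins; a flow matching no rule is denied (default deny)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if rule.proto not in ("any", flow.proto):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action, rule
    return "deny", None


def denied_flows(rules: list[Rule], flows: list[Flow]) -> list[Flow]:
    """Flows the policy would block; with logging these are the events worth alerting on."""
    return [f for f in flows if evaluate(rules, f)[0] == "deny"]


# Constructed policy: the legacy MRI host (10.20.0.10) may only talk DICOM to the
# results server (10.20.5.20); every other direction and port is explicitly denied.
POLICY = """
allow tcp 10.20.0.10/32 -> 10.20.5.20/32 port 104   # MRI host -> results server (DICOM, assumed port)
allow tcp 10.20.5.20/32 -> 10.20.0.10/32 port 104   # results server -> MRI host (DICOM, assumed port)
deny  any 0.0.0.0/0     -> 10.20.0.10/32 port any   # nothing else may reach the MRI host
deny  any 10.20.0.10/32 -> 0.0.0.0/0     port any   # the MRI host may not reach anything else
"""

# Constructed sample flows, as a flow collector might report them.
SAMPLE_FLOWS = [
    Flow("10.20.0.10", "10.20.5.20", "tcp", 104),    # legitimate DICOM transfer
    Flow("10.20.0.10", "203.0.113.7", "tcp", 443),   # unexpected outbound connection from the MRI host
    Flow("10.20.9.5", "10.20.0.10", "tcp", 445),     # workstation trying SMB on the unpatched host
    Flow("10.20.9.5", "10.20.0.10", "tcp", 3389),    # workstation trying RDP on the unpatched host
]

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for flow in SAMPLE_FLOWS:
        action, rule = evaluate(rules, flow)
        why = rule.comment if rule else "no matching rule (default deny)"
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {action} ({why})")
```

The point of the explicit deny rules, rather than relying only on the default, is that each blocked flow then carries a reason that can be logged: a workstation probing the MRI host on SMB or RDP is exactly the lateral movement an unpatched 2003 box cannot defend itself against, so the segmentation layer is both the compensating control and the sensor.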
They're still treated like Demi G-ds and can and do demand password-less access since they cannot be bothered with anything that is not billable, err, in the patient's best interest.
The amount of unpatched crappola, the self-bought software, the alternative inbound connectivity and the hugely expensive machines from well-known vendors without even the slightest form of IT security is mind-boggling.
Add to that the horrendous state of "digital health", which at its core is based on standards like HL7, and it makes me 100% sure that what we are seeing now is just the humble beginnings.
Here's an introduction to our ransomware report: https://youtu.be/2yDqp34JN9k
If any hospital CISO and/or IT admin would like a three month free trial - even just to get over the current attacks - please reach out.
EDIT: turns out lack of sleep is bad, mmmkay? Misread the title.
It says, "Oregon hospital shuts down computer system", not "Oregon hospital shuts down", so the title is not at odds with the content.