New TimisoaraHackerTeam Ransomware Group and Closure of Rural Illinois Hospital Due to Ransomware Attack

TimisoaraHackerTeam Ransomware Group Connected to New Attack on U.S. Cancer Center

There is an alert concerning a somewhat unknown threat group referred to as TimisoaraHackerTeam after a new attack on a U.S. healthcare center. TimisoaraHackerTeam is thought to be a financially driven threat group, which as opposed to several cybercriminal and ransomware groups, is without qualms around targeting the healthcare and public health (HPH) sector and seems to actively attack HPH industry companies, primarily doing attacks on big companies. The group was initially recognized in July 2018 yet has mostly remained unnoticed.

Based on the Healthcare Sector Cybersecurity Coordination Center (HC3), which released the advisory on June 16, the group has reappeared and done a ransomware attack in June 2023 on a U.S. cancer facility which made its digital services inaccessible, placed the protected health information (PHI) of patients at stake, and considerably minimized the capability of the hospital to offer patient treatments.

The group has taken advantage of identified vulnerabilities to achieve preliminary access to HPH industry systems, then escalates privileges, moves side to side and encrypts data files. The threat group utilizes the native disk encryption tool of Microsoft, BitLocker, together with Jetico’s BestCrypt, instead of custom ransomware. This enables the group to encrypt data files without being discovered by security programs. Prior attacks that were loosely related to TimisoaraHackerTeam consist of an April 2021 attack on a French hospital which included the same living-off-the-land strategies, and an assault on Hillel Yaffe Medical Center located in Israel, which led to the termination of non-elective treatments and compelled the hospital to turn to other systems to carry on to offer patient care.

Based on the cybersecurity company Varonis, the cyberattack on Hillel Yaffe Medical Center in Israel is believed to have included the exploitation of an identified and unpatched vulnerability present in the Pulse Secure VPN. Then, the hackers used living-off-the-land strategies for the subsequent phases of the attack to avoid security tools. Varonis states information on attacks done by TimisoaraHackerTeam generally dates to 2018, and although it’s possible that the group has re-appeared, the DeepBlueMagic threat group could be a development of TimisoaraHackerTeam or DeepBlueMagic could have just used a similar strategy as TimisoaraHackerTeam. Identical techniques were likewise used by hackers in China, with those attacks ascribed to an Advanced Persistent Threat Group that is monitored as APT41, even so it is still not clear to what degree, if any, these threat actors are connected.

Besides exploiting Pulse Secure VPN vulnerabilities, TimisoaraHackerTeam has taken advantage of vulnerabilities in Microsoft Exchange Server and Fortinet firewalls and employs improperly set up Remote Desktop Protocol to go laterally inside networks. The latest attack on the cancer facility gives a caution that the group continues to be active, and that system defenders ought to do something to enhance tracking and secure their systems from attacks. More information on the group and its strategies, methods, and processes are available in the HC3 HPH Sector Cybersecurity Notification.

Ransomware Attack Led to Rural Illinois Hospital Closure

Ransomware attacks could bring about the temporary closure of healthcare facilities. Small healthcare providers have decided not to reopen right after a ransomware attack. Hospitals and health systems, on the other hand, are generally financially tough enough to deal with the attacks and recover. But St. Margaret’s Health is not so. Just like a lot of health systems and rural hospitals, St. Margaret’s Health is having difficulties maintaining operations when confronted with escalating financial demands, then fell victim to a ransomware attack that led it to spin out of control. The attack, along with a number of other factors, contributed to the decision to once and for all close its 44-bed Spring Valley facility in Illinois. St Margaret’s Health likewise manages a 49-bed hospital located in Peru, IL, which was under a brief suspension that was reported this January 2023. All operations will be shut down at these hospitals completely on June 16, 2023.

Just like a lot of rural hospitals, St. Margaret’s Health has encountered growing financial difficulties lately, the COVID-19 pandemic, continuous personnel shortages, as well as the ransomware attack on St. Margaret’s Hospital – Spring Valley in February 2021. These occurrences made it impossible to retain its ministry. The ransomware attack on its own did not bring about the shutdown, however, it did have a crucial role in the choice to shut down. The ransomware attack stopped the hospital from filing claims to insurance companies, Medicaid, and Medicare for several months, adding further financial strain on the already grappling St. Margaret’s Health.

SMP Health chair Suzanne Stahl stated St. Margaret’s Health has affixed her signature to a non-binding letter of intent together with OSF Healthcare to get the Peru grounds and pertinent ambulatory services, and the profits of the sale is going to be utilized to cover a part of St. Margaret’s financial obligations and will help to make sure that catholic-dependent healthcare will carry on to be given in the Illinois valley and nearby places. The change will require some time, and although OSF Healthcare is trying to complete the purchase fast, it can’t give a time period for when treatment will be offered. The hospital closure will have a substantial effect on the community’s well-being. This is going to be a difficult change for a lot of locals who depend on the hospital for good quality healthcare. The shutdown will mean that people will be obligated to take farther trips for emergency room and obstetrics assistance.

Persistent pressures on rural hospitals led to the closures of 136 rural hospitals from 2010 to 2021, as per a 2022 American Hospital Association report. 2020 alone had 19 closures. Rural hospitals commonly have low repayment, personnel shortages, and low patient numbers, and likewise must handle the COVID-19 pandemic. Cyberattacks are plenty enough to make them out of control.

Sadly, this is not yet the last ransomware attack that is a lot to take for a rural hospital. Greater financial strain restricts the capability of rural hospitals to spend on cybersecurity and they likewise have difficulties bringing in and keeping skilled cybersecurity personnel. That makes rural hospitals a quick target for ransomware groups, which are more and more attacking these healthcare services. Even if rural hospitals aren’t particularly targeted, they could still become victims of non-targeted attacks because of the insufficiency of proper cybersecurity.

About Christine Garcia 1192 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA