- The U.S. Health and Human Services Department was the victim of a cyberattack Sunday night, reports Bloomberg.
- The intent of the attack was to slow systems, though it was unsuccessful "in a meaningful way," according to the report. No data was compromised.
- The agency's cyberattack was the result of "multiple incidents of hacking," according to a tweet from journalist Jennifer Jacobs and co-author of the Bloomberg report. While the perpetrator hasn't been identified, officials believe it was orchestrated by nation-state actors.
Agencies are already taxed dealing with response to the coronavirus. A cyberattack only heightens the complications.
Healthcare organizations' cybersecurity has been in "critical condition" for a long time. Outdated systems and infrastructure inhibit threat prediction and analysis. Though HHS took steps to mitigate the impact of cyber events, such as breaches, some of its guidelines were only voluntary. The guidelines were outlined for organizations across the healthcare industry, from local clinics to large hospitals.
Malicious actors often respond to crises with misinformation campaigns or phishing schemes, according to research from Recorded Future.
Hackers are also leveraging public-facing resources as a tool to spread malware. Attackers exploited Johns Hopkins' coronavirus data map, which showcases real-time infection rates, reports cybersecurity journalist Brian Krebs.
Russian cybercrime forums were found selling a "digital coronavirus infestation kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme," according to Krebs. If the buyer already has a Java code signing certificate, the kit costs $200.
Legislation regarding cyberattacks and international law are insufficient, leaving nation-state cyberattacks left unattended to. Without consequences, hostile foreign actors will continue to target U.S. systems.
Last week the Cyberspace Solarium Commission released its 200-page report offering recommendations for shoring up U.S. cybersecurity, including retaliation. "The existing declaratory policy does not sufficiently communicate resolve or articulate a compelling logic of consequences," according to the report.
The commission wants the U.S. to "publicly convey" its ability to respond to cyberattacks and "impose costs against adversary cyber campaigns below a use-of-force threshold."