Fraud Management & Cybercrime , Healthcare , Industry Specific

Feds Warn Health Sector of TimisoaraHackerTeam Threats

HHS Says 'Obscure' Group Has Resurfaced, Hitting a Cancer Center
Feds Warn Health Sector of TimisoaraHackerTeam Threats

Federal authorities are warning the healthcare sector of an apparent resurgence of TimisoaraHackerTeam threats after a recent attack by the "obscure" ransomware group on a U.S. cancer center.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

The Department of Health and Human Services does not identify the U.S. cancer center that THT allegedly victimized this month, but says the attack "significantly reduced patient treatment capability, rendered digital services unavailable and also threated exposure of patient protected health information and personally identifiable information."

The TimisoaraHackerTeam, or THT, is a "relatively unknown" threat actor that was discovered by security researchers in 2018 and has previously attacked healthcare sector entities globally, warns the alert issued Friday.

"Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and effective technique of encrypting data in a target environment has paralyzed the healthcare and public health sector," the alert says.

THT's source code appears to be produced by Romanian speakers, and the group's name comes from Timisoara, a Romanian town, HHS said. Like most ransomware groups, THT appears to be financial motivated, often demanding ransoms in bitcoin to decrypt encrypted servers.

Security experts warn that ransomware attacks in clinical settings have negative outcomes for patient health. A September 2021 alert by the Cybersecurity and Infrastructure Security Agency links cyberattacks to increased patient mortality.

"Rather than use custom-built tools to encrypt the files of victims like many ransomware groups, THT's characteristic tactic of abusing legitimate tools like Microsoft BitLocker and Jetico's BestCrypt makes them unique among threat actors," HHS wrote.

THT's use of those "living off the land" tools - including BitLocker and BestCrypt - makes detection more difficult.

The group's methods suggest possible connections with other threat actors such as DeepBlueMagic and various Chinese hackers, including APT41, fueling speculation of an ongoing relationship, HHS wrote.

DeepBlueMagic was implicated in an attack against Israeli government-owned Hillel Yaffa Medical Center, in 2021 that came amid a wave of cyber assaults targeting Israeli healthcare entities (see: More Attempted Cyberattacks on Israeli Healthcare Entities).

An attack on a French hospital in 2021 was loosely attributed to THT, based on the group's previous use of BestCrypt and BitLocker and other TTPs also used in that incident.

THT attacks appear to be carried out by taking advantage of "poorly protected remote desktop access and targeted medium to large servers," HHS said. The group is known to use various exploits to gain access into a victim's network, including CVEs against vulnerable VPNs, HHS said.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.