Who or what is DeepBlueMagic, and how did it manage to shut down the computer systems of a major Israeli hospital?
The entire network of Hillel Yaffe Medical Center in central Israel has been paralyzed after the hospital fell victim to a massive cyberattack last week.
Experts believe that a mysterious group of criminals working out of China used a new ransomware known as DeepBlueMagic to carry out the attack – the largest ever launched on the Israeli health sector.
While the attack was likely financially motivated and not state-sponsored, very little is known about the group of hackers or DeepBlueMagic, according to SentinelOne, a leading Israeli cybersecurity company that specializes in endpoint detection and response.
“It wasn’t seen before very widely in our region,” Matan Rudis, head of the Threat Intelligence Group at SentinelOne, explained to The Media Line. “Researchers attribute it to Chinese activity. It doesn’t mean that it’s a government activity of course; it could be completely criminal.”
Matan Rudis, head of the Threat Intelligence Group at SentinelOne, Oct. 19, 2021. (Maya Margit)
Ever since the attacks, Hillel Yaffe Medical Center has been unable to access patient files or update data. Experts estimate that it could take months for the hospital to get its computer systems fully back online.
Rudis believes that DeepBlueMagic will continue to make headlines.
“For many researchers, it was the first time we heard about this activity,” he said. “It has been a bit more active in the past few months so we can call it an emerging threat. It will probably get much more attention very soon.”
Earlier this week, Israel’s Health Ministry said it had noticed a dramatic increase in the number of attempted cyberattacks on the Israeli health care industry, with at least nine hospitals and organizations across the country being targeted in a matter of days.
The health sector overall has been a prime target for cybercriminals even since the start of the COVID-19 pandemic.
In fact, it suffers from twice as many attacks as any other industry.
“Hospitals are usually large organizations and the larger the organization is, the bigger the attack surface becomes,” Rudis explained. “That means that there are opportunities for the attacker to try to penetrate into the network just because it has more features in it and more services.”
At the moment, ransomware attacks are the most common type of cyber threat faced by hospitals. The goal of such attacks is first and foremost extortion: Cybercriminals infiltrate a computer system and block access to critical files and data, demanding that organizations pay a ransom to restore the system to its previous condition.
However, it is not only hospitals that are riding a wave of cybercrime.
The move to remote work environments as a result of the pandemic has created major challenges for cybersecurity across the board.
“What we’ve seen is a huge increase in cyberattacks, especially on critical infrastructure like hospitals,” Yevgeny Dibrov, CEO and co-founder of Armis Security, told The Media Line.
Armis Security, a company that protects more than one billion devices worldwide, was founded in Israel in 2015 and is currently headquartered in Palo Alto, California.
“When there is more of a remote workforce, more digital transformation and more connected [devices] in the environment – then there are more cyberattacks,” Dibrov said.
In hospitals, improperly secured medical devices are particularly vulnerable to such threats.
Also known as medical IoT (Internet-of-Things) devices, this equipment often transmits sensitive patient data and includes applications such as insulin pumps, wearable health trackers, blood glucose monitors, asthma inhalers, diagnostic machines and even pacemakers.
“If you look at an MRI machine it’s basically like a computer running [old] Windows XP, which is super vulnerable,” Dibrov affirmed. “There’s no real protection for it so attackers are looking for the weakest link.”
For his part, Matan Rudis of SentinelOne argues that health care organizations need to take greater steps to ensure that their networks – and their patients – remain safe.
“Ransomware is definitely going to be a serious threat also in the next few years,” he said. “The more we share about incidents and the activity that we see – and the insights that we have from campaigns – the better the entire security community can prepare counter-measures and prevent or minimize the risks of similar events in the future.”