Health and Human Services Organization Discloses Ransomware Attack and Breach from Early 2022
On January 5, 2023, Maternal & Family Health Services (MFHS) disclosed that it suffered a ransomware attack on April 4, 2022, and that unauthorized actors had access to its systems before the attack, beginning on August 21, 2021, roughly seven and a half months before the ransomware was deployed. MFHS is a private non-profit health and human services organization serving Northeast Pennsylvania. The organization confirmed that breach notification letters began going out on January 3, 2023, to those potentially impacted, including current and former employees, patients, and vendors. The information that may have been compromised includes, but is not necessarily limited to, names, addresses, dates of birth, driver's license numbers, Social Security numbers (SSNs), financial account and payment card data, usernames, passwords, medical information, and health insurance information. MFHS currently has no evidence that the compromised data has been misused, and no ransomware group has yet been attributed to the April 2022 attack. CTIX analysts will continue to monitor for developments and update accordingly.
Threat Actor Activity
Cold River Threat Actors Target United States Nuclear Research Labs
Recent research has revealed that Russian threat actors targeted several United States nuclear research laboratories in late summer 2022. The activity is attributed to Cold River (also tracked as Callisto and TAG-53), a Russian state-sponsored group known for cyberespionage operations. The group's links to the Russian state reportedly surfaced when data trails led back to an IT employee in Syktyvkar named Andrey Korinets; several email addresses tied to Korinets were used in connection with Cold River operations between 2015 and 2020 and in discussions on several Russian dark web forums. Between August and September 2022, Cold River ran a social engineering campaign against nuclear scientists, using fake login portals to harvest credentials. Specifically, the actors cloned the login pages of Argonne, Brookhaven, and Lawrence Livermore National Laboratories and distributed links to them in phishing emails. It has not been determined whether any further compromise resulted from this campaign or why these facilities were specifically targeted. More recently, Cold River registered several domain names imitating non-governmental organizations investigating war crimes in the Russia/Ukraine conflict. CTIX will continue to monitor for any fallout from these campaigns and provide additional updates accordingly.
Okta Auth0 Patches Critical RCE Vulnerability Impacting a Widely Used Open-Source Library
- Bleeping Computer: CVE-2022-23529 Article
- Dark Reading: CVE-2022-23529 Article
- GitHub: CVE-2022-23529 Advisory
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.