After finance, cyber threat actors turning to healthcare
Financial data, such as payment card information, has many established markets. The going price for a single record (a full package of an individual’s identifying information, with names, social security numbers, birth dates, and account numbers) ranges from $14 to more than $25. Less established sellers have low introductory prices. Intel Security has recently seen around $20 per record for small-scale purchases.
Wholesale prices can be even lower, as low as $3 per card sold in bulk. Medical records, on the other hand, appear to be highly variable and range from a fraction of a cent to $2.42 per record. This price is significantly lower than individual payment card prices but only slightly less than wholesale card prices.
Do these prices mean medical data is not worth as much as financial data? Perhaps, but the markets are different. Some sellers have taken advantage of parallel markets to increase their profits. On the underground market forum AlphaBay, the user Oldgollum sold 40,000 medical records for $500 but specifically removed the financial data, which was sold separately.
Oldgollum is essentially double-dipping to get the most from both markets. Financial data can also be sold in individual records or in bulk. Medical data appears to be sold only in bulk at this time, which reduces the per-record price to something near the wholesale prices of cards. Certainly, medical data adds value to the transaction. The sellers aim to ensure they extract maximum profit from both markets and do not expect to sell at a premium to either side.
Financial data is not the only type of data Intel Security can use to compare market dynamics. Take, for example, two recent social media account dumps, both sold in bulk at between 65 million and 167 million accounts, but fetching only fractions of a penny per record. Even more recent leaks involving Bitcoin forums have similar per-record pricing. The medical data prices we found exceed this amount but do not yet reach the rates of established markets such as payment cards.
The stolen medical data market still appears to be taking shape, but the current ecosystem already has a higher per-record value than markets for non-financial account data. Is medical data worth more? It seems to be worth something between traditional database dumps and payment card data. If the medical data contains financial data, it appears to be more profitable to sell them separately rather than together.
When McAfee Labs published the research report Cybercrime Exposed, the concept of cybercrime-as-a-service was a relatively new idea. The fact that components of a cyberattack can be outsourced was not commonly known. Today this is old news, with cybercrime-as-a-service a very well publicised business model. This business model applies equally to the health care sector.
Intel Security can see cybercrime-as-a-service operating in the health care sector, with evidence that vulnerabilities are being sold and organisations are being compromised as a service. To put this in perspective, a non-technical cyber thief buys tools to exploit a vulnerable organisation, uses them with a little free technical support, and then extracts 1,000 records that could net him £12,000, about $15,564.
Cybercriminals today require little technical knowledge, only the means to pay for help from someone with the requisite experience. In fact, there are a multitude of sellers offering stolen data to buyers who do not need to get involved with direct attacks on organisations. Buyers of stolen data may have other motives, but from breach to resale of stolen data, the motivation of these attackers is clearly financial. Although personal or sensitive data has value, it is likely that intellectual property or other types of medical-related data have higher value.
Holding health care organisations ransom or targeting them for theft of personal data is a relatively recent phenomenon. Targeting biotechnology and pharmaceutical firms for theft of intellectual property appears to be considerably older. Early cases go as far back as 2008, with reports that data sought included drug trial information, chemical formulas, and confidential data for all drugs sold in the US market. Clearly, the economic value of such information is considerably higher than the cents-per-record market this and other reports have identified.
Opportunities like this apparently justify the cost of a cyber theft operation that employs hundreds of people and makes use of at least 1,000 servers. Such attacks have not entirely focused on private sector firms. For example, the US Food and Drug Administration has been among the most targeted agencies because of its role as the starting point for bringing new products to market.
To understand the scale of the attempted intrusions, a Freedom of Information Act request found 1,036 incidents had been reported between 2013 and 2015. Of those, half involved illegitimate, unauthorised access into Food and Drug Administration computers. Another 21% were classified as probes or scans, similar to phishing, and 19% were malware intrusions.
Malware appears to be a common attack vector in attempts to compromise biotech and pharma networks, but in other cases malicious insiders have been employed to extract data for gain. In one case, for example, the cyber thief intended to use the information to launch its own competitor companies.
The use of malware was discussed in a Form 8-K submission by Community Health Systems to the US Securities and Exchange Commission. They reported that sophisticated malware attacked the company’s system. The submission noted that the attacker sought valuable intellectual property, such as medical device and equipment development data. The forensic team in charge of the investigation reported that this group typically targets companies in the aerospace and defense, construction and engineering, technology, financial services, and healthcare industry verticals.
In most cases, spear phishing is the precursor to infection, as was demonstrated in an attack against the National Research Council. In this example, the attack began with the collection of valid email addresses for research council employees, according to a study conducted by the Canadian Cyber Incident Response Centre. The attack was followed by the installation of malware after the recipients clicked on malicious links.
Despite its simplicity, spear phishing appears to be a recurring theme even when the objective is the theft of intellectual property, trade secrets, and other sensitive or proprietary information.
Research continues into health care attacks whose aim is intellectual property theft. There is no doubt that pharmaceutical and biotech firms must remain vigilant because their most valued assets are in the spotlight of determined threat actors.
The examples of a hidden data economy for stolen medical data represent only the tip of an iceberg. However, cybercrime is merely an evolution of traditional crime.
When it comes to medical data, the ability to recover our information is considerably harder than with other data. When retail store Target was breached in 2013, victims had their compromised cards cancelled and new payment cards reissued. This limited the damage to individuals because the cards flooded the underground market and were quickly offered for sale. For medical data, and personal information, the recovery strategy is not quite as simple.
One troublesome issue with this topic is the lack of evidence pointing to the motivation behind the acquisition of stolen medical data. With payment card information, it has been documented that stolen card numbers are used to conduct fraud against the victims. In the course of investigations, Intel Security has identified instances where specific data is sought to verify the addresses of the victims. At present, specific uses for bulk data purchases of medical data have not been identified.
Raj Samani is Vice President and Chief Technology Officer of Intel Security for Europe, Middle East, Africa. Excerpted from the Intel Security report titled Health Warning, cyberattacks are targeting the health care industry.