HHS Says ‘Obscure’ Group Has Resurfaced, Hitting a Cancer Center
Federal authorities are warning the healthcare sector of an apparent resurgence of TimisoaraHackerTeam threats after a recent attack by the “obscure” ransomware group on a U.S. cancer center.
The Department of Health and Human Services does not identify the U.S. cancer center that THT allegedly victimized this month, but says the attack “significantly reduced patient treatment capability, rendered digital services unavailable and also threatened exposure of patient protected health information and personally identifiable information.”
The TimisoaraHackerTeam, or THT, is a “relatively unknown” threat actor that was discovered by security researchers in 2018 and has previously attacked healthcare sector entities globally, warns the alert issued Friday.
“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and effective technique of encrypting data in a target environment has paralyzed the healthcare and public health sector,” the alert says.
THT’s source code appears to be produced by Romanian speakers, and the group’s name comes from Timisoara, a Romanian town, HHS said. Like most ransomware groups, THT appears to be financially motivated, often demanding ransoms in bitcoin in exchange for decrypting the servers it has encrypted.
Security experts warn that ransomware attacks in clinical settings have negative outcomes for patient health. A September 2021 alert by the Cybersecurity and Infrastructure Security Agency links cyberattacks to increased patient mortality.
“Rather than use custom-built tools to encrypt the files of victims like many ransomware groups, THT’s characteristic tactic of abusing legitimate tools like Microsoft BitLocker and Jetico’s BestCrypt makes them unique among threat actors,” HHS wrote.
THT’s use of those “living off the land” tools – including BitLocker and BestCrypt – makes detection more difficult.
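Because the encryption is performed by legitimate tools, a signature on the binary itself is of little use; what stands out is a server that suddenly starts enabling BitLocker or launching a third-party volume-encryption product when encryption is not part of its provisioning. The following detection logic is an added example, not code from HHS or the alert: it runs over constructed, flattened process-creation records (the fields of Windows Security event 4688, which only carries command lines when command-line auditing is enabled), flags `manage-bde.exe` or `Enable-BitLocker` invocations that start encryption or add key protectors, and flags any process launched from an assumed BestCrypt install path, skipping a constructed allowlist of hosts where encryption is expected.

```python
import re
from dataclasses import dataclass

# Hosts where enabling disk encryption is normal (constructed allowlist;
# in practice sourced from the CMDB or endpoint-management inventory).
EXPECTED_ENCRYPTION_HOSTS = {"IT-LAPTOP-BUILD01"}

# manage-bde.exe switches that start encryption or change key protectors,
# plus the equivalent PowerShell cmdlet. Status queries are deliberately ignored.
BITLOCKER_ENABLE = re.compile(r"(?i)(\s-on\s|\s-protectors\s+-add\s|Enable-BitLocker)")
# Assumed install-path fragment for Jetico BestCrypt; adjust to your own image inventory.
BESTCRYPT_PATH = re.compile(r"(?i)\\jetico\\|bestcrypt")

# Constructed sample records (flattened 4688-style fields, not real EVTX/XML).
SAMPLE_EVENTS = [
    r'ts=2023-06-10T02:13:07Z host=ONC-DB01 user=svc_backup image=C:\Windows\System32\manage-bde.exe cmd="manage-bde -on D: -UsedSpaceOnly -RecoveryPassword"',
    r'ts=2023-06-10T02:13:09Z host=ONC-DB01 user=svc_backup image=C:\Windows\System32\manage-bde.exe cmd="manage-bde -protectors -add D: -RecoveryPassword"',
    r'ts=2023-06-10T02:15:40Z host=ONC-FS02 user=admin_t image="C:\Program Files\Jetico\BestCrypt\BestCrypt.exe" cmd="BestCrypt.exe"',
    r'ts=2023-06-10T09:00:02Z host=IT-LAPTOP-BUILD01 user=deploy image=C:\Windows\System32\manage-bde.exe cmd="manage-bde -on C: -RecoveryPassword"',
    r'ts=2023-06-10T09:30:11Z host=ONC-DB01 user=dba image=C:\Windows\System32\manage-bde.exe cmd="manage-bde -status D:"',
    r'ts=2023-06-10T23:41:55Z host=ONC-APP03 user=svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -c Enable-BitLocker -MountPoint D: -UsedSpaceOnly"',
]

@dataclass
class Alert:
    host: str
    user: str
    reason: str
    cmd: str

def parse_event(line: str) -> dict:
    """Parse one flattened key=value record; quoted values may contain spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}

def detect(lines):
    """Return alerts for disk-encryption tooling launched where it is not expected."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("host") in EXPECTED_ENCRYPTION_HOSTS:
            continue
        image = ev.get("image", "")
        cmd = ev.get("cmd", "")
        padded = f" {cmd} "  # lets the \s-on\s pattern match a leading switch
        if image.lower().endswith(("manage-bde.exe", "powershell.exe")) and BITLOCKER_ENABLE.search(padded):
            alerts.append(Alert(ev["host"], ev["user"], "bitlocker-enable", cmd))
        elif BESTCRYPT_PATH.search(image):
            alerts.append(Alert(ev["host"], ev["user"], "bestcrypt-launch", cmd))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host:12} {a.user:11} {a.reason:17} {a.cmd}")
```

Pairing the alert with a check of whether the host previously had any BitLocker protectors (for example via `manage-bde -status` in the baseline) separates a first-time encryption of a server volume from routine key rotation.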
The group’s methods suggest possible connections with other threat actors such as DeepBlueMagic and various Chinese hackers, including APT41, fueling speculation of an ongoing relationship, HHS wrote.
DeepBlueMagic was implicated in a 2021 attack against the Israeli government-owned Hillel Yaffe Medical Center, which came amid a wave of cyber assaults targeting Israeli healthcare entities (see: More Attempted Cyberattacks on Israeli Healthcare Entities).
An attack on a French hospital in 2021 was loosely attributed to THT, based on the group’s previous use of BestCrypt and BitLocker and other TTPs also used in that incident.
THT attacks appear to be carried out by taking advantage of “poorly protected remote desktop access and targeted medium to large servers,” HHS said. The group is known to use various exploits to gain access to a victim’s network, including CVEs against vulnerable VPNs, HHS said.