Critical infrastructure verticals, such as financial services, insurance, and health care, are attractive targets for cybercriminals and APT groups. This is because of the type and amount of sensitive information they can obtain, the amount of money these organizations are perceived to have available, and the impact an attack would have.

This blog post leverages the Threat Actor Metric^™ developed by Optiv’s Global Threat Intelligence Center (gTIC) - a qualitative approach to determine an adversary or campaign’s potential risk to an organization or industry on a scale of 0 to 100. The metric considers known and assessed non-technical capabilities and intentions.

Financial Services

Due to extensive digital transactions, a large attack surface, and the impact a ransomware attack could have on financial services organizations, threat actors find this vertical an attractive target. Not only would an attack impact the organization’s revenue, but financial services organizations also host personally identifiable information (PII) of their customers, including names, addresses, social security numbers, phone numbers, email addresses, and more. PII is useful for threat actors to compose convincing social engineering attacks that can lead to the deployment of malware, exfiltrating data, and more. Clop is one notable ransomware group that has targeted this vertical.

Clop

Clop (aka Cl0p) has been active since February 2019 and is reportedly leverages an updated version of the CryptoMix ransomware from 2016. 6 suspected Clop members were arrested in Ukraine in June 2021, but the group’s criminal activities have continued. This supports Optiv gTIC’s assessment that despite government and law enforcement attention, ransomware operators have very little incentive to halt operations.

Clop ransomware operators manage their data leak website, >_CLOP^_-LEAKS. Of the 118 victims listed on Clop’s data leak site from June 01, 2022, to May 31, 2023, 17 of them (14.4%) are in the financial services vertical. In Q1 2023, Clop exploited CVE-2023-0669, the GoAnywhere vulnerability, to reportedly target 130 organizations. The group focused on stealing and holding data for ransom. This attack was similar to the Clop attack targeting Accellion FTA vulnerabilities in 2021. In Q2 2023, Clop operators exploited CVE-2023-34362, the MOVEit Transfer MTF solution vulnerability, to target hundreds of organizations. Initial access vectors vary depending on the Clop affiliate. Methods observed include phishing attacks, vulnerability exploitation, weak passwords, and exposed RDP.

Image

Figure 1: Threat Actor Metric^™ score for Clop Ransomware

Insurance

Insurance organizations often store large amounts of PII, conduct digital transactions, and have 24/7 available staff. APT and cybercriminal groups are attracted to this type of information and attack surface. Nearly every person needs some type of insurance and must provide PII that threat actors could leverage in convincing social engineering attacks. APT34 is one APT group found to target the insurance vertical.

APT34

APT34 (aka OilRig, IRN2, Helix Kitten, Cobalt Gypsy) is a state-associated threat group in operation since at least 2014 with attacks attributed to them dating back to 2012. The group is most known for sophisticated social engineering scams designed to enable initial access. Their motivation is believed to be establishing access to target networks, conducting supply-chain compromise, and moving laterally to other targets. APT34 has been associated with destructive wiper attacks against the energy and industrial control systems (ICS) industries.

In 2022, APT34 reportedly conducted a campaign leveraging multiple payloads to harvest credentials from targeted victims across multiple verticals in the Middle East. It is likely that APT34 has gained access to more organizations, including insurance organizations, and then offered that access to other threat groups. These attacks would likely be attributed to the other groups conducting the activity, rather than APT34.

Image

Figure 2: Threat Actor Metric^™ for APT34

Health Care

Health care organizations typically cover a diverse range of specialist fields and maintain multiple geographical locations for separate clinics and hospitals. A single organization can have thousands of workstations, specialized medical devices, specialist software, and mobile and cloud-based services. Multiple employees and volunteers with generic or shared credentials can use these workstations. Such factors create a large attack surface for threat actors to target and obtain sensitive information. The BianLian ransomware group has notably targeted health care organizations.

BianLian

BianLian ransomware, which has been active since at least July 2022, is written in Go, Google’s open-source programming language. BianLian likely gets its name from the ancient dramatic art originating from China, where performers quickly alternate costume face masks “in the blink of an eye”—possibly alluding to the speed of a ransomware attack. The operators are known for double extortion attacks and leverage a custom toolkit, including homemade encryptors and encryption backdoors. The group appears to extensively research their victims in order to tailor the threats. Initial access vector includes vulnerability exploitation, remote desktop protocol (RDP), and weak credentials. The group has been observed dwelling on a victim network for up to 6 weeks prior to stealing data and encrypting files.

In April 2023, BianLian named a U.S.-based ophthalmology provider on their data leak site and claimed to have stolen 170GB of files, including health information of patients, financial data of the practice, and human resources files. The incident was reported to HHS and reportedly affected nearly 36,000 patients. In May 2023, BianLian listed 4 U.S.-based health care providers on their data leak site. These included a clinic provider, an oncology provider, an ENT specialist, and a non-profit offering health care services to intellectually disabled adults and children. The group claimed to have stolen hundreds of GB of files, including patient data, employee data, financial data, and more.

Outlook

Despite government/law enforcement attention on ransomware operations and facilitators, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt throughout 2022 and into 2023. They are assessed to focus on continuing to build infrastructure and capabilities around themselves as one-stop shops, with less reliance on marketplaces and forums. This includes a shift from encryption to the theft of data that is stolen and held for ransom. Both Clop and BianLian operators have been observed conducting attacks in this manner, which makes the attack faster and still gives the threat actors leverage to begin negotiations.

Optiv’s gTIC assesses with Moderate Confidence that state-sponsored adversaries will increase the use of destructive wiper malware and ransomware as part of their campaigns over the next 12 months. Although the overall probability of a targeted state-sponsored attack across all verticals and organizations is Unlikely, the financial services and health care verticals have a historical record of being targeted by state-sponsored APT groups.

There’s More

APT and ransomware groups targeting the financial services, insurance, and health care verticals is not new news, but if you’re interested in learning how this all ties together, how these groups overlap, and how protecting your organizations from one of these threats helps mitigate the threat from the others, check out our whitepaper vertical series: gTIC Vertical Series: Financial Services, Insurance, & Health Care.