'Ransomware' attack hit U.S. medical devices, too

May 18, 2017
by Thomas Dworetzky, Contributing Reporter
Another shoe appeared to have dropped in the possibly-North-Korean-tied WannaCry ransomware attack: beyond PCs, it looks like actual medical devices may have been infected, as well.

A report in Forbes magazine has revealed “an image of an infected Bayer Medrad device in a U.S. hospital.”

The unnamed source who had sent the image to the magazine didn't identify either the institution or the model of the Bayer machine. But, according to the magazine, it looked to be a Bayer power injector.

Bayer confirmed to the publication that two reports from U.S. customers had come in concerning devices infected with ransomware. “Operations at both sites were restored within 24 hours,” the spokesperson said. “If a hospital's network is compromised, this may affect Bayer's Windows-based devices connected to that network.”

The company advised customers to work with Bayer's Technical Assistance Center "to ensure continued support of contrast-enhanced radiology procedures which use Bayer power injectors."

The good news, according to Beau Woods, deputy director of Cyber Statecraft Initiative at the Atlantic Council, is that although the hacking might disable the machines, it was unlikely that patients would be put at risk. "I seriously doubt Windows is controlling any of the safety functions," he told Forbes.

He also noted on Twitter that when such infections cause medical device outages, this leads to a rise in resource needs, delays in care, and more clinical mistakes. “The harm can go unseen unless you look for it,” he tweeted.

The Bayer devices are the first reported cases of medical device operation impacted by ransomware, according to Forbes.

As the hacking code is further investigated by cybersecurity experts, the thinking now is that there was North Korean involvement in the attack.

As reported last week when the attack broke, the tools were first leaked by a group known as the Shadow Brokers.

Since then, BAE Systems has discovered “multiple overlaps between the WannaCry malware and that controlled by the Lazarus Group, which the firm associated with North Korean activity,” said the magazine.

Warnings from health care firms have come out in recent days, urging clients to be on alert and announcing that the firms are working on ways to protect against infection.

Another possible victim of the attack is Siemens Healthineers, although the company would not “confirm or deny reports” to Forbes.

However, it did note in an advisory issued on its website that “Siemens Healthineers recognizes that some of its customers may be facing impact from the recent major cyberattack known as ‘WannaCry’.”

“Select Siemens Healthineers products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware,” says a Siemens security bulletin. “The exploitability of any such vulnerability depends on the actual configuration and deployment environment of each product.”

In an update, Siemens Healthineers also highlighted its response in the U.K. to the attack, stating, “we have been working alongside our customers and N.H.S. Digital since we became aware of the ransomware attack on Friday afternoon. This is an emerging situation and our focus is on restoring system operation, as soon as possible, but without compromising on quality. Engineers have been working at affected sites and will remain in constant contact with customers until systems are restored.”

Since the ransomware broke out last Friday, it has spread to more than 150 countries and 300,000 machines, according to numerous reports.

“The attack, dubbed 'WannaCry', is initiated through an SMBv2 remote code execution in Microsoft Windows,” Kaspersky Lab detailed. “This exploit [codenamed 'EternalBlue'] has been made available on the internet through the Shadow Brokers dump on April 14th, 2017, and patched by Microsoft on March 14.”

The remote execution tool used to “ransom” the systems was part of the cache of hacking tools stolen from the N.S.A. and appearing online since 2016.

The N.H.S. appears to have been particularly vulnerable to the hacking because of its widespread use of the now-unsupported and vulnerable Microsoft Windows XP operating system.