WannaCry, NotPetya, and Cyberwarfare's Threat to Healthcare

Ryan Black
JUNE 11, 2018

Who Perpetrated the Attacks?

Speculation that other nations were behind both of the cyberattacks began almost immediately, although their motives and mechanisms were decidedly different.

NotPetya had originated in Ukraine immediately before a national holiday, Constitution Day. The virus had been planted in M.E.Doc, a Ukrainian tax-filing program, and leapt quickly across the world, through trusted connections between companies that do business there.

Within a week, Ukraine’s counterintelligence agency issued a statement accusing Russia of the incident. The timing—just before a national day off, when it would be harder to remediate—and the culprit—the country that had been not-so-discreetly meddling in Ukraine for more than 3 years—made the attribution obvious to many in the cybersecurity community.

“The main purpose of the virus was to destroy important data and to disrupt the work of public and private institutions in Ukraine to spread panic among the population,” Ukrainian intelligence wrote. The White House followed suit this past February, claiming that the attack was “part of the Kremlin’s ongoing effort to destabilize Ukraine.”

It didn’t take long to tap a suspect in the WannaCry case, either. Days after it hit, a Google researcher tweeted about elements in the malware’s code that linked it to Lazarus, a hacker group believed to be tied to North Korea. In December 2017, however, the United States and United Kingdom formally accused the hermit kingdom of launching the virus, though some experts remain skeptical of North Korea’s involvement. In a Wall Street Journal editorial, Thomas P. Bossert, JD, a White House assistant for homeland security and counterterrorism, called the attack “indiscriminately reckless.” Noting its effects on the NHS, he claimed WannaCry “put lives at risk.”

But the differences between the 2 attacks were as pronounced as their similarities. Insiders with knowledge of the incidents and the US government’s response described them to HCA in starkly different terms: WannaCry was “sloppy.” NotPetya was “elegant.” (These sources requested anonymity due to their positions and the sensitive nature of the subject.)

North Korea’s attack exploited the much-publicized EternalBlue Windows exploit, a US National Security Agency trick that the hacker group Shadow Brokers released in April 2017. In response, Microsoft broke from policy and issued patches for unsupported operating systems like Windows XP. So it wasn’t that the world lacked an answer to WannaCry; it was that, as usual, the patches went widely ignored.

NotPetya was decidedly more intricate, according to experts, and its spread was better calibrated. It didn’t slam through every vulnerable system. Rather, it used M.E.Doc to gain a foothold before slithering deeper into networks by impersonating users and changing permissions. And it did so quickly, although it perhaps traveled farther than intended. Both Maripuri and another expert said the virus was destined only for Ukraine, given programming features that identified location based on factors like IP address and system language. But the malware spread despite them. “Of course it escaped, right?” one expert mused. Nuance’s system, for example, became infected through a “trusted development partner” based in Ukraine, Maripuri said.

WannaCry didn’t have any geographic controls, but it might have contained an intentional ransomware component, although paying up often didn’t earn victims an unlock key. The virus’s “killswitch” was discovered almost instantly, and months after the attack, only $143,000 had been withdrawn from its associated bitcoin wallet, an unimpressive amount given the attack’s scale. And although NotPetya locked up infected systems with a ransomware interface, analysis suggests it never meant to return victims’ data. The unlock keys that it created were all destroyed as the virus spread.

The reasons both presented as ransomware, some speculated, were subterfuge and plausible deniability. Why would a nation expose its best cyberweapons when a slapdash virus like WannaCry could cause so much harm? And since companies expect to be hit by ransomware these days, why not try to blend in with all of the other criminals?

The Losses We Can’t Quantify

One day before Shadow Brokers leaked EternalBlue, the New England Journal of Medicine published a study on the effects of major urban marathons on emergency mortality rates. The idea was that delays in care caused by interrupted ambulance routes could harm patients undergoing time-sensitive medical events, like heart attacks and strokes.

The study found that patients who experienced myocardial infarction or cardiac arrest faced longer ambulance rides on marathon days—by more than 4 minutes, on average. They also suffered higher 30-day mortality rates than those hospitalized for the same reasons on nonmarathon days.

What does this have to do with international cyberterrorism? “Degraded and delayed patient care delivery affects mortality rates, period,” a cybersecurity expert told HCA. They said it wasn’t a question of whether WannaCry and NotPetya killed people. It was a question of how many.

Efforts are underway to quantify the lives lost to WannaCry in the United Kingdom, where the cyberattack shut down clinics, diverting ambulances and canceling roughly 20,000 appointments, including some urgent referrals, the BBC reported. No government official or researcher has yet published a casualty count.

It could be difficult or impossible to quantify the effect NotPetya might have had on mortality rates in the United States. Nuance doesn’t have access to any such data, Maripuri said. But the possibility is there, given the complexity of American healthcare. Sure, the loss of transcription services wasn’t going to close emergency departments. Delayed appointments, stressed and overworked doctors, and documentation errors that led to missed diagnoses, however?

“People don’t like talking about that,” the source said. “They want to see the smoking gun: This attack killed this many people thanks to a specific flaw in a specific pacemaker. While we’re looking for CSI-level certainty, we’re ignoring public health issues. You can have material swings in mortality rates when you have the large-scale outage of something like Nuance.”
