In a recent testimony before the House Energy and Commerce Committee, Andrew Witty, CEO of UnitedHealth Group, provided an in-depth overview of the devastating cyberattack on Change Healthcare, detailing the methods used by the attackers and the company's response to protect critical healthcare services and data.
Method of attack
The cyberattack was carried out by the cybercriminal group known as ALPHV, or BlackCat, which targeted Change Healthcare—a key component of UnitedHealth Group following its acquisition. On February 12, the attackers used compromised credentials to access a Citrix portal utilized by Change Healthcare. Notably, this portal lacked multi-factor authentication (MFA), a critical security measure. The absence of MFA allowed the perpetrators to log in remotely with stolen credentials alone and then move laterally within the network. This initial breach led to the exfiltration of data and culminated in the deployment of ransomware nine days later.
Witty described the attack's methodology in detail, noting, “Criminals used compromised credentials to remotely access a Change Healthcare Citrix portal. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
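The control gap described above is the kind a defender can audit for directly: a remote-access portal's authentication log should never show successful logins without a verified second factor. The script below is an added example, not code from the article, UnitedHealth Group or Citrix; its key=value log format, the field names (`ts`, `user`, `src`, `result`, `mfa`) and every value in `SAMPLE_LOG` are constructed for illustration, and a real gateway's log schema will differ. It parses the lines, flags successful logins that lacked MFA (treating a missing `mfa` field as "no second factor"), and produces a per-account summary a team could use to drive enforcement.

```python
# Added example: audit a remote-access gateway's authentication log for
# successful logins that completed without a second factor. The log format
# (key=value pairs per line) and every value in SAMPLE_LOG are constructed for
# this illustration; they are not Change Healthcare's or Citrix's real logs.
from collections import defaultdict
from dataclasses import dataclass
import shlex


@dataclass(frozen=True)
class LoginEvent:
    ts: str        # ISO-8601 timestamp as logged
    user: str      # account name
    src_ip: str    # client address seen by the gateway
    result: str    # "success" or "failure"
    mfa: bool      # True only if a second factor was verified


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed 'key=value key=value' log line into a LoginEvent."""
    fields = dict(token.split("=", 1) for token in shlex.split(line))
    return LoginEvent(
        ts=fields["ts"],
        user=fields["user"],
        src_ip=fields["src"],
        result=fields["result"],
        # A missing mfa field is treated as "no second factor": absence of
        # evidence of MFA is the condition we want to surface, not hide.
        mfa=fields.get("mfa", "false").lower() == "true",
    )


def parse_log(text: str) -> list[LoginEvent]:
    """Parse a whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def logins_without_mfa(events: list[LoginEvent]) -> list[LoginEvent]:
    """Successful authentications where no second factor was verified."""
    return [e for e in events if e.result == "success" and not e.mfa]


def per_user_summary(events: list[LoginEvent]) -> dict[str, dict[str, int]]:
    """Count, per account, total successes and successes that lacked MFA."""
    summary: dict[str, dict[str, int]] = defaultdict(
        lambda: {"total_success": 0, "success_without_mfa": 0}
    )
    for e in events:
        if e.result != "success":
            continue
        summary[e.user]["total_success"] += 1
        if not e.mfa:
            summary[e.user]["success_without_mfa"] += 1
    return dict(summary)


def accounts_to_enforce(events: list[LoginEvent]) -> list[str]:
    """Accounts that have logged in without MFA, sorted for a report or ticket."""
    return sorted({e.user for e in logins_without_mfa(events)})


# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
# The last line deliberately omits the mfa field to exercise that edge case.
SAMPLE_LOG = """\
ts=2024-02-12T03:14:07Z user=svc-remote src=203.0.113.45 result=success mfa=false
ts=2024-02-12T03:15:22Z user=jdoe src=198.51.100.7 result=success mfa=true
ts=2024-02-12T03:16:40Z user=svc-remote src=203.0.113.45 result=success mfa=false
ts=2024-02-12T04:02:11Z user=asmith src=192.0.2.9 result=failure mfa=false
ts=2024-02-12T04:05:50Z user=asmith src=192.0.2.9 result=success
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in logins_without_mfa(events):
        print(f"{e.ts} {e.user} from {e.src_ip}: success without MFA")
    print("enforce MFA for:", accounts_to_enforce(events))
```

Running this on the constructed sample flags both `svc-remote` logins and the `asmith` login whose record carries no `mfa` field at all. The design choice worth copying is the default in `parse_line`: when a log does not positively record that a second factor was checked, the event is counted as unprotected, so a gateway that silently stops emitting the field shows up as a regression rather than disappearing from the report.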
Change Healthcare's response
Upon discovery of the intrusion at Change Healthcare, UnitedHealth Group took decisive action to contain the threat. “Not knowing the entry point of the attack at the time, we immediately severed connectivity with Change's data centers to eliminate the potential for further infection,” explained Witty. This swift isolation of the infected systems was crucial in preventing the malware from spreading beyond Change Healthcare to the broader UnitedHealth Group network.
The response team, including specialists from Google, Microsoft, Cisco, Amazon, Mandiant, and Palo Alto Networks, worked relentlessly to rebuild Change Healthcare's technology infrastructure. This collective effort involved replacing thousands of laptops, rotating credentials, and reconstructing the data center network and core services.
Impact and ongoing efforts
The repercussions of the attack at Change Healthcare were felt across the healthcare system, from pharmacists manually submitting claims to rural family medicine practices struggling to make payroll.
Witty expressed deep regret for the impact on patients and providers, stating, “From the moment I learned of the intrusion, I felt a profound sense of responsibility to do everything we could to preserve access to care and support our customers and clients.”
In his closing remarks, Witty reaffirmed UnitedHealth Group's commitment to bolstering cybersecurity measures and collaborating with law enforcement, policymakers, and industry partners to enhance the resilience of America's healthcare infrastructure against cyber threats.
The executive emphasized that system restoration is progressing smoothly, with most of the impact already mitigated. The one exception is the payment processing component, which is currently handling 86% of the volume it processed before the attack.