The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good

This week, an aeronautics firm holding contracts with NASA, the U.S. Department of Defense, and other federal agencies agreed to pay $9 million to settle a whistleblower lawsuit alleging that the firm misrepresented its cybersecurity compliance posture when bidding for and performing key federal government contracts.

According to a statement from the U.S. Justice Department, the firm in question, Aerojet Rocketdyne Inc., faced allegations that these misrepresentations violated the False Claims Act, which holds people and organizations that defraud government programs liable for the resulting losses. The False Claims Act also includes whistleblower provisions that permit a private party to file a lawsuit on behalf of the U.S. and receive a portion of any recovered funds.

Source: U.S. Department of Justice

In this case, Brian Markus, a former Aerojet employee, brought the claims to court, and the parties reached a settlement on the trial’s second day. In the statement, the U.S. Attorney for the Eastern District of California welcomed the settlement, saying, “The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act.”

The settlement is a welcome result for the Justice Department’s Civil Cyber-Fraud Initiative, which was established to hold accountable contractors and grant recipients who knowingly put U.S. systems and data at risk. It also shows that both individuals and governments are treating cybersecurity compliance as an enforceable obligation rather than a paperwork exercise, a step toward a more secure cyber landscape.

The Bad

This week, an IT solutions provider that supports 15,000 technology partners disclosed a breach that took place over the Fourth of July holiday weekend. According to the disclosure and a timeline pieced together by security researchers, cyber criminals launched a “coordinated and professional” malware attack against SHI International, an MSP based in Somerset, New Jersey.

SHI responded on July 6th with a disclosure stating that the “incident was swiftly identified and measures were enacted to minimize the impact on SHI’s systems and operations.” By July 8th, it was working with the FBI, CISA, and a digital forensics team to investigate the attack. So far, SHI has reported no evidence that customer data was accessed or that third-party systems were breached.

Although some services, such as staff email for SHI’s more than 5,000 employees and customer-facing systems, were restored by the 6th, it took a week for SHI to recover the remainder of its systems, including its public website. At the time of publication, SHI had not said whether it had identified the attacker.

This attack comes on the heels of a joint advisory from CISA and its counterpart cybersecurity authorities in the UK, Australia, Canada, and New Zealand warning of increasing threats against MSPs. The advisory sets out best practices that MSPs and their customers can adopt, since attackers who compromise an MSP can use its privileged access to launch supply chain attacks against the MSP’s downstream business customers and their end-user systems.

The Ugly

According to disclosures this week, attackers associated with the Conti ransomware gang carried out, back in February, what has turned out to be one of the biggest health data breaches of 2022.

Earlier this month, Professional Finance Company, a healthcare debt collection firm known as PFC, disclosed that it had suffered a ransomware attack earlier this year. PFC works with healthcare organizations to collect outstanding balances and unpaid bills from their customers and patients, which means it holds billing and identity data on behalf of a large number of providers.

According to disclosures filed by the firm this week and separate filings with the U.S. Department of Health and Human Services, the attack affected more than 650 healthcare providers and more than 1.91 million patients. The attackers accessed patient names, addresses and outstanding balances and, in the worst cases, more sensitive PII, including Social Security numbers, health insurance information, medical treatment information, and dates of birth.

To make matters worse, two of PFC’s healthcare clients have also filed their own breach notifications, with a firm in Delaware reporting that 17,481 of its patients were affected by the PFC breach and a Texas organization reporting 1,159 affected patients.

Conti ransomware operators have previously shown that they are willing and able to mount sophisticated attacks on healthcare organizations, most notably in their 2021 attack on Ireland’s public health service, the Health Service Executive (HSE). The PFC incident is the second largest health data breach of 2022, exceeded only by a March 2022 breach at another healthcare organization. As security professionals, we can only continue to publish our research and remind organizations, and the third parties that hold their data, to stay vigilant against the latest threats by tightening their security posture.