Initial Indications and Reporting: August 2023
Reassessment Trigger: Revisiting Past Events
After hearing public reports about the intentions of the adversary group, the Bunnyville Hospital recalled an incident several months earlier that hadn’t been reported to any authorities. An employee was caught bringing a thumb drive into a server room, violating organizational IT policy. This same individual committed a second violation when he connected his smartphone to his desktop workstation via a USB cable. Bunnyville Hospital terminated the employee following the second violation of IT policy.
At the time, Bunnyville Hospital did not consider the incident more than an internal matter. However, after a series of unexplained systems crashes and performance issues coinciding with the public reporting concerning UA, the Bunnyville Hospital re‐evaluated the significance of past events and filed a report.
Speculation on UA’s Potential Impact Vectors
Following the reporting of the Bunnyville Hospital event (and other reports received from an unknown number of similarly impacted entities), and considering the UA announcements, multiple independent security researchers and security bloggers are speculating about potential attack vectors and resulting impacts. Some of the assertions include the ability to:
• “Own” a wide variety of internet-connected consumer devices (gaming consoles, televisions, digital video recorders, security systems, surveillance systems, and Voice over Internet Protocol (VoIP) phones);
• Enable the microphones and cameras on these devices;
• Use these devices in denial-of-service-type attacks;
• Create a distributed supercomputer; and
• Create a cloud storage network.
Fundamentally, these researchers suggest potentially long-lasting security implications from internet-connected devices.
CISA and US-CERT Reports: Conference Room Phone Anomalies
CISA and the United States Computer Emergency Readiness Team (US-CERT) receive reports concerning a recent evaluation of conference room phone systems used by numerous organizations at all levels of the public and private sectors. The reporting indicates the phones have been surreptitiously placing outgoing calls on their own. There is no visual indication of these calls, as the phones do not “light up”; employees only noticed the phones were in use when they tried to place an outgoing call themselves. Bunnyville Hospital is looking into what number(s), if any, are being dialed from its phones, as this is occurring daily.
Key Issues
• Unbeknownst to Bunnyville Hospital, a former employee installed a Trojan horse on the server, preset to execute on a specific date and time.
• Researchers suggest long-lasting security implications from internet-connected devices.
• US-CERT reports show that conference phones across multiple organizations in the public and private sectors placed outgoing calls on their own.
Scenario 2: Part 2
Initial Indications and Reporting: September 2023
September 9
Information Security Officers (ISOs) at Bunnyville Hospital have been reporting to the Bobsville emergency manager that the network is experiencing sporadic system slowdowns and degradation of administrative operations. They have been unable to determine the cause or extent of the problem and are working to fix it.
September 10
Departmental-level flow analysis from several critical infrastructure providers in Bobsville shows business functions and networks generating traffic to unknown sites during traditionally low-traffic periods.
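The inject above describes the kind of flow-level detection a provider's network team would run: aggregate NetFlow-style records, keep only those that fall in the department's normally quiet hours and go to destinations outside its known baseline, and alert when the volume is large enough to matter. The script below is an added example and is not part of the exercise materials; the baseline networks, the off-hours window, the byte threshold and the flow records are all constructed assumptions chosen to illustrate the technique.

```python
"""Flag off-hours flows to destinations outside a known baseline.

Added example, not part of the exercise scenario. All networks, hours,
thresholds and flow records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed baseline: the department normally talks only to internal hosts
# and one documented partner range (hypothetical values).
KNOWN_DESTINATIONS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Assumed "traditionally low traffic" window for this department: 22:00-05:59.
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))

# Assumed alert threshold: total bytes from one source to one unknown
# destination during off hours in the analysed window.
BYTE_THRESHOLD = 1_000_000

# Constructed NetFlow-style export: timestamp,src,dst,dst_port,bytes
SAMPLE_FLOWS = """\
2023-09-10T02:13:41,10.20.5.17,198.51.100.23,443,734212
2023-09-10T02:14:02,10.20.5.17,198.51.100.23,443,512087
2023-09-10T03:05:10,10.20.5.44,203.0.113.8,443,20480
2023-09-10T09:30:00,10.20.5.17,198.51.100.23,443,2097152
2023-09-10T02:40:19,10.20.7.9,192.0.2.77,8080,4096
"""


def parse_flows(text):
    """Parse comma-separated flow records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_known(dst):
    """True if the destination falls inside one of the baseline networks."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_DESTINATIONS)


def find_off_hours_unknown(flows, threshold=BYTE_THRESHOLD):
    """Sum bytes per (src, dst) for off-hours flows to unknown destinations.

    Returns {(src, dst): total_bytes} for pairs at or above the threshold.
    Business-hours traffic and traffic to baseline networks is ignored, so a
    single large daytime transfer to the same host does not by itself alert.
    """
    totals = defaultdict(int)
    for f in flows:
        if f["ts"].hour in OFF_HOURS and not is_known(f["dst"]):
            totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return {pair: total for pair, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    for (src, dst), total in find_off_hours_unknown(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT off-hours traffic {src} -> {dst}: {total} bytes")
```

On the constructed records only the 02:13 and 02:14 flows from 10.20.5.17 to 198.51.100.23 are both off-hours and outside the baseline and together exceed the threshold; the 09:30 transfer to the same host is larger but falls in business hours, the 03:05 flow goes to a baseline partner network, and the 02:40 flow is too small. In practice the baseline would be built from the department's own history rather than a hard-coded list, and the report would be cross-referenced with the host's asset record before anyone escalates.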
September 11
On a CISA conference call, a “coast is clear” was issued on the reported vulnerabilities. Bobsville and Bunnyville Hospital computer administrators are encouraged to ensure all firewall and antivirus software is current, to monitor networks and websites, and to install patches. Bunnyville Hospital was also encouraged to include its isolated networked Bio-Medical Devices (BMD) in the scanning. Unknown to the Office of Information and Technology (OIT) personnel, scanning the BMD devices inadvertently spread malware embedded in the patches onto those devices.
September 12
The Bobsville mayor’s office received a threat against the power utility control systems from unknown persons. The threat stated that the nuclear power plant just outside Bobsville would suffer a hot shutdown and that the people of Bobsville would experience the wrath of a radioactive meltdown of the plant core.
September 13
At 0815 hours, the FBI was informed of a cyberattack on critical utility infrastructure throughout the nation. The Town of Bobsville has not experienced any actual Trojans or denial-of-service (DoS) attacks against its critical infrastructure as part of this cyberattack.
September 13
Bobsville University security personnel reported that students’ biographic room access cards were not working. Students also report that the cards’ Personally Identifiable Information (PII) has been compromised, as they are receiving calls from credit card companies asking them to verify information on credit card applications.
September 13, 2023, 8:20 AM
The University and local schools start reporting flickering lights, and blackouts appear to be beginning throughout Bobsville.
Bunnyville Hospital starts experiencing network problems. Biomedical Engineering (BME) is receiving numerous calls reporting BMD equipment failures, such as:
• The Operating Room has problems and network delays connecting the Anesthesia Record Keeping (ARK) workstations to the ARK system server.
• Radiation Therapy cannot connect to the linear accelerator servers for the Eclipse treatment planning system and the Aria scheduling server.
• Unknown to staff, the cyberattack has disabled all BMD access control lists (ACLs).
• Telemetry RNs are calling BME to report false data on telemetry equipment. A patient expired while the monitor displayed a normal sinus rhythm, and it continued to display that rhythm after the patient had expired.
The Office of Information and Technology (OIT) is receiving calls about sporadic network problems. Users are calling the OIT help desk with numerous issues:
• Files cannot be located.
• There is an unknown problem.
• Connection to Microsoft Exchange has been lost. Outlook will restore the connection when possible.
Key Issues
• Threat to the power plant.
• Critical infrastructure attacks occurring nationwide.
• Student PII issues.
• Bunnyville Hospital experienced a patient’s death due to inaccurate readings from ICU monitors.
o Based on the existing threat, what should be the priority for the Bunnyville Hospital Biomedical Engineering (BME) regarding equipment misreporting?
o Based on the existing threat, what should the Bobsville emergency management program do as the threats and attacks begin?
o What is the priority of cyber preparedness, including cybersecurity, within Bobsville?
o Describe how local law enforcement and cyber threat information-sharing mechanisms, products, and other considerations should be communicated with businesses and critical infrastructure partners.
o At what point would you contact law enforcement? For situational awareness reporting?