by Kapua Iao

Healthcare malware attack caused by Russian intelligence


In 2017, malware crippled Heritage Valley Health System (HVHS), which has various facilities in western Pennsylvania, parts of eastern Ohio, and the panhandle of West Virginia.

In the short term, the attack impaired HVHS’ ability to provide normal patient care. And in the long term, authorities have discovered that the threat actors damaged more than just a single organization.

This assault appears to be part of a wider strategy by Russian nationals to systematically breach computer systems worldwide.

What happened

The original attack on HVHS occurred on June 27, 2017. Malware (or malicious software) rendered computer systems inaccessible at two hospitals, 60 physician offices, and 18 satellite facilities.

The affected systems contained protected health information (PHI) from patient lists, medical history and physical examination files, and lab records. Thankfully, there was no evidence that the cyberattackers stole or exfiltrated PHI.


Critical functions (e.g., cardiology, nuclear medicine, radiology, and surgery) were unusable for a week. In fact, HVHS had to reschedule some surgeries.

In the official 2017 statement, HVHS president Norm Mitry declared:


Through regular mock disaster drills the leadership, physicians and staff train to maintain quality care delivery in any situation. During this time we implemented downtime procedures until systems could be restored.


According to the Justice Department, the breach cost HVHS $2 million to recover.

Conspirators from the Russian Main Intelligence Directorate carried out these attacks. There is no indication that HVHS was specifically targeted.

Global, systematic cyberattacks

According to the October 19, 2020, federal indictment, six hackers and their co-conspirators “deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).”

One of the defendants was also previously charged for interference with the U.S. 2016 presidential elections.

The indictment lists the targets that the conspirators sought to undermine, retaliate against, or otherwise destabilize:

  1. 2015–2016 Ukrainian government and other critical infrastructure – malware (BlackEnergy, KillDisk, and Industroyer)
  2. 2017 French presidential elections – spear phishing
  3. 2017 businesses worldwide (including HVHS) – malware (NotPetya)
  4. 2018 efforts to hold Russia accountable for Novichok (nerve agent) attacks – spear phishing
  5. 2018 PyeongChang Winter Olympics – spear phishing and malware (Olympic Destroyer)
  6. 2018–2019 Georgian companies and governmental entities – spear phishing

Cybersecurity professionals have tracked these conspirators and their activity under group names such as Sandworm Team, Telebots, Voodoo Bear, and Iron Viking.


NotPetya hit several businesses worldwide, along with HVHS, on June 27, 2017. The malware (technically not ransomware) encrypts everything and severely harms a computer’s hard drive. Moreover, its most damaging aspect is the ability to spread on its own.


Combined losses from the three known NotPetya attacks totaled $1 billion.

What does the indictment mean?

Within the U.S. indictment, the court charged the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

The men, however, are unlikely to be extradited to the U.S. to face the charges.

Even so, the case could serve as a deterrent to others as well as a means to hold Russia and hackers worldwide accountable for their actions.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John C. Demers, Assistant Attorney General for National Security.

And finally, the indictment could perhaps be used as a learning device for organizations to combat future nation-state cyberattacks—particularly now, as international professionals and organizations have joined together to fight growing malware attacks during the pandemic.


Learning how certain attacks and malware are connected can only help organizations block them in the future.

How can healthcare organizations protect themselves?

The main question is: How can healthcare organizations protect themselves against malware and nation-state cyberattacks?

Ultimately, the best cybersecurity strategy will always include multiple layers:

Paubox Email Suite Plus employs a strong email filter to stop the onslaught of inbound phishing emails and malware from entering any system through an inbox. And our ExecProtect feature helps protect against display name spoofing.

Don’t let your employees or your organization become a victim of a breach, especially one caused by another nation maliciously. Use the right tools and knowledge to build strong cybersecurity today.
