UnitedHealth CEO Confirms Breach Tied to Stolen Credentials, No MFA


The ransomware attack that hit US health tech titan Change Healthcare earlier this year was carried out by hackers who used stolen credentials to get into company systems that lacked multi-factor authentication (MFA). 

The revelation surfaced in UnitedHealth CEO Andrew Witty’s written testimony submitted before a House subcommittee hearing today, which is set to probe the February 21 breach that wreaked havoc across the American healthcare network. 

“Criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication,” Witty wrote.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
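As an added illustration, not code from the article or from UnitedHealth, the following script audits constructed remote-access gateway log lines for the gap Witty describes: successful portal logins that completed no second factor, then grouped by source address so that one address reaching several accounts stands out. The log format, field names and sample values are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value gateway log format.
# These are not real Change Healthcare records.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z user=jdoe src=203.0.113.10 portal=citrix-gw auth=password result=success mfa=none
2024-02-12T03:14:31Z user=jdoe src=203.0.113.10 portal=citrix-gw auth=password result=success mfa=none
2024-02-12T08:02:15Z user=asmith src=198.51.100.7 portal=citrix-gw auth=password result=success mfa=totp
2024-02-12T08:05:44Z user=bwong src=192.0.2.55 portal=citrix-gw auth=password result=failure mfa=none
2024-02-12T09:10:00Z user=bwong src=192.0.2.55 portal=citrix-gw auth=password result=success mfa=push
2024-02-13T02:41:09Z user=svc-backup src=203.0.113.10 portal=citrix-gw auth=password result=success mfa=none
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) portal=(?P<portal>\S+) "
    r"auth=(?P<auth>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)"
)


def parse_log(text):
    """Turn each well-formed line into a dict; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def logins_without_mfa(events):
    """Successful portal logins where no second factor was completed."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def summarize_by_source(events):
    """Map source IP -> sorted distinct accounts that logged in without MFA.
    One address touching several accounts is the reuse pattern a
    stolen-credential scenario tends to produce."""
    by_src = defaultdict(set)
    for e in logins_without_mfa(events):
        by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in by_src.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in logins_without_mfa(evts):
        print(f"NO-MFA LOGIN {e['ts']} user={e['user']} src={e['src']}")
    print(summarize_by_source(evts))
```

In a real deployment the same check belongs in a scheduled query against the gateway's authentication log, with any non-empty result treated as a configuration defect, not just an alert.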


This is the first time UnitedHealth has disclosed details of the breach, in which extensive health data was stolen. 

Last week it was disclosed that the hackers made off with health data on a significant share of the US population; Change Healthcare processes health insurance and billing claims for approximately half of all US residents. 

Although the specifics of the credential theft remain undisclosed, investigators are likely to scrutinize the absence of MFA as a potential Achilles' heel in the insurer’s security apparatus. 

“It looks very much as though MFA would have prevented the attack chain that led to this breach,” commented Casey Ellis, founder and chief strategy officer at Bugcrowd.

Ellis also emphasized the importance of securing vendor supply chains, adding that the breach points to a possible role for opportunistic credential harvesting and resale, consistent with the Initial Access Broker business model.

“Importantly, at first blush, it appears that the software itself wasn’t the initial access issue – it could have been any remote access software with no MFA and a leaked or guessed credential,” Ellis explained.

The breach, which involved data exfiltration followed by ransomware deployment, led UnitedHealth to shut down network systems to limit its impact. 

UnitedHealth admitted paying the ransom demanded by the perpetrators, identified as RansomHub. The financial toll of the cyberattack in the first quarter alone surpassed $87m, against nearly $100b in revenue. 

“To prevent these attacks, it is critical that companies employ multi-layer defenses,” explained SlashNext CEO, Patrick Harr.

“First, use AI to prevent credential phishing and account takeover in email and other communication channels. Second, use MFA to protect against compromised credentials. Finally, use the latest AI intrusion and anomaly detection.”
