If you’re a seasoned watcher of cybersecurity incidents, you’ll doubtless have heard an unhappy tale like the following many times before.
In February 2024, attackers used compromised credentials to log in to a Citrix portal used for remote desktop access at a large company. Once inside, they moved laterally through the network and, over the following days, exfiltrated large volumes of highly sensitive data.
Another familiar punchline: the Citrix portal was not protected with multi-factor authentication (MFA).
Nine days later, with a hole punched in the network, the ALPHV/BlackCat ransomware group deployed ransomware that encrypted the company’s servers, causing calamitous disruption to services.
This matters because the company on the receiving end was Change Healthcare, a subsidiary of UnitedHealth Group whose claims and payment systems are used daily on behalf of millions of Americans.
“I would not wish a cyberattack on anyone”
Events kicked off on February 21, the day the ransomware was unleashed. Realizing it was in trouble, Change Healthcare’s first defense was to disconnect its systems, cutting itself off from the rest of the sprawling healthcare group to stop any spread.
Despite not knowing how much data had been stolen (the company holds personal health data for “a substantial proportion of people in America”), UnitedHealth CEO Andrew Witty decided to pay the ransom demanded by the attackers, ALPHV/BlackCat.
As he put it in his written testimony to the House Energy and Commerce Committee in May 2024:
“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”
He also revealed the scale of the recovery effort: thousands of laptops replaced, every credential they could think of rotated, and numerous new virtual servers spun up, essentially a rebuild of a large part of the company’s IT infrastructure.
Several things happened after the payment was made. First, paying appeared to make no difference to the data being leaked: a second ransomware group obtained it and posted samples to a dark web leak site.
Second, the payment set off a dispute between ALPHV and the affiliate that carried out the attack, which claimed its cut of the ransom had never been passed on. Flush with Bitcoin from one of its biggest ever ransom successes, ALPHV had, ironically, damaged its credibility with its own affiliates for good.
The worst attack ever?
Given that the attackers were able to steal the medical data of perhaps a third of the U.S. population, this attack should count as the biggest privacy disaster affecting ordinary Americans ever made public.
That’s alarming. What if the attackers had somehow spread their ransomware to other parts of the group? Remember, this is a company that controls a huge swathe of prescriptions and medical services in the country.
Things could have been much, much worse. Even so, this is the most disruptive cyber incident in the U.S. since Colonial Pipeline in 2021.
So who was at fault?
The remote access server in question was old, Witty later told the Committee, and had only become part of the company after Change Healthcare was acquired by UnitedHealth in 2022 for $13 billion. All this despite it being well known at the time that ALPHV was targeting the healthcare sector.
Behold the first truth of all M&A: you buy a company and you buy its problems, including the cybersecurity ones nobody knows about.