North Korea Tied to CorVel’s Ransomware Attack By Jorge Alexandria - July 31, 2019
Based on information received from an anonymous source, a well-known CorVel executive, digital forensic evidence seems to point in the direction that CorVel was hacked by North Korean operatives.
Let me just say, sources often fear for their jobs, so we can’t name them. If a publication such as adjustercom banned anonymous sourcing, the truth would never be told and we would, in essence, toe the company line.
In this case, CorVel’s official position last week was no public acknowledgement whatsoever. Today, it acknowledges it was a ransomware attack. In light of CorVel’s initial nonsensical denial, adjustercom continues to define the issue for our very small workers’ compensation claims community. Frankly, I don’t see the logic in keeping their computer troubles quiet. They were a victim of the North Korean regime; this could happen to even the most secure digital business operations, and they deserved our empathy.
Now on to the hack. Some of the most spectacular cyberattacks in the past 2 years have been linked to North Korea's state-sponsored hackers. A report commissioned by the U.N. Security Council asserts that Pyongyang's hackers have hauled in around $670 million in foreign currency and cryptocurrency. Tough international sanctions have made it extremely difficult, if not impossible, for North Korea to bring in legitimate funds from outside the country. Inside, North Korea is broke. Thus, hacking provides a reliable and vital stream of revenue into North Korea, and it is an extremely lucrative operation. Unlike developed countries, which focus more on intelligence operations, the North Koreans focus their energy on cash, or rather on crypto transactions that can be incredibly difficult to trace. It's not an impossible task, as CorVel has discovered, but the process can be very complex and time consuming.
The Trump administration has made it clear that it will not lift economic sanctions against North Korea until denuclearization is achieved. This has prompted Pyongyang to increase, not decrease, bold attacks in virtual space despite ongoing diplomatic talks and face-to-face meetings with President Trump.
The way it works is that highly trained, skilled North Korean government operatives hack corporate computer systems and plant a virus that locks you out of your devices and certain programs, like CorVel’s CareMC, and demands a ransom, usually payable in bitcoin. In return for your bitcoin payment, the electronic key is handed over so you can regain access to your system. If the ransom demand, usually at least a million dollars, is not met, then your data is destroyed or garbled beyond recognition. Not doing this would make the threat an idle one, and no one would ever pay a ransom.
Come to think of it, it can be a compromising situation to be in, and I can see why a company like CorVel would remain quiet as long as it had to, rather than see its stock price decline or lose prospective or existing clients. I guess one can fool some investors some of the time but not all the investors all the time.
CorVel has made unnamed critical infrastructure changes to further secure its systems, and presumably the Federal Bureau of Investigation (FBI) is involved and the company is cooperating with the FBI. On Monday, July 29th, 2019, CorVel President & Chief Executive Officer Michael Combs sent the following communique to their clients:
Dear Customer,
Last week, CorVel experienced a ransomware attack. Immediately upon discovery, all systems at CorVel were shut down and disconnected from the network in order to reduce the risk of extensive damage.
Over the past week, we have been coordinating a full-scale forensic investigation with the assistance of a team of outside experts. At this time, we are confident that specific threats have been identified, contained and counter-measured. We have also implemented additional advanced endpoint monitoring tools to monitor for the identified, and unknown threats as our remediated systems are incrementally brought back online.
Due to the capabilities of some malware, we recommend that our customers remain vigilant to protect against the threat of potential phishing e-mails. At this time, all known indicators of compromise have been contained and continue to be monitored for throughout the CorVel environment. We have also made critical infrastructure changes to further secure our systems.
Our experts are informing and cooperating with the FBI.
Although the North Korean government has long denied any wrongdoing in these types of computer cases, it is a virtual guarantee that ransomware attacks by the North Koreans on the corporate world will continue, as they have primarily in Germany, Turkey, the United Kingdom and other parts of the United States. The White House stands unabated, with a photo hung on a White House wall of the man whom President Donald Trump has called “my friend”: North Korean leader Kim Jong Un.
As of this writing, CorVel is up and running normally. Employees are now able to network from home.
Jorge Alexandría is a former U.S. Government official (Labor Dept.) and an Army veteran who received his B.A. in Political Science from Cal State Los Angeles. He also graduated from Cal Poly Pomona with a Master’s Degree in Public Administration. He has more than 20 years of experience in claims handling, supervision, and risk management.
He can be reached at Riskletter@mail.com. Any views and knowledge expressed in this article belong to Jorge Alexandria alone and do not represent any other organization or person.
Published by adjustercom and Lonce Lamonte (lonce@adjustercom.com), all rights reserved. www.adjustercom.com.
Facebook: www.facebook.com/adjustercom
Twitter: @loncelamon