Watching the Watchdog: Learning from HHS' Grant Payment MessTight-Lipped Agency's Next Move in Wake of $7.5M Scam Could Be Telling
Even for the federal government, losing $7.5 million to cyberattacks is a big chunk of cash. Speculation is rampant over how hackers last year managed to filch millions in grant payments from the U.S. Department of Health and Human Services.
One take is that the attackers must have used AI-augmented spear-phishing techniques. Others say the heist could have been the result of a well-worn financial fraud scam.
Public scrutiny is always high when it comes to federal waste, fraud and abuse. HHS also ironically issued guidance on Wednesday spelling out "cybersecurity performance goals" for the rest of the healthcare sector. So, it's not a good look when HHS, the agency charged with being a watchdog agency over cybersecurity and privacy in the healthcare sector, is itself hacked. The whole industry is watching.
The department did not disclose the incident to the public but vaguely acknowledged it when pressed by the media after Bloomberg first reported on it last week.
HHS said it had notified its own watchdog agency, the Office of Inspector General, about the "matter" and a predictable demand for an inquiry by members of Congress is almost sure to follow (see: Report: Hackers Scammed $7.5M From HHS Grant Payment System).
Little is known publicly about the compromises at HHS, which occurred between late March and mid-November 2023, when attackers targeted the payment system for disbursing grants. Hackers withdrew millions of dollars intended to be awarded to five accounts, including money meant to support rural communities and underserved patients, according to Bloomberg.
Just Another Run-of-the-Mill Scam?
What could be even more embarrassing for HHS is that there's a strong possibility the agency and its grant recipients were victims of one of the oldest and most pervasive forms of financial fraud - business email compromise.
Mike Hamilton, co-founder and CISO of security firm Critical Insight, said he's seen similar incidents including an $800,000 theft from a charity that began with compromising the credentials of at least one employee. The attacker elevated privileges, surveilled internal email accounts, assumed the identity of the person working with the city on funding, and emailed the agency to change the routing number of the bank for deposit.
Hamilton said he suspects the HHS theft started with email account hacks at the five grant recipient organizations.
"That's not spear-phishing - that's an authorized piece of email coming in to the government funding agency from an account that is familiar - no bells going off - and asking for a password reset," he said. "Pretty sure when the investigation is done that's what we'll find out that it was -run-of-the-mill business email compromise."
While there's no foolproof solution to these scams, risks can be mitigated. Business email compromise is nothing new. "The government agencies that handle funds distribution need to be trained in proper process for help desk, financial transactions, etc., and use reverse contact and other methods to completely authenticate the individual making the request for change," Hamilton said.
Let's Just Blame AI
It's possible that someone fell prey to one of the latest AI-aided phishing emails that uses ultra-convincing phishing email campaigns created with generative AI tools that HHS warned the entire healthcare industry about in October.
There's no question that AI-augmented phishing and social engineering attacks will make fake emails seem even more realistic, said Keith Fricke, a partner at privacy and security firm tw-Security. Cybercriminal groups will soon start offering AI as a service to masses of hackers, he said.
"Audio recordings simulating requests by C-level folks will trick people into changing passwords, phone numbers of multifactor authentication texts, and even directing people to authorize wire transfers of money," he said.
It really doesn't matter if AI had a hand in it or not. Phishing emails have been pretty effective even without AI. As Hamilton observed, "We all have cognitive biases, our media literacy is poor, and we are predisposed to believe things that confirm our existing worldviews. All these facts aid those that seek to fool us."
Not even multifactor authentication is a foolproof hedge.
Nowadays, Hamilton said, many phishing links activate scripts that strip the session token and automate the process of obtaining the second factor. The link itself is dangerous, not just the act of entering credentials into a fake login page, he said.
Ironically, AI-based email threat protection tools are pretty effective in determining whether an email is legitimate and free of malware and dangerous links. But Hamilton said that unless the organization inspects every message, it's up to the employees to spot suspicious emails.
This means the healthcare sector must step up its game, including training, to raise awareness of how AI is part of the phishing equation, Fricke said.
"Worker training must happen more frequently, with examples of phishing messages. Organizations need to work with the vendors supplying email filtering services to understand how the vendors are improving their detections and quarantine technologies," he said.
Time for Transparency
Right now, no one outside of HHS knows if the HHS grant payment workers targeted in the fraud schemes had adequate training, the right procedures in place and adequate cyber defenses.
And that may be the biggest point of irony of all - the lack of transparency to date.
For many years now, hospitals, medical groups and their business associates have been hammered by ransomware attacks and data thefts affecting the personal information of hundreds of millions of patients. HHS takes enforcement action in major data breaches - including in December levying the first fine originating from a phishing incident.
HHS partners with other agencies to share guidance on managing risks and ensuring the right security controls. And a major tenant of that program is information sharing. HHS encourages health sector organizations to share cyber information with the Health-Information Sharing and Analysis Center, as well as with CISA when an incident occurs.
So, this payment hack will be a big test of HHS and the federal government. Will they set an example of openness and information sharing, as they encourage others to do? Will the facts be embarrassing? No doubt. Will it affect careers? Possibly.
I've been covering HHS for many years, and I know there are plenty of people there who want to do the right thing, but it often takes a long time to get there. We'll be watching to see how long it takes for HHS to share more details and what lessons we can learn from this $7.5 million fiasco.