HHS Says DDoS Attack Failed to Cause Disruption

The U.S. Department of Health and Human Services (HHS) was targeted with a distributed denial-of-service (DDoS) attack on Sunday, but the agency said it did not experience any significant disruption as a result of the incident.

“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities. On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter,” Caitlin Oakley, an HHS spokesperson, told SecurityWeek.

“Early on while preparing and responding to COVID-19, HHS put extra protections in place,” Oakley added. “We are coordinating with federal law enforcement and remain vigilant and focused on ensuring the integrity of our IT infrastructure.”

Ellen Nakashima, a national security reporter at The Washington Post, learned that the HHS’s website never actually crashed as a result of the attack, which her sources described as a 2 on a scale from 1 to 10.

Bloomberg, which first reported on the incident, learned from sources that a tweet from the National Security Council (NSC) about fake text messages warning of a national quarantine was also related to the “hack.” Bloomberg also initially used the term “cyber intrusion,” but later removed it from the body of its article — it still appears in the subheadline at the time of writing. It’s worth noting that mainstream media often confuses DDoS attacks with breaches.

According to some reports, the attack may have been launched by a foreign threat actor and its goal was to undermine the HHS’s response to the COVID-19 crisis. However, this theory has not been confirmed and experts have cautioned that it’s too early in the investigation to make these types of claims.

“We should not jump to conclusions and assume the attack was nation state affiliated,” Rick Holland, CISO and VP of strategy at Digital Shadows, told SecurityWeek. “Incident response takes time, and as this just occurred last night, more time for investigations will be required. Based on reporting, this appears to be some sort of denial of service attack and the barrier to entry for DOS attacks are low.”

Other experts, however, pointed out that even DDoS attacks can have serious consequences and they could precede more sophisticated attacks.

“DDoS attacks are not sophisticated, but the timing of the attack and potential motive raises significant concern,” Stephen Boyce, principal consultant at the Crypsis Group, said via email. “The goal of these attacks is to prevent legitimate users from accessing HHS websites and systems. These attacks could also be a precursor for a larger attack that may result in data access and or exfiltration.”

“The most prominent targets of such attacks are institutions that are providing information to the public regarding COVID-19. These institutions include: local, state, federal, and tribal government agencies, media outlets, pharmaceuticals companies, and healthcare industries. We should expect more DDoS attacks on the institutions mentioned above and an increase in spear-phishing attacks as well,” Boyce added.

Related: Coronavirus-Themed Emails Deliver Malware, Phishing, Scams

Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks

Related: COVID-19 Themed Phishing Campaigns Continue