UNC1878 Continues to Infect Hospital Networks

8 February 2021

Last October, a threat actor known as UNC1878 made headlines for a widespread criminal campaign targeting the healthcare industry (and other organizations) around the world.

Over three months have passed since this group’s activities became widely known, yet in spite of high public awareness, many of UNC1878’s victims remain actively compromised to this day.

Prevailion’s APEX Platform continues to observe active beaconing by UNC1878 malware from prominent hospitals and healthcare providers in the United States, as well as other countries. These unmitigated compromises are concerning due to the sensitive nature of hospital networks.

Ongoing UNC1878 activity in a southern US hospital. (Source: APEX)

Due to the high level of persistent malware beacon activity observed, these healthcare organizations are at risk not only of an imminent encryption attack by Ryuk or other ransomware families, but they are also at risk of ongoing data exfiltration by this Russian threat actor.

The APEX Platform has also observed active beaconing by as yet unidentified malware or toolkits deployed by UNC1878 in these network environments.

Unidentified malware activity by UNC1878 in another US hospital. (Source: APEX)

Since the risks posed by UNC1878 are significant, ranging from sensitive information theft to high-priced extortion and service disruption, it is imperative for all healthcare organizations to thoroughly examine their networks for any IOCs by this threat actor.

Prevailion continues to provide free access to the APEX Platform for any organization that would like to check its own network for compromise activity by UNC1878 or other threat actors.

The Latest

Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond

Introduction: Prevailion’s Adversarial Counterintelligence Team (PACT) is using advanced infrastructure hunting techniques and Prevailion’s unparalleled visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign.  UNC1151 is likely a state-backed threat actor [1] waging an ongoing and far-reaching influence campaign that has targeted numerous countries across […]

Learn More

Prevailion CEO, Karim Hijazi- Biden’s Cybersecurity Strategy

Prevailion CEO, Karim Hijazi, comments on lacking White House cybersecurity efforts Karim Hijazi lays out why Biden’s cybersecurity strategy lacks innovation and effectiveness to deal with modern adversaries already inside companies around the globe.    

Learn More

Prevailion CEO, Karim Hijazi- Tmobile Hack

Prevailion CEO, Karim Hijazi, talks about the T-Mobile hack and cloned SIM cards Karim Hijazi says T-Mobile’s breach is the largest in carrier history and discusses SIM swapping and other forms of identity theft.    

Learn More
All Resources
Copyright 2021 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.