Published: January 13, 2024 on our newsletter Security Fraud News & Alerts Newsletter.
A SIM swap attack targeting an Advarra medical research executive recently put the company’s data security at risk. Advarra, a provider of medical research and clinical trial services, suffered a data breach claimed by the ransomware group ALPHV, also known as BlackCat. The group is believed to have deliberately targeted this executive’s phone number rather than picking a victim at random.
Healthcare is one of the industries most targeted by ransomware groups because of its data-rich environments. Threat actors favor it both because the data is highly sensitive and because healthcare victims are more likely to carry cyber insurance; together, these factors have historically led to quick ransom payouts. ALPHV is now threatening to sell the 120 gigabytes of stolen data.
SIM Swap Attacks
Also called SIM-jacking, these attacks give the attacker control of a target’s phone number, which lets them intercept the authentication codes sent by text or call for secure account access. With the one-time code in hand, they can log in to the victim’s accounts, change passwords and login details, and reach any data stored there. SIM swapping is considered a type of account takeover (ATO), since the victim can no longer access the account or its contents.
How It Happened
It’s believed the ALPHV group convinced the victim’s phone carrier to port the hijacked number to another carrier and onto a new SIM under attacker control, a common SIM swap tactic. The group then accessed and copied Advarra’s data and is threatening to sell it if its ransom demand isn’t paid. In response, the company says it doesn’t “pay digital terrorists.” Although Advarra hasn’t said where the attackers obtained the employee’s phone number, the number was used to access the employee’s work, LinkedIn, and other accounts.
BOLO And More
As proof of their attack, ALPHV released the PII of one of Advarra’s clinical trial participants. It’s a reminder that once PII ends up in the wrong hands, it can be used for targeted phishing against anyone affected by a data breach of any kind.
Attackers also trawl social media, including career sites like LinkedIn, for PII they can use in targeted attacks, so limit or avoid posting PII online altogether. Where you have the option, don’t receive MFA (multi-factor authentication) codes by text or phone call; use an alternative such as an authenticator app or a hardware security key to verify your identity instead.