
Stolen Citrix Credentials Led to Change Ransomware Attack
Threat actors behind the Change Healthcare ransomware attack in February were able to gain initial access by leveraging compromised credentials for a Citrix remote access portal, which didn’t have multi-factor authentication enabled. The initial access vector behind the attack was revealed in a new testimony document from Andrew Witty, CEO of Change’s parent company UnitedHealth Group, before he attends a Wednesday hearing by the House Energy and Commerce subcommittee.

The issue of compromised credentials continues to haunt organizations, especially as attackers increasingly rely on identity-centric tactics. According to Witty, the threat actors on Feb. 12 were able to remotely compromise the account for the Change Healthcare Citrix application used to enable remote access to desktops. After gaining access, they then moved laterally within the systems “in more sophisticated ways” in order to exfiltrate data. Nine days later, the threat actors deployed the ransomware. In the testimony, Witty also addressed his decision to pay a reported $22 million ransom to the attackers.

“As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, I have been guided by the overriding priority to do everything possible to protect people’s personal health information,” according to Witty’s testimony. “As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Witty’s testimony also sheds light on the company’s incident response procedures following the attack. After the attack occurred, connectivity to Change environments was severed. Experts from Google, Microsoft, Cisco, Amazon, Mandiant and Palo Alto Networks offered support in mitigating the attack, as well as government agencies like the Department of Health and Human Services and FBI.

“Together with our Change Healthcare colleagues, they immediately began the around-the-clock and enormously complex task of safely and securely rebuilding Change Healthcare’s technology infrastructure from the ground up,” according to Witty’s testimony. “The team replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare’s data center network and core services, and added new server capacity. The team delivered a new technology environment in just weeks – an undertaking that would have taken many months under normal circumstances.”

Over the course of the past two months, UnitedHealth Group has slowly filled in the blanks on the many lingering questions around the ransomware attack. Most recently, Change Healthcare determined that the attackers gained access to some protected health information and personally identifiable information “which could cover a substantial proportion of people in America.” Witty in his testimony said that it will likely take several more months of investigation to fully understand what data was exfiltrated and who has been impacted.

“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack,” according to Witty’s testimony. “Our teams, along with leading external industry experts, continue to monitor the internet and dark web to determine if data has been published.”

One aspect likely to be discussed further at Wednesday’s hearing is the security implications of the sheer number of hospitals, healthcare providers and patients that rely on Change Healthcare. The attack disrupted many of Change Healthcare’s operations, but because the company handles data, payments and claims processing for a huge chunk of the U.S. healthcare industry, it also caused massive delays for thousands of providers and pharmacies around the country.

Witty will face more questions about the ransomware attack, and its impact on the wider healthcare sector, during Wednesday’s House Energy and Commerce subcommittee hearing. A letter on April 15 from the House Energy and Commerce subcommittee leaders, including Chair Cathy McMorris Rodgers (R-Wa.), requested more information about the timeline of the attack, how the breach was detected and how impacted healthcare organizations were notified and supported. The subcommittee letter also inquired about Change Healthcare’s security protocols, including whether UnitedHealth modified its cybersecurity incident response, prevention and detection processes after acquiring Change Healthcare in 2022.

“The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised,” according to the letter. “It is important for policymakers to understand the events leading up to, during, and after the Change Healthcare cyberattack.”