(Bloomberg Businessweek) -- On March 15, 2020, just days after the US declared a national emergency because of the Covid-19 pandemic, the computer network for the US Department of Health and Human Services briefly vanished from the internet. In public remarks the following day, HHS Secretary Alex Azar attributed the 10-minute outage to a cyberattack but downplayed its severity, telling reporters that “there was no data breach or no degradation in terms of our ability to function and serve our important mission here.”
With a historic crisis sweeping the country, the episode seemed unremarkable and immediately receded from public view. But the department knew at the time that the attack represented a serious and unusual cyberthreat, according to two officials involved in the response: former Chief Information Officer Jose Arrieta and former Chief Information Security Officer Janet Vogel.
Arrieta and Vogel say they decided to speak on the record because they believe public discussion of the attack will help the government prepare for cybersecurity threats. Five other current or former US officials involved in the government’s response provided additional details, but asked not to be identified to avoid professional repercussions. Bloomberg Businessweek has also viewed internal HHS documents related to the investigation.
Some of the officials describe the attack as an attempt by a state-level actor to break into the department managing the US response to Covid-19 just as HHS’s IT staff was temporarily loosening security so that its more than 80,000 employees could log in remotely. The attackers used a common technique called a distributed denial of service (DDoS) attack, where hackers disrupt a computer network by flooding it with traffic.
A DDoS attack isn’t usually the signature of sophisticated hackers; it’s sometimes likened to vandalism. The HHS attackers did distinguish themselves, though, by sheer scale. They sent billions of fraudulent connection requests, making the incident in March 2020 the largest DDoS attack the US government had ever experienced, according to the documents reviewed by Bloomberg Businessweek. It was the culmination of a series of attacks that began the previous October, an unusually long time for a DDoS campaign.
The duration and scale of the activity led Arrieta, Vogel and others within the government to believe the hacking campaign was a smokescreen for a state-sponsored probe of computer networks associated with the US’s pandemic response, possibly to set the stage for future incursions. “It was clear that our network had been mapped and that there was an understanding of different areas within our network,” says Arrieta. “They understood where large data repositories were, and they were actively seeking to gain some type of information from those environments.”
In a statement, a spokesperson for HHS acknowledged the attack, repeating Azar’s initial statement that “no HHS systems or data were compromised.” The statement added that HHS has invested heavily in security and that it “immediately deployed additional security protections to guard against future attacks.” The department referred further questions to its Office of Inspector General, which conducted its own investigation into the attacks. An official there said in a statement that OIG, working with Ukrainian law enforcement authorities, had linked the attacks to an organization and at least one person connected to Ukraine, though it’s unclear whether it had concluded that the attack originated there or just involved Ukrainian people or equipment.
Arrieta, Vogel and two of the officials believe the scope, complexity and timing of the attacks point to China. “I am confident and believe that this attack was a nation-state effort that was perpetrated by the CCP,” says Arrieta, referring to the Chinese Communist Party.
HHS-OIG’s official investigation didn’t reach a conclusion about China’s involvement. But the US government was investigating other cyberattacks it suspected were related to the pandemic. In the spring of 2020 the Cybersecurity and Infrastructure Security Agency warned of cyberattacks exploiting the pandemic for espionage purposes; that May, CISA and the FBI said they were investigating a significant number of attempts by China to steal data related to Covid-19 research. Two months later the US Department of Justice indicted two Chinese Ministry of State Security hackers for attacking a wide range of organizations, including companies developing coronavirus vaccine testing technology and treatments.
In the first months of the pandemic, hackers tied to Russia, Iran, Vietnam and North Korea also sought information pertaining to the coronavirus, according to cybersecurity experts. “It was the most exigent crisis for every government on Earth, and they needed answers and that’s what these hackers are for,” says John Hultquist, chief analyst for Alphabet Inc.-owned Mandiant Intelligence. “There’s not an intelligence agency on Earth that didn’t get in on this.”
Tensions between the US and China have remained high over a range of issues, although US President Joe Biden and Chinese President Xi Jinping met in November in California, in talks that Biden later described as some of the most productive he’s had with Xi. In an emailed statement, a spokesperson for China’s Foreign Ministry said the country has always opposed “all forms of cyberattacks in accordance with the law,” adding that China has been the victim of cyberattacks and that Beijing “opposes politicizing cybersecurity issues and smearing other countries without factual basis.”
To Robert Kadlec, who was assistant secretary for preparedness and response at HHS from 2017 to 2021, it’s significant that the attacks started earlier than December 2019, when the Chinese government has said Covid-19 began spreading in the country. Kadlec conducted an investigation into the pandemic’s origin for former North Carolina Republican Senator Richard Burr, in which he concluded that the virus likely emerged as early as October. This could explain why the hacks on HHS began that same month, he says. “What was the intent of the cyber activity?” asks Kadlec, who said in his report that the pandemic most likely emerged from a lab accident, a theory that divides the US intelligence community. “Was it to try and break in and see what we know? Or was it to impede or affect our ability to conduct HHS activities, maybe even response activities?”
Information about the HHS attacks may help experts understand the unexpected form that state-backed cyber operations can take. In October 2019 hackers used a network of infected computers known as a botnet to send more than 300 million bogus requests to HHS systems per day, a huge increase over normal traffic loads, according to Arrieta and one of the former officials. The botnet grew to over 1 million machines and continued sending hundreds of millions of daily fraudulent connection requests for months, hitting 6.4 billion on March 15. Arrieta’s decision to blunt the attack by temporarily disconnecting HHS’s network is what led to the outage that day.
While DDoS attacks are generally intended to paralyze a network, bombarding systems with fraudulent connection requests also can allow attackers to identify and catalogue the servers that respond to those requests, including the backup systems when the primary ones fail. By March, HHS investigators concluded, the attackers seemed to know exactly how the department would direct traffic to backup routes to avoid blockages.
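The pattern described above, flood traffic that also maps which servers answer once the primary goes dark, can be spotted from flow records on the defender's side. The following is an added example, not code from the article or from HHS; the log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not HHS logs: (t_seconds, src_ip, dst_ip, replied).
# 10.0.0.10 is the primary front end; 10.0.0.20 is the backup it fails over to.
PRIMARY, BACKUP = "10.0.0.10", "10.0.0.20"
FLOWS = [
    # an ordinary client: low rate, only ever sent to the primary
    (0, "203.0.113.5", PRIMARY, True), (30, "203.0.113.5", PRIMARY, True),
    # two flood sources hammering the primary until it stops answering at t=40 ...
    *[(t, "198.51.100.7", PRIMARY, t < 40) for t in range(0, 60, 2)],
    *[(t, "198.51.100.8", PRIMARY, t < 40) for t in range(0, 60, 2)],
    # ... and reaching the backup address almost immediately afterwards
    *[(t, "198.51.100.7", BACKUP, True) for t in range(42, 60, 2)],
    *[(t, "198.51.100.8", BACKUP, True) for t in range(42, 60, 2)],
    # an ordinary client steered to the backup by the failover itself
    (50, "203.0.113.9", BACKUP, True),
]

def failover_time(flows, primary=PRIMARY):
    """Second at which the primary went dark: first unanswered request after its last reply."""
    last_reply = max((t for t, _, d, ok in flows if d == primary and ok), default=-1)
    dark = [t for t, _, d, ok in flows if d == primary and not ok and t > last_reply]
    return min(dark) if dark else None

def probing_sources(flows, primary=PRIMARY, backup=BACKUP, rate_per_min=10, window=30):
    """Sources that flooded the primary (>= rate_per_min requests) and then hit the
    backup within `window` seconds of failover: flood traffic that maps recovery paths."""
    t_fail = failover_time(flows, primary)
    if t_fail is None:
        return {}
    per_src = defaultdict(list)
    for t, src, dst, _ in flows:
        per_src[src].append((t, dst))
    found = {}
    for src, events in per_src.items():
        to_primary = sorted(t for t, d in events if d == primary)
        if not to_primary:
            continue
        rate = len(to_primary) * 60 / max(1, to_primary[-1] - to_primary[0])
        first_backup = min((t for t, d in events if d == backup), default=None)
        if rate < rate_per_min or first_backup is None:
            continue
        lag = first_backup - t_fail
        if 0 <= lag <= window:  # reached the backup as soon as it took over
            found[src] = {"rate_per_min": round(rate), "backup_lag_s": lag}
    return found

if __name__ == "__main__":
    print(failover_time(FLOWS), probing_sources(FLOWS))
```

Low-rate clients that land on the backup only because failover sent them there are not flagged; the heuristic keys on sources that both generated the flood and located the backup on their own.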
In the hours that followed the outage, computer-generated social media accounts amplified thousands of posts about the cyberattack, according to one of the people, and a document viewed by Bloomberg Businessweek. This kind of multipronged operation, this person says, was further evidence of a sophisticated campaign, likely conducted by a state-backed actor.
The hackers also moved on to launch narrower and more focused attacks against several HHS divisions, including the Centers for Disease Control and Prevention, the Food and Drug Administration and the National Institute of Allergy and Infectious Diseases. Investigators suspected the hackers were using what they’d learned from the earlier attacks. “It’s like a jigsaw puzzle—they had all the edge pieces and they’ve put it all together, but they don’t know what’s inside so they’re driving more and more intensely at the center,” Vogel says.
To carry out those attacks, the hackers relayed large amounts of traffic through HHS’s own network before directing it at their targets, disguising it as legitimate so it wouldn’t be blocked, according to the CTI League, a volunteer group of cybersecurity professionals formed during the pandemic to help the health-care industry respond to hacks. The group worked with HHS to address the vulnerability in its network that allowed hackers to route their attack traffic in this way.
Marc Rogers, co-founder of the CTI League and a former cybersecurity executive with Cloudflare Inc. and Okta Inc., says he concluded the attackers were laying the groundwork for future action. The ultimate goal was not disruption, but rather to potentially steal data or tamper with it to spread misinformation, he says.
Three and a half years later, it’s still not clear whether any such attacks have occurred, or whether the hackers discovered vulnerabilities in HHS’s network that have yet to be exploited. To Rogers, the attacks against HHS are a reminder that, in the chaos of a cyberattack, not everything is as it seems. The attackers “found weaknesses in HHS’s infrastructure and they were exploiting the opportunity,” he says. “If you want to get access to sensitive sources of information to steal or poison it, this is how you’d do it.”
©2023 Bloomberg L.P.