The chief executive of UnitedHealth has at long last revealed the methods through which threat actors breached Change Healthcare’s systems earlier this year.
UnitedHealth CEO Andrew Witty, who is set to testify in front of a US House subcommittee on 1 May 2024, has said that threat actors managed to breach Change Healthcare’s systems using compromised credentials to access a Citrix portal.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in a testimony posted by the House Energy and Commerce Committee, dated 1 May.
“The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
While Witty did not specify which Citrix vulnerability, if any, the threat actors abused to gain access, a number of vulnerabilities were discovered last year and early this year, including several in Citrix NetScaler and the Citrix Bleed vulnerability that affected almost 36 million people.
In addition, Witty took full responsibility for the payment of the ransom to the threat actors, despite the fact that the US$22 million payment was pocketed by ALPHV.
“As chief executive officer, the decision to pay a ransom was mine,” Witty added.
“This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”
The ransomware attack occurred on 21 February, resulting in the company’s systems being taken offline and leaving healthcare providers across the US without claims infrastructure, which brought many of their operations to a standstill.
The attack was originally believed to have been by a Chinese state-sponsored actor but was then claimed by the now-defunct ALPHV (BlackCat).
UnitedHealth paid ALPHV US$22 million in ransom payments. However, ALPHV pocketed the money and went dark, leaving the ransomware affiliate behind the breach stranded without pay but with the stolen UnitedHealth data.
As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransom payment. Not long after, the group published some of the data, claiming the entirety of it was now for sale to the highest bidder.