What we know about the Health Department website cyberattack

The attack appears to be a largely unsuccessful attempt to overwhelm the site’s servers.

The US Health and Human Services Department was the victim of a cyberattack yesterday, the agency confirmed to Recode.

Bloomberg, which was first to report the attack on Monday morning, initially described it as a hack, but updates to its story removed the word “hack,” instead referring to it as “multiple incidents of a cyber intrusion.” A subsequent ABC News story said it was actually a distributed denial of service (DDoS) attack, which is a type of cyberattack but not a full breach. A DDoS attack is more consistent with Bloomberg’s description, which said the agency’s servers were overwhelmed with millions of hits designed to slow or shut them down. Both reports said the attack was not successful and that no data was accessed.

Caitlin B. Oakley, a spokesperson for the HHS, told Recode that there was a “significant increase in activity on HHS cyber infrastructure” but that it remained “fully operational.”

“Early on while preparing and responding to Covid-19, HHS put extra protections in place,” Oakley said. “HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities.”

Meanwhile, the National Security Council confirmed to Bloomberg that there was an “incident” but downplayed its impact, adding that “HHS and federal networks are functioning normally at this time.”

“We are aware of a cyber incident related to the Health and Human Services computer networks, and the federal government is investigating this incident thoroughly,” John Ullyot, NSC spokesperson, said in a statement to Bloomberg. “HHS and federal government cybersecurity professionals are continuously monitoring and taking appropriate actions to secure our federal networks.”

In a Monday morning tweet, Washington Post reporter Ellen Nakashima said that a Department of Homeland Security source told her the attack has been “overblown” and that the site never crashed or seemingly was in any danger of doing so.

Details of the cyberattack at HHS emerged at the same time as a flurry of reports about a foreign disinformation campaign designed to spread fear during the coronavirus pandemic. Three anonymous federal officials told the Associated Press that such an effort was underway, though they did not specify which foreign entity was leading the effort. Bloomberg also reported that a recent tweet referencing a misinformation campaign from the National Security Council was related to the attack:

But it’s not entirely clear how the two incidents are related. The NSC tweet appears to be a reference to a viral text message that says President Trump is on the verge of declaring a nationwide mandatory quarantine — a rumor that the White House has denied. It also seems as though such an action by the president would not be constitutional, since there’s little evidence that a DDoS attack would result in the spread of misinformation.

An attack on the HHS during the coronavirus pandemic is probably not a coincidence, and now is obviously one of the worst possible times for an elevated level of uncertainty and fear. According to Bloomberg, officials don’t yet know who is responsible but are assuming it’s a “hostile foreign actor.”

So far, it’s hard to know how seriously to consider the threat of further cyberattacks. DDoS attacks are common as cyberattacks go, because they are relatively easy. Where DDoS attacks that flood a server with messages can be performed with a single computer, a more powerful DDoS requires a network of computers or botnets. Over the course of the past decade, these types of attacks have become increasingly popular as tools of political protest or weapons of disruption. As long as the attacker has enough bots in their arsenal, they can temporarily devastate their victim websites, which may be forced offline for hours or even days — an outcome that would have been particularly harmful in this case but, fortunately, appears to have been avoided.

While it doesn’t look as though the HHS attack did more than spread fear, cybersecurity researchers have warned of several coronavirus-related phishing campaigns and malware posing as official emails or websites from health organizations. Those threats, along with the possibility of a foreign disinformation campaign, serve as additional evidence that we’re only just beginning to comprehend the scope of the coronavirus pandemic and its consequences.