UnitedHealth hackers used stolen Citrix credentials, CEO says


The massive hack of UnitedHealth Group’s (UHG) tech subsidiary was the result of attackers using “compromised credentials to remotely access a Change Healthcare Citrix portal,” according to UHG CEO Andrew Witty.

Witty will be testifying about the details of the February 12th ransomware attack during an Oversight and Investigations Subcommittee hearing titled “Examining the Change Healthcare Cyberattack” on May 1st.

Claimed by the temporarily defunct ALPHV/BlackCat cybercriminal cartel, the attack crippled the conglomerate’s claims and payment systems, paralyzing hospitals, medical practices, health facilities, and pharmacies coast to coast for nearly a month, and triggering the hearing on Capitol Hill.


The testimony

The CEO’s testimony before the House Energy and Commerce Committee is slated for Wednesday at 2:00 p.m. EST in Washington, DC. A copy of Witty’s written testimony was posted to the panel's website on Monday.

The hearing agenda is slated to focus on what happened in the lead-up to the attack (reported by the company on February 21st), as well as the impact it had on individuals, providers, and critical access for patients.


According to Witty’s testimony, ALPHV/BlackCat gained remote access to systems using stolen login credentials for the company’s Citrix portal; the account did not have multi-factor authentication enabled.

Citrix is widely used software for providing remote access to desktops and applications.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” Witty said.

The actual ransomware was deployed nine days later, Witty said, fully encrypting the network.

US cloud computing company Citrix Systems. Image by T. Schneider | Shutterstock

"Not knowing the entry point of the attack at the time, we immediately severed connectivity with Change’s data centers to eliminate the potential for further infection," Witty’s testimony states.

Although shutting down Change’s systems was “extremely disruptive,” the CEO stressed that “it was the right thing to do.”

“Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year,” Witty revealed.

“These criminals continue to adapt and develop more sophisticated and malicious methodologies, and they have increasingly targeted critical infrastructure, including schools, government agencies, and the health care sector,” he wrote.

“These adversaries are willing to attack everything from community hospitals to pharmacies to networks like ours that enable the information exchange necessary to provide care. I would not wish a cyberattack on anyone,” Witty said.

The testimony also states that UHG has been working 24/7 with the FBI and prominent cybersecurity firms to investigate the hack.

Intel teams from Mandiant and Palo Alto Networks, as well as outside security experts from Google, Microsoft, Cisco, and Amazon, have all participated in mitigating the breach, the testimony said.

The costly aftermath

As part of the painstaking restoration process, Change Healthcare’s data center network and core services were completely rebuilt, thousands of laptops were replaced, credentials were rotated, and new server capacity was added.


“The team delivered a new technology environment in just weeks – an undertaking that would have taken many months under normal circumstances,” Witty said.

As of April 26th, UHG said it had provided more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of healthcare providers unable to file and collect on insurance claims due to the system shutdown.

UnitedHealth Group, founded 50 years ago in Minnesota, is one of the largest healthcare companies in the US. It officially became the parent company of the health tech arm Optum Health and its software division Change Healthcare in 2022.

Change Healthcare’s platforms touch an estimated one in three US patient records, processing roughly 15 billion transactions annually, and are linked to approximately 900,000 physicians, 118,000 dentists, 33,000 pharmacies, and 5,500 hospitals nationwide, according to the Committee hearing request letter.

ALPHV/BlackCat – best known for its September 2023 attacks on Las Vegas gambling and hotel empires MGM Resorts and Caesar’s International – demanded a $22 million ransom, which UHG has admitted paying, though the amount remains unconfirmed.


Last week, Witty revealed that UHG paid the ransom in an attempt to protect patient data, of which ALPHV/BlackCat and its many ransomware affiliates claimed to have stolen about 6TB.

The US Department of Health and Human Services (HHS) in March opened an investigation into possible violations of HIPAA rules, which govern the protection of patient health data.

Due to the large scope of the breach, it may be difficult for Change and UHG to stay compliant with the regulations, which could result in monetary fines and/or legal action.

Citrix makes headlines again

The hackers were at first thought to have targeted Change Healthcare systems by exploiting an unpatched critical software vulnerability known as CitrixBleed, but Witty has since dispelled those rumors in his testimony.


Prior to the ALPHV/BlackCat ransom gang attack on UHG, rival ransomware group LockBit had been taking advantage of a critical flaw in the Citrix software, which was discovered in July 2023.

A critical fix was released by the firm in October, but by then dozens of companies using the Citrix NetScaler remote access software had already been compromised, including major corporations such as Boeing, the Industrial and Commercial Bank of China (ICBC), and the international law firm Allen & Overy (A&O).

The Citrix application is widely favored in the healthcare industry to facilitate remote and onsite authentication and to provide access to critical applications such as Electronic Medical Records, imaging viewers, remote desktops, and more, according to US health law firm Hall Render, et al.

An estimated 60 credit unions, hospitals, and financial services companies had already been breached via the Citrix vulnerability by December 2023.

Researchers also found that, despite the original warnings from the US Cybersecurity and Infrastructure Security Agency (CISA) and the subsequent release of the CitrixBleed zero-day patch, hackers had already planted backdoors on thousands of servers, leaving many companies vulnerable even after applying the patches.

Editor’s note: The original April 29th headline and article have been updated; the cause of the breach was the use of stolen credentials, not the exploitation of a Citrix vulnerability.