When Belgian hospitals are targeted by Russian cyberbombs
The damage suffered by Vivalia: 1,500 paralyzed computers and 400 gigabytes of stolen data. © BelgaImage
It’s a massive break-in. On the night of Saturday May 14, Vivalia discovered the extent of the damage: 200 servers and 1,500 computers paralyzed by a cyberattack. This care group is a very big fish, mainly active in the province of Luxembourg: six hospitals, a polyclinic, four nursing homes and three crèches. The emergency plan is activated, communications are cut off, non-urgent consultations are cancelled. Management’s first instinct is to reassure. The group has backups and is supported by the federal Computer Emergency Response Team (CERT) in identifying the attack’s entry points and restarting the servers as quickly as possible.
“Apart from contradictory announcements on the origin of the attack, which show a lack of control (when you don’t know, you keep quiet!), I find their external communication rather good,” judges Axel Legay, professor at the École polytechnique of UCLouvain. “They admitted to the attack and said they had called in the CERT. Whereas this federal task force usually learns about cyberattacks from the press…”

According to the group, no medical data has been compromised, and there has been no ransom demand. But a few days later, Anis Haboubi, a Belgian cyber risk expert, reveals that the attack has been claimed by Lockbit 2.0, a fearsome gang of hackers who take their name from the ransomware they use, one of the most dangerous in circulation. On their blog, hosted on the darknet, the countdown has begun. If the ransom is not paid by Thursday evening, the hackers threaten to publish 400 gigabytes of data stolen from the hospital network: thousands of medical records and personnel files. A bomb of confidential data.
A flaw known for six months
“Given the extremely sensitive nature of this data, a legal audit under the GDPR (the European General Data Protection Regulation – Editor’s note) will not be sufficient,” continues the man who also heads the Walloon cybersecurity consortium CyberWal. “This hospital network is going to have to have a serious conversation with us, with the CERT, but also with the companies that test the security of its infrastructure.”

How did these hackers get into Vivalia’s computer system? Anis Haboubi gives us his hypothesis. “This is the flaw that I found in their infrastructure, their computer equipment.” It is a vulnerability in the Microsoft Exchange mail server software, a flaw known since… October 2021, and for which the American giant has long since released a fix. “This is what happens when you leave servers unpatched. Companies have been attacked through this front door for months…” This does not surprise Axel Legay. “This is an old flaw for us, but not for a public institution, whose reaction time is unfortunately much longer.”
Do these hackers really have in their possession this ultra-sensitive database of high commercial value (a medical record sells for up to 250 dollars)? It’s very likely. “Two screenshots have been released,” says Damien Bancal, a former French cyber-gendarme and international specialist in data leaks. “Nothing 100% conclusive, but I can tell you that when this gang threatens, it means it has the material.” But who is behind Lockbit 2.0?
Political agenda
The gang gave an interview to a Russian-speaking YouTube channel. “An interview whose political connotations are clear,” says AdvIntel, an American cybercrime specialist, “in particular in the choice of victims, which reflects a geopolitical agenda. Their rhetoric bears obvious similarities to the political message propagated by the Russian state.” This is also confirmed by the information available on the gang’s darknet site: in the terms of use of their malware, the hackers specify that it “does not work in ex-USSR countries”. If little is known about this cybercrime syndicate, it is not unknown to our police services either. The group had already claimed responsibility for the attack on the Charleroi Bar in October. The ransom was not paid and thousands of files were dumped online. On the Lockbit 2.0 leak site, hosted on the darknet, we find half a dozen other Belgian victims, including a real estate company, a metallurgical group, two tax advisory firms and even a town in East Flanders.
From a computer and a suite of software specially configured to guarantee our anonymity and security, we tried to contact this gang of hackers via Tox, the encrypted messaging service popular among cybercriminals. Without success. But we took advantage of this very special workstation to download files from the Lockbit 2.0 darknet site: the files the collective dumps when its victims do not pay the ransom. We did this for three companies hacked by the gang, and the files consulted (credit card statements, expense reports, technical data sheets, customer information, etc.) appear authentic to us.
20% of the loot
However, let us remain cautious. When certain companies have refused to give in to blackmail, the data published by this group has sometimes proved to be of low sensitivity. And the list of trophies displayed by the hackers also serves as a marketing campaign. Like other cybercrime syndicates, Lockbit 2.0 sells its ransomware to other hackers. “Our program is the fastest encryption software in the world,” the collective claims, comparison table to back it up. “The only thing you have to do is gain access to the central server. The ransomware does everything else.” How much does this malicious program cost? “The ransoms are paid in full to our affiliates. They then pay us 20% of the sums collected,” explains the syndicate’s spokesperson in the interview.
How much is the ransom demanded from Vivalia? Management remains silent, the case being in the hands of the federal prosecutor’s office. Given the ultra-sensitive nature of the data and the sums these hackers have demanded from their other victims, one can legitimately assume that the figure is in the millions of euros.
Since then, the 400 GB of stolen personal data have not been published. The hackers even withdrew their threat to make them public a few hours before the end of the deadline, which had been postponed to last Saturday. Does this mean that Vivalia paid the ransom? The question, highly sensitive, remains open. But even if few experts dare to say it out loud, they think it: the care group had an interest in giving in to the blackmail to avoid the consequences of such a massive leak of personal data, in particular those linked to non-compliance with European legislation, all the more so if the attack did indeed originate in a flaw that should have been patched six months earlier. Remember all the same that Vivalia is an intermunicipal company and that the ransom, if it was paid, will have been paid with public funds. It should also be remembered that several international sanctions regimes prohibit any payment of funds to a blacklist of countries… including Russia.